# Potential Beaconing Activity

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1071.001 | Application Layer Protocol: Web Protocols | https://attack.mitre.org/techniques/T1071/001/ |

#### Description
This query detects potential Command & Control (C2) beaconing by identifying public remote IPs that receive a high average number of connections from a small number of devices. Beaconing is a hallmark of C2 communication: malware checks in with its controller repeatedly, usually at a consistent interval. The query aggregates the `ConnectionSuccessAggregatedReport` rows in `DeviceNetworkEvents` (the `uniqueEventsAggregated` value in `AdditionalFields` carries the number of connections each report summarises), applies device and connection thresholds per remote IP and day, and then enriches the initiating process hashes with `FileProfile` so that only processes with a low global prevalence are surfaced, which reduces false positives from widely deployed, known-good software.

#### Risk
Beaconing activity is a strong indicator of an active C2 channel. An attacker with a foothold on a device may use a C2 framework to maintain persistence, exfiltrate data, and issue commands. Detecting beaconing early can significantly reduce dwell time.

## Defender XDR
```KQL
let DeviceThreshold = 5;
let ConnectionThreshold = 25;
let GlobalPrevalenceThreshold = 250;
DeviceNetworkEvents
| where Timestamp > ago(7d)
// ipv4_is_private() returns null for non-IPv4 values, so IPv6 destinations are dropped here too
| where not(ipv4_is_private(RemoteIP))
| where ActionType == 'ConnectionSuccessAggregatedReport'
// number of connections summarised by each aggregated report
| extend Connections = toint(parse_json(AdditionalFields).uniqueEventsAggregated)
| summarize Total = count(), Devices = dcount(DeviceId), Domains = make_set(RemoteUrl), AvgConnections = avg(Connections) by RemoteIP, bin(Timestamp, 1d)
| where AvgConnections >= ConnectionThreshold and Devices <= DeviceThreshold
// look up which processes connected to the flagged IPs (scoped to the same window)
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where ActionType == 'ConnectionSuccess'
    | distinct RemoteIP, InitiatingProcessSHA256
) on RemoteIP
| invoke FileProfile(InitiatingProcessSHA256)
| where GlobalPrevalence <= GlobalPrevalenceThreshold
```

## Sentinel
```KQL
let DeviceThreshold = 5;
let ConnectionThreshold = 25;
let GlobalPrevalenceThreshold = 250;
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
// ipv4_is_private() returns null for non-IPv4 values, so IPv6 destinations are dropped here too
| where not(ipv4_is_private(RemoteIP))
| where ActionType == 'ConnectionSuccessAggregatedReport'
// number of connections summarised by each aggregated report
| extend Connections = toint(parse_json(AdditionalFields).uniqueEventsAggregated)
| summarize Total = count(), Devices = dcount(DeviceId), Domains = make_set(RemoteUrl), AvgConnections = avg(Connections) by RemoteIP, bin(TimeGenerated, 1d)
| where AvgConnections >= ConnectionThreshold and Devices <= DeviceThreshold
// look up which processes connected to the flagged IPs (scoped to the same window)
| join kind=inner (
    DeviceNetworkEvents
    | where TimeGenerated > ago(7d)
    | where ActionType == 'ConnectionSuccess'
    | distinct RemoteIP, InitiatingProcessSHA256
) on RemoteIP
| invoke FileProfile(InitiatingProcessSHA256)
| where GlobalPrevalence <= GlobalPrevalenceThreshold
```

## Explanation

This query detects potential Command & Control (C2) beaconing by analysing successful outbound connections. Step by step:

1. Objective: identify remote IPs that receive a high number of connections from a small number of devices, the pattern produced by malware checking in with its controller.
2. Process:
   - Data source: `DeviceNetworkEvents` from the past 7 days.
   - Filtering: excludes RFC 1918 destinations via `ipv4_is_private` and keeps only `ConnectionSuccessAggregatedReport` rows. `ipv4_is_private` returns null for IPv6 literals, so IPv6 destinations are dropped as well.
   - Aggregation: per remote IP and calendar day, averages the `uniqueEventsAggregated` value from `AdditionalFields`, counts distinct devices and collects the remote URLs seen.
   - Thresholds: flags IPs with an average of at least 25 connections from 5 or fewer devices. Both values are `let` variables and should be tuned to the environment.
   - Enrichment: joins back to plain `ConnectionSuccess` events to obtain the SHA-256 of every process that connected to a flagged IP, runs `FileProfile` and keeps only hashes with a `GlobalPrevalence` of 250 or less. Because the join is on `RemoteIP` alone, every process that reached that IP in the window is surfaced, not only the one responsible for the high connection count, so review the `Devices` and `Domains` columns alongside the process. A hash for which `FileProfile` has no prevalence data yields an empty `GlobalPrevalence`, and the `<=` comparison drops that row.
3. Risk: beaconing indicates that an attacker may be maintaining a channel to a compromised device, potentially to issue commands or exfiltrate data. Early detection shortens dwell time.
4. Tools: the query is provided for both Defender XDR (`Timestamp`) and Microsoft Sentinel (`TimeGenerated`).

In short, the query surfaces public destinations that a handful of devices contact unusually often, attributed to processes that are rare across the wider fleet.
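The following is an added example and is not part of the original page or the author's query: a Python re-implementation of the query's filter, aggregation, threshold and enrichment steps, run over constructed sample rows shaped like `DeviceNetworkEvents` records. The device IDs, IPs (documentation ranges), hashes and prevalence values are invented; the `global_prevalence` dictionary stands in for the `FileProfile` lookup and a fixed `NOW` stands in for `ago(7d)`. It also exercises the two edge cases the KQL handles implicitly: IPv6 destinations dropped by `ipv4_is_private`, and hashes for which no prevalence is known.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same thresholds as the query on this page.
DEVICE_THRESHOLD = 5
CONNECTION_THRESHOLD = 25
GLOBAL_PREVALENCE_THRESHOLD = 250

# Fixed "now" so the 7-day window is deterministic (assumption for this example).
NOW = datetime(2026, 3, 9, 12, 0, tzinfo=timezone.utc)

# RFC 1918 ranges, which is what KQL's ipv4_is_private() checks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_is_private(ip):
    """Mirror KQL: True/False for an IPv4 literal, None (null) for anything else.
    Because `where not(null)` drops the row, IPv6 destinations never reach the aggregation."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if addr.version != 4:
        return None
    return any(addr in net for net in RFC1918)


def event(action, days_ago, device, ip, url="", unique=None, sha=""):
    """Build one DeviceNetworkEvents-like row (constructed sample data, not real telemetry)."""
    row = {"Timestamp": NOW - timedelta(days=days_ago), "ActionType": action, "DeviceId": device,
           "RemoteIP": ip, "RemoteUrl": url, "InitiatingProcessSHA256": sha, "AdditionalFields": "{}"}
    if unique is not None:  # aggregated reports carry the per-report connection count
        row["AdditionalFields"] = json.dumps({"uniqueEventsAggregated": unique})
    return row


def aggregate_by_ip_day(events):
    """The summarize step: per RemoteIP and day, report count, distinct devices,
    set of URLs and the mean uniqueEventsAggregated."""
    buckets = defaultdict(lambda: {"Total": 0, "Devices": set(), "Domains": set(), "Conns": []})
    for e in events:
        if e["Timestamp"] <= NOW - timedelta(days=7):
            continue
        if ipv4_is_private(e["RemoteIP"]) is not False:  # private (True) or null (None) -> dropped
            continue
        if e["ActionType"] != "ConnectionSuccessAggregatedReport":
            continue
        unique = int(json.loads(e["AdditionalFields"])["uniqueEventsAggregated"])
        b = buckets[(e["RemoteIP"], e["Timestamp"].date())]
        b["Total"] += 1
        b["Devices"].add(e["DeviceId"])
        b["Domains"].add(e["RemoteUrl"])
        b["Conns"].append(unique)
    return [{"RemoteIP": ip, "Day": day, "Total": b["Total"], "Devices": len(b["Devices"]),
             "Domains": sorted(b["Domains"]), "AvgConnections": sum(b["Conns"]) / len(b["Conns"])}
            for (ip, day), b in buckets.items()]


def beaconing_candidates(events, global_prevalence):
    """Thresholds, then the join on RemoteIP and the prevalence filter.
    `global_prevalence` stands in for FileProfile(): SHA256 -> GlobalPrevalence.
    An unknown hash has no prevalence (null in KQL), and `null <= N` drops the row."""
    procs_by_ip = defaultdict(set)
    for e in events:
        if e["ActionType"] == "ConnectionSuccess":
            procs_by_ip[e["RemoteIP"]].add(e["InitiatingProcessSHA256"])
    hits = []
    for row in aggregate_by_ip_day(events):
        if not (row["AvgConnections"] >= CONNECTION_THRESHOLD and row["Devices"] <= DEVICE_THRESHOLD):
            continue
        for sha in sorted(procs_by_ip.get(row["RemoteIP"], ())):
            prev = global_prevalence.get(sha)
            if prev is not None and prev <= GLOBAL_PREVALENCE_THRESHOLD:
                hits.append({**row, "InitiatingProcessSHA256": sha, "GlobalPrevalence": prev})
    return hits


# Constructed sample: one rare binary beaconing from two hosts, plus rows that each take one exclusion path.
SAMPLE_EVENTS = [
    event("ConnectionSuccessAggregatedReport", 1, "dev-a", "203.0.113.10", "cdn-update.example", 40),
    event("ConnectionSuccessAggregatedReport", 1, "dev-b", "203.0.113.10", "cdn-update.example", 30),
    event("ConnectionSuccessAggregatedReport", 1, "dev-a", "203.0.113.10", "cdn-update.example", 50),
    event("ConnectionSuccess", 1, "dev-a", "203.0.113.10", sha="aaaa1111"),  # rare binary
    event("ConnectionSuccess", 2, "dev-b", "203.0.113.10", sha="bbbb2222"),  # common browser
    # Same volume but seen from many devices: fails DeviceThreshold.
    *[event("ConnectionSuccessAggregatedReport", 1, f"dev-{i}", "198.51.100.20", "crm.example", 60) for i in range(8)],
    event("ConnectionSuccess", 1, "dev-1", "198.51.100.20", sha="aaaa1111"),
    event("ConnectionSuccessAggregatedReport", 1, "dev-a", "10.0.0.5", "", 300),      # RFC 1918 destination
    event("ConnectionSuccessAggregatedReport", 1, "dev-a", "2001:db8::1", "", 300),   # IPv6: null -> dropped
    event("ConnectionSuccessAggregatedReport", 9, "dev-a", "192.0.2.77", "", 300),    # outside the 7-day window
]
SAMPLE_PREVALENCE = {"aaaa1111": 12, "bbbb2222": 950000}  # invented FileProfile values

if __name__ == "__main__":
    for hit in beaconing_candidates(SAMPLE_EVENTS, SAMPLE_PREVALENCE):
        print(hit)
```

Running it yields a single candidate: `203.0.113.10` with an average of 40 connections from 2 devices, attributed to the hash with prevalence 12. The browser hash that also reached that IP is dropped by the prevalence filter, which is the point of the `FileProfile` step, while the IPv6 and private destinations never enter the aggregation at all.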

## Details

Author: Bert-Jan Pals

Released: March 9, 2026

Tables: DeviceNetworkEvents

Keywords: Devices