Potential beaconing activity (ASIM Network Session schema)
This rule identifies beaconing patterns in network traffic logs based on recurring time intervals between sessions. Potential outbound beaconing to untrusted public networks should be investigated for malware callbacks or data exfiltration attempts, as discussed in the referenced blog post. The analytic rule uses ASIM and supports any built-in or custom source that implements the ASIM NetworkSession schema.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1071 Application Layer Protocol, T1571 Non-Standard Port |
Event coverage
Stages and Predicates
Stage 1: source
_Im_NetworkSession
Stage 2: where
not
macro "ipv4_is_private(DstIpAddr)"
Stage 3: where
not
macro "ipv4_is_in_any_range(DstIpAddr, LocalNetworks)"
Stage 4: project
Stage 5: sort
Stage 6: macro
Stage 7: extend
Stage 8: extend
Stage 9: where
SrcIpAddr eq "nextSrcIpAddr"
Stage 10: where
TimeDeltainSeconds gt "TimeDeltaThreshold"
Stage 11: project
Stage 12: summarize
Stage 13: summarize
Stage 14: where
TotalEvents gt "TotalEventsThreshold"
Stage 15: extend
Stage 16: where
BeaconPercent gt "PercentBeaconThreshold"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| BeaconPercent | gt | |
| SrcIpAddr | eq | |
| TimeDeltainSeconds | gt | |
| TotalEvents | gt | |