Malware often beacons to its command and control (C2) server by raw IP address (e.g. http://203.0.113.10/gate.php) rather than by domain name, which sidesteps DNS sinkholing, domain blocklists and domain-reputation controls. This rule flags allowed Cisco Umbrella proxy-log entries whose URL begins with an IPv4 literal, so that SOC teams can proactively hunt for such traffic in Azure Sentinel (now Microsoft Sentinel) and catch C2 activity that domain-based detection misses. Understand the scope of the pattern before relying on it: it matches only plain http:// URLs, not https://, and it fires on any host that starts with four dotted numbers, including internal RFC 1918 addresses and hostnames of the form 1.2.3.4.example.com, so it needs tuning for the environment.
KQL Query
let lbtime = 10m;
Cisco_Umbrella
| where TimeGenerated > ago(lbtime)
| where EventType == 'proxylogs'
| where DvcAction =~ 'Allowed'
| where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
| project TimeGenerated, SrcIpAddr, Identities
Analytics rule (YAML)
id: ee1818ec-5f65-4991-b711-bcf2ab7e36c3
name: Cisco Umbrella - URI contains IP address
description: |
  'Malware can use IP address to communicate with C2.'
severity: Medium
requiredDataConnectors:
  - connectorId: CiscoUmbrellaDataConnector
    dataTypes:
      - Cisco_Umbrella_proxy_CL
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
query: |
  let lbtime = 10m;
  Cisco_Umbrella
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'proxylogs'
  | where DvcAction =~ 'Allowed'
  | where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*'
  | project TimeGenerated, SrcIpAddr, Identities
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Identities
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
version: 1.1.1
kind: Scheduled
Scenario: An internal web application, appliance or printer admin console is reached by IP address rather than by hostname (e.g., http://10.1.2.3/admin), so an allowed proxy-log entry has a URL that starts with an RFC 1918 literal.
Filter/Exclusion: Extract the IP literal from UrlOriginal and drop the event when it falls in an internal range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or belongs to a specific internal server. Do not put this exclusion on SrcIpAddr: that field is the client's internal address, so excluding internal source ranges would suppress almost every event the rule could raise.
Scenario: A scheduled job (e.g., a backup, update or inventory script) fetches content from an HTTP endpoint addressed by IP (e.g., http://192.0.2.10/backup.tar) as part of its configuration or logging process.
Filter/Exclusion: Umbrella proxy logs carry no process name, so key the exclusion on what the log does carry: the Identities value of the service account or device that runs the job (e.g., a dedicated backup identity), or the exact destination URL it is known to fetch.
Scenario: A network discovery or configuration tool (e.g., Nmap or Masscan with HTTP probes, or SolarWinds Network Configuration Manager) is probing device web interfaces by IP address across the network.
Filter/Exclusion: Exclude the scanner by its SrcIpAddr or its Identities value (e.g., a network-admin identity); filtering on process name is not possible with this data source.
Scenario: A monitoring system (e.g., an availability checker or vulnerability scanner) requests HTTP endpoints by IP address to verify service health or to enforce policy.
Filter/Exclusion: Exclude the tool's known source (e.g., SrcIpAddr == '10.10.0.1') or its Identities value, and review the exclusion list periodically so a compromised monitoring host does not become a blind spot.
Scenario: A remote management tool (e.g., TeamViewer, LogMeIn, or AnyDesk)
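The following is an added example, not code from the page or from the Azure Sentinel content repository. It mirrors the rule's KQL in Python over a handful of constructed Umbrella proxy-log rows (field names taken from the query; values, identities and the allowlist are made up, public addresses come from RFC 5737 documentation ranges) so that the detection and the exclusions described above can be run offline. It shows what the original regex catches and misses (no https://, matches hostnames that merely start with four dotted numbers, accepts octets above 255) and a tuned variant that applies the exclusions to the right fields: the destination literal for internal ranges and Identities for known jobs.

```python
import re
import ipaddress

# Constructed sample of Cisco Umbrella proxy-log records, shaped like the rows the
# rule's query sees. Field names follow the query; every value is made up for this
# example, with public addresses drawn from RFC 5737 documentation ranges.
SAMPLE_PROXY_LOGS = [
    # Beacon to a bare public IP: the case the rule is written for.
    {"EventType": "proxylogs", "DvcAction": "Allowed", "SrcIpAddr": "10.20.30.40",
     "Identities": "alice@corp.example", "UrlOriginal": "http://203.0.113.77/gate.php"},
    # Same thing over HTTPS with a port: the page's regex only matches plain http://.
    {"EventType": "proxylogs", "DvcAction": "Allowed", "SrcIpAddr": "10.20.30.41",
     "Identities": "bob@corp.example", "UrlOriginal": "https://198.51.100.9:8443/api"},
    # Printer admin page reached by its RFC 1918 address: benign internal traffic.
    {"EventType": "proxylogs", "DvcAction": "Allowed", "SrcIpAddr": "10.20.30.42",
     "Identities": "carol@corp.example", "UrlOriginal": "http://10.1.2.3/admin"},
    # Backup job under a known service identity, fetching from a non-RFC 1918 IP.
    {"EventType": "proxylogs", "DvcAction": "Allowed", "SrcIpAddr": "10.20.30.43",
     "Identities": "svc-backup@corp.example", "UrlOriginal": "http://192.0.2.10/backup.tar"},
    # Blocked by Umbrella: the rule only considers Allowed traffic.
    {"EventType": "proxylogs", "DvcAction": "Blocked", "SrcIpAddr": "10.20.30.44",
     "Identities": "dave@corp.example", "UrlOriginal": "http://203.0.113.5/"},
    # Ordinary hostname URL.
    {"EventType": "proxylogs", "DvcAction": "Allowed", "SrcIpAddr": "10.20.30.45",
     "Identities": "erin@corp.example", "UrlOriginal": "http://www.example.com/"},
    # DNS log row: wrong EventType, never examined by the rule.
    {"EventType": "dnslogs", "DvcAction": "Allowed", "SrcIpAddr": "10.20.30.46",
     "Identities": "frank@corp.example", "UrlOriginal": ""},
    # Hostname that merely starts with four dotted numbers: the page's regex matches it.
    {"EventType": "proxylogs", "DvcAction": "Allowed", "SrcIpAddr": "10.20.30.47",
     "Identities": "grace@corp.example", "UrlOriginal": "http://203.0.113.9.example.net/"},
    # Octet above 255: satisfies \d{1,3} but is not an IPv4 address at all.
    {"EventType": "proxylogs", "DvcAction": "Allowed", "SrcIpAddr": "10.20.30.48",
     "Identities": "heidi@corp.example", "UrlOriginal": "http://999.1.1.1/x"},
]

# The rule's own pattern, unchanged apart from dropping the needless \/ escapes.
ORIGINAL_REGEX = re.compile(r"\Ahttp://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*")

# Tightened pattern: http or https, the whole host is four dotted numbers, an
# optional port, and the host must end there (path, query, fragment or end of string).
IP_HOST_REGEX = re.compile(
    r"\Ahttps?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?=[/?#]|\Z)"
)

# The internal ranges named in the first exclusion above (the same three ranges
# that Kusto's ipv4_is_private() covers).
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical tuning list: identities whose IP-literal fetches are expected.
ALLOWLISTED_IDENTITIES = {"svc-backup@corp.example"}


def in_scope(record):
    """The two filters the rule applies before the regex (=~ is case-insensitive)."""
    return record["EventType"] == "proxylogs" and record["DvcAction"].lower() == "allowed"


def original_rule(records):
    """Python mirror of the page's KQL: in-scope rows whose URL matches the regex."""
    return [r for r in records if in_scope(r) and ORIGINAL_REGEX.match(r["UrlOriginal"])]


def destination_ip(url):
    """IPv4 host of the URL as an IPv4Address, or None if the host is not a valid literal."""
    m = IP_HOST_REGEX.match(url)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group("ip"))
    except ipaddress.AddressValueError:  # e.g. 999.1.1.1 passes the regex but is invalid
        return None


def is_internal(ip):
    """True when the destination literal sits in one of the RFC 1918 ranges."""
    return any(ip in net for net in INTERNAL_RANGES)


def tuned_rule(records, allowlist=ALLOWLISTED_IDENTITIES):
    """Same detection with the exclusions applied to the fields Umbrella provides:
    the destination literal (not SrcIpAddr) for internal ranges, and the
    Identities value (there is no process name) for known jobs."""
    hits = []
    for r in records:
        if not in_scope(r):
            continue
        ip = destination_ip(r["UrlOriginal"])
        if ip is None or is_internal(ip) or r["Identities"] in allowlist:
            continue
        hits.append(r)
    return hits


def urls(records):
    """Just the URLs of a result set, for readable comparison."""
    return [r["UrlOriginal"] for r in records]


if __name__ == "__main__":
    print("original rule:", urls(original_rule(SAMPLE_PROXY_LOGS)))
    print("tuned rule:   ", urls(tuned_rule(SAMPLE_PROXY_LOGS)))
```

To carry the tuned logic back into the Sentinel rule, capture the literal with `extract()` and test it with `ipv4_is_private()`, e.g. `| extend DstIp = extract(@'^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:[/?#]|$)', 1, UrlOriginal) | where isnotempty(DstIp) and not(ipv4_is_private(DstIp)) | where Identities !in (allowlist)`. Kusto's regex engine is RE2, which has no lookahead, so the end-of-host delimiter is consumed with a non-capturing group there instead of the `(?=...)` used in the Python above; adding DstIp to the projection also lets it be mapped as a second IP entity.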