Adversaries may establish covert network communication with a specific remote IP address or URL to exfiltrate data or maintain command and control (C2). Once an indicator is known (a C2 address, a domain, or the binary that beacons to it), SOC teams can hunt for it across endpoint telemetry in Microsoft Sentinel (formerly Azure Sentinel) to find every host that reached the same infrastructure, whether for data exfiltration or C2.
KQL Query

```kql
// Query 2 shows you any network communication that happened from endpoints through a specific file (initiating process) to a Remote IP or Remote URL
// Be sure to update RemoteIP, RemoteURL and InitiatingProcessFileName
// For questions @MiladMSFT on Twitter or [email protected] by email
let IP = "IP ADDRESS GOES HERE";
let DNS = "DNS ENTRY GOES HERE";
let FILENAME = "FILENAME GOES HERE";
DeviceNetworkEvents
// endswith matches the domain and its subdomains, but also any name that merely ends in the string;
// =~ makes the process-name comparison case-insensitive
| where (RemoteIP == IP or RemoteUrl endswith DNS) and InitiatingProcessFileName =~ FILENAME
| project Timestamp, DeviceName, ActionType, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
```

The comment calls this Query 2, the variant that also pins the initiating process. The variant the metadata below describes (Query 1, which matches on the remote IP or URL only) is the same query with the `and InitiatingProcessFileName =~ FILENAME` clause removed.
Query definition (YAML)

```yaml
id: 42b5b09c-7132-4f37-a2fd-4efeed2c540c
name: Network footprint (1)
description: |
  Query 1 shows you any network communication that happened from endpoints to a specific Remote IP or Remote URL.
  Be sure to update the RemoteIP and RemoteURL variables.
  For questions @MiladMSFT on Twitter or [email protected] by email.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
query: |
  // Query 2 shows you any network communication that happened from endpoints through a specific file to a Remote IP or Remote URL
  // Be sure to update RemoteIP, RemoteURL and InitiatingProcessFileName
  // For questions @MiladMSFT on Twitter or [email protected] by email
  let IP = "IP ADDRESS GOES HERE";
  let DNS = "DNS ENTRY GOES HERE";
  let FILENAME = "FILENAME GOES HERE";
  DeviceNetworkEvents
  | where (RemoteIP == IP or RemoteUrl endswith DNS) and InitiatingProcessFileName =~ FILENAME
  | project Timestamp, DeviceName, ActionType, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR (formerly Microsoft 365 Defender) connector, connectorId `MicrosoftThreatProtection`. Ensure the connector is enabled and the DeviceNetworkEvents data type is selected, otherwise the query returns nothing without error. |
Benign traffic that can match this hunt once the indicator filter is loosened, with the KQL exclusion for each. Every exclusion should be written so that a real indicator hit is never suppressed by an allowlist.

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled system updates via Microsoft Update | A legitimate scheduled task (the Windows Update client, which runs inside a shared svchost.exe) downloads updates from Microsoft's update servers. | Exclude by destination name, e.g. `not(RemoteUrl endswith ".update.microsoft.com" or RemoteUrl endswith ".windowsupdate.com")`. Do not exclude by IP: Microsoft Update is served from CDN ranges that change, and 4.2.2.1 and 4.2.2.2 are Level 3 public DNS resolvers, not Microsoft update servers. Do not allowlist svchost.exe on its own either, since many unrelated services share that host process. |
| Admin task using PowerShell to query a remote server | An administrator uses PowerShell to query a remote server for system information (e.g., Get-WmiObject). | Exclude internal destinations for that process, e.g. `not(InitiatingProcessFileName =~ "powershell.exe" and ipv4_is_in_range(RemoteIP, "10.0.0.0/8"))`; KQL has no `RemoteIP in (10.0.0.0/8)` form, and `ipv4_is_private(RemoteIP)` covers all RFC 1918 space at once. Do not drop powershell.exe outright: it is a common C2 and exfiltration host, so an unconditional process exclusion blinds the hunt. Scope further by admin account (InitiatingProcessAccountName) or jump host (DeviceName) where needed. |
| Log collection via Splunk forwarder | A Splunk Universal Forwarder sends logs to a central Splunk server. | Pair the process with its destination, e.g. `not(InitiatingProcessFileName =~ "splunkd.exe" and RemoteIP == "10.10.10.10")` (the forwarder runs as splunkd; `process.name = "splunkforwarder"` is neither a DeviceNetworkEvents column nor KQL syntax). Excluding by destination alone lets any process that reaches the Splunk server hide; excluding by process name alone lets a renamed binary hide. |
| Software licensing server communication | A software license server communicates with endpoints to validate licenses. | Same pattern: `not(InitiatingProcessFileName =~ "license-service.exe" and RemoteIP == "10.20.30.40")`, with the hypothetical process name and address replaced by the real ones. |
| DNS resolution for internal services | Endpoints resolve internal DNS names (e.g., internal.service.example.com) to IP addresses. | Exclude traffic to the internal DNS servers on the DNS port, e.g. `not(RemoteIP == "10.53.0.1" and RemotePort == 53)`, or use a filter like `RemoteIP in (10.0.0.0 |
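The following is an added example, not the original hunting query and not code from the Azure Sentinel repository. It widens the hunt from one indicator to the network footprint of every process in the fleet, folds the exclusions from the scenarios table into KQL, and surfaces destinations seen on only a few devices, which is where a beacon from a handful of compromised hosts stands out from fleet-wide traffic. The indicator values, the internal server addresses (10.10.10.10, 10.20.30.40, 10.53.0.1) and the process names (splunkd.exe, license-service.exe) are placeholders taken from the scenarios or assumed for illustration; the 7-day window and the "three devices or fewer" rarity threshold are arbitrary choices.

```kql
// Added example, not part of the original hunting query or the Azure Sentinel repository.
// Indicator values and internal addresses are placeholders; replace them before use.
let IP = "203.0.113.10";          // hypothetical C2 IP (TEST-NET-3, not routable)
let DNS = "example.com";          // hypothetical C2 domain
let LookBack = 7d;                // arbitrary hunting window
// Hypothetical internal infrastructure from the scenarios table
let SplunkServer = "10.10.10.10";
let LicenseServer = "10.20.30.40";
let InternalDns = dynamic(["10.53.0.1"]);
DeviceNetworkEvents
| where Timestamp > ago(LookBack)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
// An indicator hit is the domain itself or a subdomain of it; a bare
// "endswith DNS" would also match an unrelated name such as notexample.com
| extend IndicatorHit = RemoteIP == IP or RemoteUrl =~ DNS or RemoteUrl endswith strcat(".", DNS)
// Every exclusion below is guarded by IndicatorHit, so an allowlist can never
// suppress a known-bad destination
// Scenario 1: Microsoft Update, matched on destination name, not on IP ranges that change
| where IndicatorHit or not(RemoteUrl endswith ".update.microsoft.com"
                            or RemoteUrl endswith ".windowsupdate.com"
                            or RemoteUrl endswith ".delivery.mp.microsoft.com")
// Scenario 2: PowerShell admin queries to internal hosts; exclude the internal
// destination for that process rather than excluding powershell.exe outright
| where IndicatorHit or not(InitiatingProcessFileName =~ "powershell.exe"
                            and ipv4_is_in_range(RemoteIP, "10.0.0.0/8"))
// Scenarios 3 and 4: agent-to-server pairs; pairing process and destination means a
// renamed binary, or another process reaching the same server, is still reported
| where IndicatorHit or not(InitiatingProcessFileName =~ "splunkd.exe" and RemoteIP == SplunkServer)
| where IndicatorHit or not(InitiatingProcessFileName =~ "license-service.exe" and RemoteIP == LicenseServer)
// Scenario 5: lookups against the internal resolvers
| where IndicatorHit or not(RemoteIP in (InternalDns) and RemotePort == 53)
// Footprint: which process talks to which destination, and on how many devices
| summarize Connections = count(),
            Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
          by IndicatorHit, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort
// Indicator hits always surface; otherwise keep destinations seen on at most three devices
| where IndicatorHit or Devices <= 3
| extend Priority = iff(IndicatorHit, 0, 1)
| order by Priority asc, Devices asc, Connections desc
| project-away Priority
```

If the hunt is only about external egress, replace the per-scenario internal exclusions with a single `| where IndicatorHit or not(ipv4_is_private(RemoteIP))`. Keep the `IndicatorHit or` guard on every exclusion: the point of an allowlist is to remove noise from the broad footprint, never to hide a destination you already know is bad.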