Adversaries may establish covert network communication with a specific remote IP or URL to exfiltrate data or maintain command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or C2 activity early.
KQL Query
```kql
// Query 4 Search for specific network communication of a Remote IP or URL that also discovers related file creation events
// Ensure to update the RemoteIP and RemoteURL variables.
let RemoteIP = "IP ADDRESS GOES HERE";
let RemoteURL = "URL GOES HERE";
DeviceFileEvents
// FileOriginIP holds the origin address directly; the URL fields may also carry the IP or the hostname
| where FileOriginIP == RemoteIP or FileOriginUrl == RemoteIP
    or FileOriginUrl contains RemoteURL or FileOriginReferrerUrl contains RemoteURL
| project DeviceName, Timestamp, FileName, FileOriginUrl, FileOriginIP, FileOriginReferrerUrl, SHA1
```
```yaml
id: 44b02f8c-d206-4e1a-9859-6aa06b80c346
name: Network footprint (3)
description: |
  Query 1 shows you any network communication that happened from endpoints to a specific remote IP or remote URL.
  Ensure to update the RemoteIP and RemoteURL variables.
  For questions @MiladMSFT on Twitter or [email protected] by email.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
query: |
  // Query 4 Search for specific network communication of a Remote IP or URL that also discovers related file creation events
  // Ensure to update the RemoteIP and RemoteURL variables.
  let RemoteIP = "IP ADDRESS GOES HERE";
  let RemoteURL = "URL GOES HERE";
  DeviceFileEvents
  // FileOriginIP holds the origin address directly; the URL fields may also carry the IP or the hostname
  | where FileOriginIP == RemoteIP or FileOriginUrl == RemoteIP
      or FileOriginUrl contains RemoteURL or FileOriginReferrerUrl contains RemoteURL
  | project DeviceName, Timestamp, FileName, FileOriginUrl, FileOriginIP, FileOriginReferrerUrl, SHA1
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Tasks
Description: A legitimate scheduled task (e.g., Windows Task Scheduler) communicates with a remote IP or URL to check for updates or perform maintenance.
Filter/Exclusion: Exclude traffic originating from known system accounts (e.g., SYSTEM, LocalService) or tasks with known update-related URLs (e.g., update.microsoft.com).
Scenario: Remote Administration Tool (RDP) Session
Description: An administrator uses Remote Desktop Protocol (RDP) to connect to a remote server, which may trigger network communication to the remote IP.
Filter/Exclusion: Exclude traffic from endpoints with known admin credentials or IP addresses associated with RDP sessions (e.g., using src_ip in a whitelist of admin IPs).
Scenario: Log Management Tool Communication
Description: A log management tool like Splunk or ELK Stack communicates with a remote server to send logs, which may be flagged as network footprint.
Filter/Exclusion: Exclude traffic to known log management servers (e.g., splunk.com, elasticsearch.com) or use a field like destination_service to identify log forwarding traffic.
Scenario: Software Update Distribution via SCCM
Description: A Software Center or Configuration Manager (SCCM) client communicates with a distribution point to download updates.
Filter/Exclusion: Exclude traffic to known SCCM distribution points (e.g., sccmserver.corp.example.com) or use a field like process_name to identify SCCM-related processes.
Scenario: Cloud Backup Service Communication
Description: A cloud backup service like Veeam, Dell EMC Data Domain, or AWS Backup communicates with a remote server to transfer data.
Filter/Exclusion: Exclude
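As an added example (it is not part of the original hunting query or the Azure Sentinel repository), the KQL below carries the same hunt across DeviceNetworkEvents, which records the connection itself, and joins back to DeviceFileEvents to surface files whose recorded origin is the same remote host. It also applies the exclusions the scenarios above describe, expressed with the actual Microsoft Defender advanced-hunting columns (InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl) rather than the Splunk-style field names used in the scenario text. The variables are named TargetIP and TargetUrl so they do not collide with the RemoteIP column of DeviceNetworkEvents; their placeholder values, the allow-listed domains, the process names and the 10-minute correlation window are all assumptions to tune for your own environment.

```kql
// Added example: network footprint hunt with scenario-based false-positive exclusions.
// Placeholders and allow lists below are assumptions, not values from the page.
let TargetIP = "IP ADDRESS GOES HERE";
let TargetUrl = "URL GOES HERE";
let lookback = 7d;
// Scenario exclusions: built-in service accounts (scheduled maintenance), known update /
// SCCM / log-management destinations, and management-agent processes (assumed examples)
let ServiceAccounts = dynamic(["system", "local service", "network service"]);
let KnownDestinations = dynamic(["update.microsoft.com", "sccmserver.corp.example.com", "splunk.com", "elasticsearch.com"]);
let ManagementProcesses = dynamic(["ccmexec.exe", "splunkd.exe"]);
// Outbound connections to the target host, with the noisy legitimate cases removed
let Connections = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteIP == TargetIP or RemoteUrl has TargetUrl
| where not(tolower(InitiatingProcessAccountName) in (ServiceAccounts))
| where not(RemoteUrl has_any (KnownDestinations))
| where not(tolower(InitiatingProcessFileName) in (ManagementProcesses))
| project DeviceName, ConnectionTime = Timestamp, RemoteIP, RemotePort, RemoteUrl,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine;
// Files whose recorded origin is the same remote host (the original query's signal)
let OriginFiles = DeviceFileEvents
| where Timestamp > ago(lookback)
| where FileOriginIP == TargetIP or FileOriginUrl has TargetUrl or FileOriginReferrerUrl has TargetUrl
| project DeviceName, FileTime = Timestamp, FileName, FolderPath, SHA1, FileOriginUrl, FileOriginIP;
// Correlate per device: keep every connection, and attach files written from that origin
// within 10 minutes of the connection (assumed window)
Connections
| join kind=leftouter OriginFiles on DeviceName
| where isnull(FileTime) or FileTime between (ConnectionTime .. (ConnectionTime + 10m))
| summarize ConnectionCount = dcount(ConnectionTime),
            FirstSeen = min(ConnectionTime), LastSeen = max(ConnectionTime),
            Files = make_set_if(FileName, isnotempty(FileName), 20),
            Hashes = make_set_if(SHA1, isnotempty(SHA1), 20)
  by DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName, InitiatingProcessFileName
| order by ConnectionCount desc
```

Rows with a non-empty Files set are the ones to triage first: a connection to the hunted host that was followed by a file write from the same origin is the combination the original query is looking for, while the account and process exclusions keep scheduled-task, SCCM and log-forwarder traffic from drowning it out. Review the allow lists periodically, since an exclusion on a process name alone is easy for an adversary to blend into.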