Network footprint | SOC Hunt Feed

Hunt Hypothesis

Adversaries may establish persistent network communication to a specific remote IP or URL as part of command and control operations. SOC teams should proactively hunt for this behavior to identify potential C2 activity and mitigate advanced threats in their Azure Sentinel environment.

KQL Query

DeviceNetworkEvents
| where RemoteIP == "IP ADDRESS GOES HERE"
or RemoteUrl endswith "DNS ENTRY GOES HERE"
| project Timestamp, DeviceName, ActionType, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine

Analytic Rule Definition

id: aca2c8fd-03e2-4638-b5df-88ef5c4db16f
name: Network footprint
description: |
  Query 1 shows you any network communication happened from endpoints to a specific Remote IP or Remote URL.
  Ensure to update RemoteIP and RemoteURL variable.
  For questions @MiladMSFT on Twitter or [email protected] by email.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceNetworkEvents
query: |
  DeviceNetworkEvents
  | where RemoteIP == "IP ADDRESS GOES HERE"
  or RemoteUrl endswith "DNS ENTRY GOES HERE"
  | project Timestamp, DeviceName, ActionType, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine

Required Data Sources

Sentinel Table	Notes
`DeviceNetworkEvents`	Ensure this data connector is enabled

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/General queries/Network footprint.yaml)

False Positive Guidance

Scenario: System update via Microsoft Endpoint Manager (MEM)
Description: A legitimate system update process may communicate with Microsoft’s update servers.
Filter/Exclusion: Exclude traffic to update.microsoft.com or use a filter based on the RemoteIP field matching known Microsoft update IP ranges.
Scenario: Scheduled backup job to a cloud storage service (e.g., Azure Blob Storage)
Description: A backup process may initiate network communication to cloud storage endpoints.
Filter/Exclusion: Exclude traffic to blob.core.windows.net or use a filter based on the RemoteURL field containing /backup/ or similar paths.
Scenario: Remote PowerShell session initiated by an admin for troubleshooting
Description: An administrator may use PowerShell Remoting to connect to a remote system.
Filter/Exclusion: Exclude traffic to endpoints associated with the admin’s known IP range or use a filter based on the RemoteIP field matching the admin’s network.
Scenario: Software update via Windows Server Update Services (WSUS)
Description: A patching process may communicate with the internal WSUS server.
Filter/Exclusion: Exclude traffic to the internal WSUS server IP or use a filter based on the RemoteIP field matching the WSUS server’s IP address.
Scenario: Log collection via Splunk or ELK stack
Description: Log aggregation tools may push logs to a central server.
Filter/Exclusion: Exclude traffic to the Splunk or ELK server IP or use a filter based on the RemoteURL field containing /logs/ or similar paths.