This plugin is designed to detect outbound malicious traffic from a mainframe by querying identity events and network activity. Here is a breakdown of its components:
Template: Contains the KQL query used to detect outbound traffic to public IPs on non-standard ports.
The KQL query in the Template setting performs the following steps:
- DeviceNetworkEvents: Queries the device network events.
- Filter: Filters the events to include only those with a RemoteIPType of “Public” and a RemotePort greater than 1024.
- Join: Joins the filtered network events with DeviceProcessEvents to get additional details about the processes that initiated the network connections.
- Summarize: Summarizes the results by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName and FileName.
This query helps identify potentially malicious outbound traffic by focusing on connections to public IPs on non-standard ports, which can be indicative of suspicious activity.
```yaml
Descriptor:
  Name: Detect outbound malicious traffic
  DisplayName: Detect outbound malicious traffic
  Description: >
    Identify outbound traffic from devices in the network to public IP addresses over non-standard ports (above 1024) and
    detect potentially suspicious or unauthorized network activity that could indicate data exfiltration, malware communication, or policy violations.

SkillGroups:
  - Format: KQL
    Skills:
      - Name: Detect outbound malicious traffic
        DisplayName: Detect outbound malicious traffic
        Description: >
          Identify outbound traffic from devices in the network to public IP addresses over non-standard ports (above 1024) and
          detect potentially suspicious or unauthorized network activity that could indicate data exfiltration, malware communication, or policy violations.
        ExamplePrompt:
          - "Get all outbound traffic"
          - "Show me all outbound traffic to public IPs on non-standard ports."
          - "List devices connecting to public IPs on ports above 1024."
          - "Find all applications making outbound connections to public IPs."
        Settings:
          Target: Defender
          TenantId: "Enter Tenant ID"
          SubscriptionId: "SubscriptionID"
          ResourceGroupName: "name of resource group"
          WorkspaceName: "name of workspace"
          Template: |-
            // This query identifies outbound traffic to public IPs on non-standard ports (above 1024).
            // Adjust RemotePort or RemoteIPType based on your organization's network behavior.
            DeviceNetworkEvents
            | where RemoteIPType == "Public" and RemotePort > 1024
            // Match each connection to the process-creation record of the process that opened it
            // (DeviceId plus process id); joining on DeviceId alone would pair every connection
            // with every process event on the same device.
            | join kind=leftouter (
                DeviceProcessEvents
                | project DeviceId, ProcessId, FileName, InitiatingProcessFileName
            ) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
            | summarize by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, FileName
```
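As an added tuning example (not part of the plugin above), the same DeviceNetworkEvents filter extended with a destination allowlist and per-process connection counts, so that rare or high-volume outbound talkers stand out instead of every connection above port 1024; the allowlisted ports, the two placeholder IPs and the thresholds are assumptions to adjust for your environment:

```kql
// Added example: tune the page's detection with an allowlist and per-process counts.
let lookback = 1d;
// Assumption: ports your organization expects to see outbound; adjust to fit.
let allowed_ports = dynamic([3389, 5985, 5986, 8080, 8443]);
// Constructed placeholder allowlist of known-good public destinations.
let allowed_dests = datatable(RemoteIP:string) [
    "203.0.113.10",
    "198.51.100.25"
];
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where RemoteIPType == "Public" and RemotePort > 1024
| where RemotePort !in (allowed_ports)
// Drop anything going to an allowlisted destination.
| join kind=leftanti allowed_dests on RemoteIP
| summarize ConnectionCount = count(),
            DistinctPorts = dcount(RemotePort),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, RemoteIP, InitiatingProcessFileName,
       InitiatingProcessFolderPath, InitiatingProcessAccountName
// Thresholds are assumptions: many connections or port scanning to one host from one process.
| where ConnectionCount >= 5 or DistinctPorts >= 3
| order by ConnectionCount desc
```

Start with wide thresholds, review what the summarize returns for a day of data, and then move persistent known-good destinations into the allowlist rather than raising the port floor.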