Adversaries may use legitimate-looking network connections to exfiltrate data or establish command-and-control channels; in DeviceNetworkEvents this can surface as connections initiated from unusual or unexpected folder paths. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify lateral movement or data exfiltration attempts masked by normal network activity.
KQL Query
let EphemeralRangeStart = 49152;
let IncludeInboundRemoteIPs = false;
let AliasPath = (SourcePath:(FolderPath:string, FileName:string))
{
SourcePath
| extend AliasPath = tolower(
case(
//Modern style profile
FolderPath startswith 'c:\\users\\', strcat('%UserProfile%', substring(FolderPath, indexof(FolderPath,'\\',11), strlen(FolderPath) - 11)),
//Legacy style profile
FolderPath startswith 'c:\\documents and settings\\', strcat('%UserProfile%', substring(FolderPath, indexof(FolderPath,'\\',27), strlen(FolderPath) - 27)),
//Windir
FolderPath contains @':\Windows\', strcat('%windir%', substring(FolderPath, 10)),
//ProgramData
FolderPath contains @':\programdata\', strcat('%programdata%', substring(FolderPath, 14)),
// ProgramFiles
FolderPath contains @':\Program Files\', strcat('%ProgramFiles%', substring(FolderPath, 16)),
// Program Files (x86)
FolderPath contains @':\Program Files (x86)\', strcat('%ProgramFilesx86%', substring(FolderPath, 22)),
//Other
FolderPath)
)
};
let ServerConnections =
DeviceNetworkEvents
| where ActionType in ('InboundConnectionAccepted','ListeningConnectionCreated')
and RemoteIPType != 'Loopback'
and LocalIP != RemoteIP
and RemoteIP !startswith '169.254'
and LocalPort < EphemeralRangeStart
| distinct DeviceId, InitiatingProcessFolderPath, LocalPort;
union (
DeviceNetworkEvents
| where ActionType in ('InboundConnectionAccepted','ListeningConnectionCreated','ConnectionSuccess','ConnectionFound','ConnectionRequest')
and RemoteIPType != 'Loopback'
and LocalIP != RemoteIP
and RemoteIP !startswith '169.254'
and LocalPort < EphemeralRangeStart
| join kind=leftsemi ServerConnections on DeviceId, InitiatingProcessFolderPath, LocalPort
| project-rename FolderPath = InitiatingProcessFolderPath, FileName = InitiatingProcessFileName
| invoke AliasPath()
| extend Directionality = 'Inbound', Port = LocalPort, RemoteIP = iff(IncludeInboundRemoteIPs == true, RemoteIP,'')
),(
DeviceNetworkEvents
| where ActionType in ('ConnectionSuccess','ConnectionFound','ConnectionRequest')
and RemoteIPType != 'Loopback'
and LocalIP != RemoteIP
and RemoteIP !startswith '169.254'
and LocalPort >= EphemeralRangeStart
| join kind=leftanti ServerConnections on DeviceId, InitiatingProcessFolderPath, LocalPort
| project-rename FolderPath = InitiatingProcessFolderPath, FileName = InitiatingProcessFileName
| invoke AliasPath()
| extend Directionality = 'Outbound', Port = RemotePort
)
| summarize ConnectionCount = count(), DistinctMachines = dcount(DeviceId), Ports = makeset(Port), RemoteIPs = makeset(RemoteIP) by Directionality, AliasPath
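The aliasing and directionality logic of the query above, re-implemented in Python as an added example (not the page's own query) and run over constructed DeviceNetworkEvents rows. It mirrors AliasPath, the shared exclusions, the ServerConnections set, the leftsemi/leftanti branches and the final summarize; the user-profile aliasing is generalised to any drive letter, where the KQL only matches C:.

```python
import re
from collections import defaultdict
# Added example, not the page's KQL: a Python mirror of the query's logic over constructed rows.
EPHEMERAL_RANGE_START = 49152
SERVER_ACTIONS = {"InboundConnectionAccepted", "ListeningConnectionCreated"}
CLIENT_ACTIONS = {"ConnectionSuccess", "ConnectionFound", "ConnectionRequest"}
PREFIX_ALIASES = [(":\\windows\\", "%windir%"), (":\\programdata\\", "%programdata%"),
                  (":\\program files\\", "%programfiles%"), (":\\program files (x86)\\", "%programfilesx86%")]

def alias_path(folder_path):
    """Mirror AliasPath: fold drive letter and user name into placeholders (any drive, not only C:)."""
    p = folder_path.lower()
    m = re.match(r"^[a-z]:\\(?:users|documents and settings)\\[^\\]+(\\.*)?$", p)
    if m:
        return "%userprofile%" + (m.group(1) or "")
    for marker, alias in PREFIX_ALIASES:
        i = p.find(marker)
        if i >= 0:  # keep the backslash that ends the marker, as the query's substring offsets do
            return alias + p[i + len(marker) - 1:]
    return p

def _is_noise(e):  # exclusions shared by every branch: loopback, self-connections, APIPA remotes
    return e["RemoteIPType"] == "Loopback" or e["LocalIP"] == e["RemoteIP"] or e["RemoteIP"].startswith("169.254")

def classify(events, include_inbound_remote_ips=False):
    """Return {(directionality, alias): summary}, mirroring ServerConnections, the union and summarize."""
    key = lambda e: (e["DeviceId"], e["InitiatingProcessFolderPath"], e["LocalPort"])
    servers = {key(e) for e in events if e["ActionType"] in SERVER_ACTIONS
               and e["LocalPort"] < EPHEMERAL_RANGE_START and not _is_noise(e)}
    summary = defaultdict(lambda: {"ConnectionCount": 0, "Devices": set(), "Ports": set(), "RemoteIPs": set()})
    for e in [x for x in events if not _is_noise(x) and x["ActionType"] in SERVER_ACTIONS | CLIENT_ACTIONS]:
        if e["LocalPort"] < EPHEMERAL_RANGE_START and key(e) in servers:  # join kind=leftsemi branch
            row = ("Inbound", e["LocalPort"], e["RemoteIP"] if include_inbound_remote_ips else "")
        elif e["ActionType"] in CLIENT_ACTIONS and e["LocalPort"] >= EPHEMERAL_RANGE_START and key(e) not in servers:
            row = ("Outbound", e["RemotePort"], e["RemoteIP"])  # join kind=leftanti branch
        else:
            continue  # e.g. a client connection from a low local port that never served anything
        s = summary[(row[0], alias_path(e["InitiatingProcessFolderPath"]))]
        s["ConnectionCount"] += 1; s["Devices"].add(e["DeviceId"]); s["Ports"].add(row[1]); s["RemoteIPs"].add(row[2])
    return dict(summary)

def _ev(device, action, path, lip, lport, rip, rport, riptype="Private"):
    return dict(DeviceId=device, ActionType=action, InitiatingProcessFolderPath=path, LocalIP=lip,
                LocalPort=lport, RemoteIP=rip, RemotePort=rport, RemoteIPType=riptype)
SAMPLE_EVENTS = [  # constructed DeviceNetworkEvents rows, not real telemetry
    _ev("devA", "ListeningConnectionCreated", r"C:\Windows\System32", "10.0.0.5", 445, "0.0.0.0", 0),
    _ev("devA", "InboundConnectionAccepted", r"C:\Windows\System32", "10.0.0.5", 445, "10.0.0.9", 51000),
    _ev("devA", "ConnectionSuccess", r"C:\Users\bob\AppData\Local\Google\Chrome\Application", "10.0.0.5", 52000, "203.0.113.10", 443),
    _ev("devB", "ConnectionSuccess", r"D:\Users\alice\AppData\Local\Google\Chrome\Application", "10.0.0.6", 51234, "203.0.113.10", 443),
    _ev("devB", "ConnectionSuccess", r"C:\Windows\System32", "10.0.0.6", 49000, "127.0.0.1", 8080, "Loopback"),
]
```

Running classify(SAMPLE_EVENTS) yields one Inbound row for %windir%\system32 on port 445 and one Outbound row for the Chrome profile path on port 443, with the two differently rooted Chrome paths collapsed into a single alias across both devices.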
id: 7323d9ca-ebf9-42da-a57b-015969fbd660
name: Firewall Policy Design Assistant
description: |
  This query helps you design client firewall rules based on data stored within DeviceNetworkEvents. Folder paths are aliased to help represent the
  files making or receiving network connections without dealing with duplication from path variance due to different root drive letters or user profile
  association.
  To make the report easy to read, inbound remote IP addresses are not calculated by default (this can be changed by setting the value of IncludeInboundRemoteIPs to true).
  Also, the ephemeral range is defaulted to 49152 to help eliminate false detections.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Misconfiguration
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (e.g., Task Scheduler or Windows Update) is making outbound network connections to update system files or check for patches.
Filter/Exclusion: Exclude connections initiated by Task Scheduler or processes with CommandLine containing schtasks.exe or wuauclt.exe.
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Microsoft Defender, Kaspersky, or Bitdefender is performing a full system scan and establishing outbound connections to check virus definitions or submit samples.
Filter/Exclusion: Exclude processes with ProcessName like MsMpEng.exe, KavService.exe, or bdagent.exe.
Scenario: Database Backup Job
Description: A database backup job (e.g., SQL Server Backup, MySQL Dump) is transferring data over the network to a remote backup server.
Filter/Exclusion: Exclude connections where DestinationHostname matches the backup server IP or domain, or where ProcessName includes sqlbackup.exe or mysqldump.exe.
Scenario: Software Update Deployment
Description: A tool like Microsoft Endpoint Configuration Manager (SCCM) or Chocolatey is pushing updates to client machines, resulting in outbound network traffic.
Filter/Exclusion: Exclude connections initiated by ccmexec.exe, Chocolatey.exe, or msiexec.exe with known update-related command lines.
Scenario: Cloud Sync Tool Activity
Description: A cloud sync tool like OneDrive, Dropbox, or Google Drive is synchronizing files between the local machine and a cloud server.
Filter/Exclusion: Exclude connections where DestinationHostname matches the cloud service domain (