T1071 Application Layer Protocol Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let TimeWindow = 24h;
let BeaconThreshold = 10;
let EntropyThreshold = 4.5;
// Detect anomalous outbound connections with beaconing patterns
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| where RemotePort in (80, 443, 53, 21, 25, 110, 143, 8080, 8443, 1883, 5222)
| summarize
    ConnectionCount = count(),
    UniqueRemoteIPs = dcount(RemoteIP),
    UniquePorts = dcount(RemotePort),
    Ports = make_set(RemotePort),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    AvgTimeBetween = datetime_diff('second', max(Timestamp), min(Timestamp)) / count()
    by DeviceName, InitiatingProcessFileName, InitiatingProcessId
| where ConnectionCount > BeaconThreshold
| where AvgTimeBetween between (1 .. 3600)
| extend BeaconScore = iff(AvgTimeBetween between (55 .. 65) or AvgTimeBetween between (295 .. 305) or AvgTimeBetween between (895 .. 905), "high", "medium")
| project Timestamp=LastSeen, DeviceName, InitiatingProcessFileName, ConnectionCount, UniqueRemoteIPs, Ports, AvgTimeBetween, BeaconScore, FirstSeen, LastSeen
| sort by ConnectionCount desc

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Legitimate software performing periodic update checks (Windows Update, antivirus definitions, NTP)
Monitoring and heartbeat agents that maintain persistent connections to cloud management platforms
Chat and collaboration applications (Slack, Teams, Zoom) with long-lived WebSocket or polling connections
IoT devices communicating via MQTT to cloud brokers on regular intervals

Splunk

spl

index=proxy OR index=firewall OR index=network sourcetype IN ("stream:tcp", "pan:traffic", "cisco:asa", "squid")
  dest_port IN (80, 443, 53, 21, 25, 110, 143, 8080, 8443, 1883, 5222)
  action=allowed
  NOT (dest_ip="10.*" OR dest_ip="172.16.*" OR dest_ip="192.168.*" OR dest_ip="127.*")
| bin _time span=5m
| stats count as ConnectionCount, dc(dest_ip) as UniqueDestIPs, dc(dest_port) as UniquePorts, values(dest_port) as Ports, earliest(_time) as FirstSeen, latest(_time) as LastSeen by src_ip, process_name
| where ConnectionCount > 10
| eval Duration=LastSeen-FirstSeen
| eval AvgInterval=if(ConnectionCount>1, Duration/(ConnectionCount-1), 0)
| where AvgInterval > 1 AND AvgInterval < 3600
| eval BeaconScore=case(
    (AvgInterval >= 55 AND AvgInterval <= 65) OR (AvgInterval >= 295 AND AvgInterval <= 305), "high",
    1=1, "medium")
| table FirstSeen, LastSeen, src_ip, process_name, ConnectionCount, UniqueDestIPs, Ports, AvgInterval, BeaconScore
| sort - ConnectionCount

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Proxy Logs Firewall Logs

Required Sourcetypes

stream:tcp pan:traffic cisco:asa squid

False Positives

Legitimate software performing periodic update checks (Windows Update, antivirus definitions, NTP)
Monitoring and heartbeat agents that maintain persistent connections to cloud management platforms
Chat and collaboration applications (Slack, Teams, Zoom) with long-lived WebSocket or polling connections
IoT devices communicating via MQTT to cloud brokers on regular intervals

Elastic Security (EQL)

eql

sequence by process.entity_id with maxspan=24h
  [network where event.type in ("connection", "start") and
   network.direction == "egress" and
   destination.port in (80, 443, 53, 21, 25, 110, 143, 8080, 8443, 1883, 5222) and
   not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16") and
   process.name != null
  ] with runs=10

high severity medium confidence

Data Sources

Elastic Endpoint Security agent Packetbeat network capture NDR ingested via Elastic Agent

Required Tables

logs-endpoint.events.network-* logs-network_traffic.* packetbeat-*

False Positives

Monitoring agents with fixed heartbeat intervals (Datadog, New Relic, Dynatrace) legitimately connect to cloud endpoints at 60s or 300s intervals, producing high beacon scores against exactly those thresholds
Browser processes (chrome.exe, firefox.exe, msedge.exe) performing background sync, telemetry reporting, or extension update checks to vendor cloud infrastructure at regular intervals
Enterprise software update clients and antivirus daemons polling update servers on fixed schedules across ports 80, 443, or 8080 from every managed endpoint simultaneously

IBM QRadar (AQL)

sql

SELECT sourceip,
       destinationip,
       destinationport,
       "userName",
       COUNT(*) AS ConnectionCount,
       MIN(starttime) AS FirstSeenEpochMs,
       MAX(starttime) AS LastSeenEpochMs,
       CASE
         WHEN COUNT(*) > 1
         THEN (MAX(LONG(starttime)) - MIN(LONG(starttime))) / (COUNT(*) - 1)
         ELSE 0
       END AS AvgIntervalMs
FROM events
WHERE starttime > (NOW() - 86400000)
  AND destinationport IN (80, 443, 53, 21, 25, 110, 143, 8080, 8443, 1883, 5222)
  AND eventdirection = 'L2R'
  AND NOT (destinationip ILIKE '10.%'
        OR destinationip ILIKE '172.16.%'
        OR destinationip ILIKE '172.17.%'
        OR destinationip ILIKE '172.18.%'
        OR destinationip ILIKE '172.19.%'
        OR destinationip ILIKE '172.20.%'
        OR destinationip ILIKE '172.21.%'
        OR destinationip ILIKE '172.22.%'
        OR destinationip ILIKE '172.23.%'
        OR destinationip ILIKE '172.24.%'
        OR destinationip ILIKE '172.25.%'
        OR destinationip ILIKE '172.26.%'
        OR destinationip ILIKE '172.27.%'
        OR destinationip ILIKE '172.28.%'
        OR destinationip ILIKE '172.29.%'
        OR destinationip ILIKE '172.30.%'
        OR destinationip ILIKE '172.31.%'
        OR destinationip ILIKE '192.168.%'
        OR destinationip ILIKE '127.%')
GROUP BY sourceip, destinationip, destinationport, "userName"
HAVING COUNT(*) > 10
   AND AvgIntervalMs BETWEEN 1000 AND 3600000
ORDER BY ConnectionCount DESC

high severity medium confidence

Data Sources

QRadar Network Activity (firewall, proxy, IDS log sources) Palo Alto PAN-OS Cisco ASA Check Point

Required Tables

events

False Positives

CDN health-check probes and load balancer keep-alives from internal application servers to external monitoring endpoints generate repetitive outbound connections with sub-minute fixed intervals
VoIP and SIP clients making regular registration refresh messages to external SIP providers, often tunnelled over TCP 443 or 5060, may exhibit sub-60-second average intervals
IoT and OT devices with telemetry callbacks to cloud platforms (AWS IoT Core over MQTT 8883, generic MQTT 1883) at fixed polling cadences match the connection count and interval thresholds

Sumo Logic CSE

sql

(_sourceCategory=network* OR _sourceCategory=firewall* OR _sourceCategory=proxy*)
| where !(isNull(dst_port))
| where dst_port in ("80","443","53","21","25","110","143","8080","8443","1883","5222")
| where !(dst_ip matches "10.*" or dst_ip matches "172.16.*" or dst_ip matches "172.17.*" or dst_ip matches "172.18.*" or dst_ip matches "172.19.*" or dst_ip matches "172.2*" or dst_ip matches "172.30.*" or dst_ip matches "172.31.*" or dst_ip matches "192.168.*" or dst_ip matches "127.*")
| where isNull(action) or action in ("allowed","accept","permit","Allow")
| timeslice 24h
| count as ConnectionCount, count_distinct(dst_ip) as UniqueDestIPs, first(_messageTime) as FirstSeenMs, last(_messageTime) as LastSeenMs by src_ip, process_name, _timeslice
| where ConnectionCount > 10
| fields - _timeslice
| eval Duration = LastSeenMs - FirstSeenMs
| eval AvgIntervalMs = if(ConnectionCount > 1, Duration / (ConnectionCount - 1), 0)
| where AvgIntervalMs > 1000 and AvgIntervalMs < 3600000
| eval BeaconScore = if((AvgIntervalMs >= 55000 and AvgIntervalMs <= 65000) or (AvgIntervalMs >= 295000 and AvgIntervalMs <= 305000) or (AvgIntervalMs >= 895000 and AvgIntervalMs <= 905000), "high", "medium")
| sort by ConnectionCount

high severity medium confidence

Data Sources

Palo Alto PAN-OS (palo-alto-networks) Cisco ASA (cisco_asa) Zscaler NSS Squid Proxy Bluecoat ProxySG

Required Tables

_sourceCategory=network* _sourceCategory=firewall* _sourceCategory=proxy*

False Positives

Automated backup agents (Veeam, Acronis, Carbonite) making periodic outbound connections to cloud storage endpoints over port 443 at fixed backup window intervals will match connection count thresholds
Corporate endpoint management agents (SCCM, Tanium, Qualys Cloud Agent) regularly checking in to management infrastructure produce repetitive outbound connections with predictable intervals
SaaS desktop clients with background auto-sync (Dropbox, Box, OneDrive) polling for delta changes at sub-minute intervals accumulate connection counts well above the threshold of 10 per 24 hours

Google Chronicle / SecOps

yaral

rule t1071_application_layer_protocol_beaconing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects C2 beaconing over application layer protocols (T1071). Identifies processes making more than 10 outbound network connections to non-RFC1918 IPs on common protocol ports within a 1-hour match window."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1071"
    reference = "https://attack.mitre.org/techniques/T1071/"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (80, 443, 53, 21, 25, 110, 143, 8080, 8443, 1883, 5222)
    not re.regex($e.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)
    $e.principal.process.file.full_path != ""
    $hostname = $e.principal.hostname
    $process_path = $e.principal.process.file.full_path

  match:
    $hostname, $process_path over 1h

  outcome:
    $connection_count = count($e.metadata.id)
    $unique_dest_ips = count_distinct($e.target.ip)
    $dest_ports = array_distinct($e.target.port)
    $first_seen = min($e.metadata.event_timestamp.seconds)
    $last_seen = max($e.metadata.event_timestamp.seconds)
    $risk_score = max(if($e.target.port = 1883 or $e.target.port = 5222, 85, 60))

  condition:
    #e > 10
}

high severity medium confidence

Data Sources

Chronicle UDM via Endpoint telemetry forwarders Palo Alto Cortex XDR ingested to Chronicle Windows Defender ATP events via Chronicle ingestion Firewall/proxy syslog normalised to UDM NETWORK_CONNECTION

Required Tables

NETWORK_CONNECTION UDM events

False Positives

Legitimate recursive DNS resolvers or DNS forwarder appliances on the network making high volumes of outbound port 53 connections will match if not excluded by principal.hostname or IP allowlist
Email security gateways making repeated outbound connections on SMTP (25), IMAP (143), or POP3 (110) to external mail exchange servers for relay and delivery
Industrial IoT sensors using MQTT (1883) or XMPP (5222) for cloud telemetry publishing at fixed intervals — these are expected in OT network segments and should be excluded by network zone

CrowdStrike LogScale (CQL)

cql

#event_simpleName=NetworkConnectIP4
| RemotePort in [80, 443, 53, 21, 25, 110, 143, 8080, 8443, 1883, 5222]
| !cidr(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"])
| groupBy([ComputerName, ImageFileName, ContextProcessId], function=[
    count(as=ConnectionCount),
    min(field=@timestamp, as=FirstSeen),
    max(field=@timestamp, as=LastSeen),
    collect(field=RemotePort, as=Ports, limit=20),
    count(field=RemoteAddressIP4, distinct=true, as=UniqueRemoteIPs)
  ])
| ConnectionCount > 10
| eval Duration := LastSeen - FirstSeen
| eval AvgIntervalMs := if(ConnectionCount > 1, Duration / (ConnectionCount - 1), 0)
| AvgIntervalMs > 1000 AND AvgIntervalMs < 3600000
| eval BeaconScore := if(
    (AvgIntervalMs >= 55000 AND AvgIntervalMs <= 65000) OR
    (AvgIntervalMs >= 295000 AND AvgIntervalMs <= 305000) OR
    (AvgIntervalMs >= 895000 AND AvgIntervalMs <= 905000),
    "high",
    "medium")
| sort(field=ConnectionCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (NetworkConnectIP4 events) Falcon LogScale (Humio) SIEM ingestion

Required Tables

NetworkConnectIP4 (Falcon platform event stream)

False Positives

The CrowdStrike Falcon sensor process itself (CSFalconService, falcond) and other EDR agents make regular check-ins to cloud infrastructure — whitelist known EDR process image paths in ImageFileName
Software configuration management tools (Puppet agent, Chef client, Ansible pull mode) that poll controller nodes at configured run intervals over 443 or 8443 match both the connection count and scored interval thresholds
Unified communications clients (Microsoft Teams, Zoom, Cisco Webex) maintaining persistent WebSocket or HTTPS keep-alive connections to CDN endpoints at near-regular heartbeat intervals, particularly on port 443 or 8443

Application Layer Protocol

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (5)

Same Tactic: Command and Control

Popular Detections