How to generate a malware search to find users wit...

edvornit · ‎01-30-2017

I'd like to find users with activity in every 1/3/5 minute bucket in the last 24 hours as the indication of possible malware/botnet beaconing.

Let's say I have sourcetype=firewall and bytes_out/packets_out for activity and src_user for user.

Any idea how to write such search?

somesoni2 · ‎01-30-2017

Something like this. You can update the span per your need.

index=YourINdex sourcetype=firewall | bucket span=1m _time | stats sum(bytes_out) as bytes_out sum(packets_out) as packets_out by _time activity src_user

edvornit · ‎01-30-2017

How would you filter it further to get only the users that have packets_out > 10 in every 5 min bucket?

somesoni2 · ‎01-30-2017

With current query, it's giving you total packets sent by activity-src_user combination for every minute. For get "only the users that have packets_out > 10 in every 5 min bucket", first change the span to 5m and use where clause to filter it.

index=YourINdex sourcetype=firewall | bucket span=5m _time | stats sum(bytes_out) as bytes_out sum(packets_out) as packets_out by _time activity src_user | where packets_out>10

edvornit · ‎01-30-2017

Yes, but it only gives users with activity in each bucket.

Let's say we have three buckets:
bucket1:
user1,user2,user3
bucket2:
user1,user4,user5
bucket3:
user1,user4,user6

So, I want to display only the usernames with activity in all buckets, so in this case it's only user1.

How to generate a malware search to find users with packets sent out every 1, 3, or 5 minutes for the last 24 hours?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies