How to generate a malware search to find users with packets sent out every 1, 3, or 5 minutes for the last 24 hours?
I'd like to find users with activity in every 1/3/5-minute bucket in the last 24 hours as an indication of possible malware/botnet beaconing.
Let's say I have sourcetype=firewall with bytes_out/packets_out for activity and src_user for the user.
Any idea how to write such a search?

Something like this. You can update the span as needed.
index=YourIndex sourcetype=firewall | bucket span=1m _time | stats sum(bytes_out) as bytes_out sum(packets_out) as packets_out by _time activity src_user
How would you filter it further to get only the users that have packets_out > 10 in every 5 min bucket?

With the current query, it's giving you the total packets sent by each activity-src_user combination for every minute. To get "only the users that have packets_out > 10 in every 5 min bucket", first change the span to 5m and then use a where clause to filter it.
index=YourIndex sourcetype=firewall | bucket span=5m _time | stats sum(bytes_out) as bytes_out sum(packets_out) as packets_out by _time activity src_user | where packets_out>10
Yes, but it only gives users with activity in each bucket.
Let's say we have three buckets:
bucket1:
user1,user2,user3
bucket2:
user1,user4,user5
bucket3:
user1,user4,user6
So, I want to display only the usernames with activity in all buckets, so in this case it's only user1.

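The missing step in the thread is the "present in all buckets" test. One way to express it in SPL, as an added example that is not from any of the posters above: bucket the events, sum packets per user per bucket, keep buckets over the threshold, then count how many distinct buckets each user survives in and compare that against the number of buckets the search window contains. The example assumes only the fields the question names (src_user, packets_out, bytes_out), so it groups by src_user alone rather than the `activity` field used in the replies; `YourIndex` is a placeholder index name. The window is pinned to whole hours (earliest=-24h@h latest=@h) so that 24 hours divides evenly into 288 five-minute buckets, and `addinfo` exposes that window as info_min_time/info_max_time so the expected bucket count is computed from the search rather than hard-coded.

```spl
index=YourIndex sourcetype=firewall earliest=-24h@h latest=@h src_user=* packets_out=*
| bin span=5m _time
| stats sum(packets_out) AS packets_out, sum(bytes_out) AS bytes_out BY _time, src_user
| where packets_out > 10
| addinfo
| eval expected_buckets = floor((info_max_time - info_min_time) / 300)
| stats dc(_time) AS active_buckets, max(expected_buckets) AS expected_buckets, avg(packets_out) AS avg_packets_per_bucket, stdev(packets_out) AS stdev_packets_per_bucket BY src_user
| where active_buckets == expected_buckets
| table src_user, active_buckets, expected_buckets, avg_packets_per_bucket, stdev_packets_per_bucket
```

For a 1- or 3-minute cadence, change span=5m to span=1m or span=3m and the divisor 300 to 60 or 180. In the three-bucket illustration from the last post, user1 has active_buckets=3 and expected_buckets=3 and is returned; user4 has active_buckets=2 and is dropped. Two caveats a practitioner should keep in mind: an exact equality test is brittle, since a single missed 5-minute window (a laptop lid closed, a log gap) removes a real beacon from the results, so `where active_buckets >= expected_buckets * 0.95` is often a better operating threshold; and "present in every bucket" also matches legitimate chatty software (update checks, chat clients, monitoring agents), which is why the per-bucket stdev is carried through, because true beacons tend to show a suspiciously low variance in packets per interval compared with interactive traffic.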