How to generate a malware search to find users wit...

edvornit · ‎01-30-2017

I'd like to find users with activity in every 1/3/5 minute bucket in the last 24 hours as the indication of possible malware/botnet beaconing.

Let's say I have sourcetype=firewall and bytes_out/packets_out for activity and src_user for user.

Any idea how to write such search?

somesoni2 · ‎01-30-2017

Something like this. You can update the span per your need.

index=YourINdex sourcetype=firewall | bucket span=1m _time | stats sum(bytes_out) as bytes_out sum(packets_out) as packets_out by _time activity src_user

edvornit · ‎01-30-2017

How would you filter it further to get only the users that have packets_out > 10 in every 5 min bucket?

somesoni2 · ‎01-30-2017

With current query, it's giving you total packets sent by activity-src_user combination for every minute. For get "only the users that have packets_out > 10 in every 5 min bucket", first change the span to 5m and use where clause to filter it.

index=YourINdex sourcetype=firewall | bucket span=5m _time | stats sum(bytes_out) as bytes_out sum(packets_out) as packets_out by _time activity src_user | where packets_out>10

edvornit · ‎01-30-2017

Yes, but it only gives users with activity in each bucket.

Let's say we have three buckets:
bucket1:
user1,user2,user3
bucket2:
user1,user4,user5
bucket3:
user1,user4,user6

So, I want to display only the usernames with activity in all buckets, so in this case it's only user1.

How to generate a malware search to find users with packets sent out every 1, 3, or 5 minutes for the last 24 hours?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life