I'd like to find users with activity in every 1/3/5 minute bucket in the last 24 hours as the indication of possible malware/botnet beaconing.
Let's say I have sourcetype=firewall and bytesout/packetsout for activity and src_user for user.
Any idea how to write such search?
Something like this. You can update the span per your need.
index=YourINdex sourcetype=firewall | bucket span=1m _time | stats sum(bytes_out) as bytes_out sum(packets_out) as packets_out by _time activity src_user
How would you filter it further to get only the users that have packets_out > 10 in every 5 min bucket?
With current query, it's giving you total packets sent by activity-srcuser combination for every minute. For get "only the users that have packetsout > 10 in every 5 min bucket", first change the span to 5m and use where clause to filter it.
index=YourINdex sourcetype=firewall | bucket span=5m _time | stats sum(bytes_out) as bytes_out sum(packets_out) as packets_out by _time activity src_user | where packets_out>10
Yes, but it only gives users with activity in each bucket.
Let's say we have three buckets:
So, I want to display only the usernames with activity in all buckets, so in this case it's only user1.