how to identify beacon activity

leotoa · ‎11-18-2015

Hello all,

I've recently observed activity that smells like beaconing. After trying to modify the searches provided within Splunk Documentation et al, I'd like to pose the following:

My example:
I want to identify any outbound activity (source_ip=10.etc or 198.162.etc) where the protocol=dns(or other), and the time between any beacon communications is _time-prev_time=consistent across each respective communication with a variance in the consistency of x-time

The result ( | table) I hope to get will look like this:
Count=number of beacons recorded
AvgTbB=Average Time between Beacons
MaxTbB=Maximum Time between Beacons
MinTbB=Minimum Time between Beacons

Source_IP, Dest_IP, Count, AvgTbB, MaxTbB, MinTbB,
10.1.2.3, 4.5.6.7, 89,7days6hrs5mins4sec, 5days6hrs7min8sec

Any assistance and/guidance on how to approach this is greatly appreciated

sundareshr · ‎11-18-2015

Here's a strawman to give you some ideas to explore

   (search to return only beacon events) | delta _time as TbB p=1 | stats avg(TbB) as AvgTbB max(TbB) as MaxTbB min(TbB) as MinTbB

how to identify beacon activity

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

how to identify beacon activity

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0