Hello all,
I've recently observed activity that smells like beaconing. After trying to modify the searches provided within Splunk Documentation et al, I'd like to pose the following:
My example:
I want to identify any outbound activity (source_ip=10.etc or 198.162.etc) where the protocol=dns (or other), and the time between any beacon communications is _time-prev_time, consistent across each respective communication with a variance in the consistency of x-time.
The result ( | table) I hope to get will look like this:
Count=number of beacons recorded
AvgTbB=Average Time between Beacons
MaxTbB=Maximum Time between Beacons
MinTbB=Minimum Time between Beacons
Source_IP, Dest_IP, Count, AvgTbB, MaxTbB, MinTbB
10.1.2.3, 4.5.6.7, 89, 7days6hrs5mins4sec, 5days6hrs7min8sec
Any assistance and/or guidance on how to approach this is greatly appreciated.
Here's a strawman to give you some ideas to explore:
(search to return only beacon events) | sort 0 _time | delta _time as TbB p=1 | stats count as Count avg(TbB) as AvgTbB max(TbB) as MaxTbB min(TbB) as MinTbB
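A fuller search built on the question's _time-prev_time idea, added here as an example and not part of the original answer: it sorts events oldest-first, uses streamstats (rather than delta, which cannot group) so the interval is computed per source/destination pair, and flags pairs whose interval is consistent by comparing the standard deviation of the interval to its average. Assumed: the fields are named src_ip and dest_ip, the "198.162" range in the question is 192.168.0.0/16, and the Count>=10 and 10% jitter thresholds are starting values to tune, not values from the page.

```spl
protocol=dns (src_ip=10.0.0.0/8 OR src_ip=192.168.0.0/16)
| sort 0 _time
| streamstats current=f last(_time) as prev_time by src_ip dest_ip
| eval TbB=_time-prev_time
| stats count as Count avg(TbB) as AvgTbB stdev(TbB) as StdevTbB max(TbB) as MaxTbB min(TbB) as MinTbB by src_ip dest_ip
| eval Jitter=round(StdevTbB/AvgTbB, 3)
| where Count>=10 AND Jitter<=0.1
| foreach AvgTbB MaxTbB MinTbB [ eval <<FIELD>>=tostring(round(<<FIELD>>), "duration") ]
| table src_ip dest_ip Count AvgTbB MaxTbB MinTbB Jitter
```

The first event of each pair has no prev_time, so its TbB is null and is ignored by avg/max/min/stdev while still being counted; Jitter is the x-time variance from the question expressed as a fraction of the average interval, so a pair beaconing every 60 seconds with Jitter 0.1 varies by roughly 6 seconds.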