Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to identify beacon activity

leotoa
New Member
‎11-18-2015 04:47 PM

Hello all,

I've recently observed activity that smells like beaconing. After trying to modify the searches provided within Splunk Documentation et al, I'd like to pose the following:

My example:
I want to identify any outbound activity (source_ip=10.etc or 198.162.etc) where the protocol=dns(or other), and the time between any beacon communications is _time-prev_time=consistent across each respective communication with a variance in the consistency of x-time

The result ( | table) I hope to get will look like this:
Count=number of beacons recorded
AvgTbB=Average Time between Beacons
MaxTbB=Maximum Time between Beacons
MinTbB=Minimum Time between Beacons

Source_IP, Dest_IP, Count, AvgTbB, MaxTbB, MinTbB,
10.1.2.3, 4.5.6.7, 89,7days6hrs5mins4sec, 5days6hrs7min8sec

Any assistance and/guidance on how to approach this is greatly appreciated

0 Karma
Reply

sundareshr
Legend
‎11-18-2015 07:46 PM

Here's a strawman to give you some ideas to explore

   (search to return only beacon events) | delta _time as TbB p=1 | stats avg(TbB) as AvgTbB max(TbB) as MaxTbB min(TbB) as MinTbB
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...