Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to identify beacon activity

leotoa
New Member
‎11-18-2015 04:47 PM

Hello all,

I've recently observed activity that smells like beaconing. After trying to modify the searches provided within Splunk Documentation et al, I'd like to pose the following:

My example:
I want to identify any outbound activity (source_ip=10.etc or 198.162.etc) where the protocol=dns(or other), and the time between any beacon communications is _time-prev_time=consistent across each respective communication with a variance in the consistency of x-time

The result ( | table) I hope to get will look like this:
Count=number of beacons recorded
AvgTbB=Average Time between Beacons
MaxTbB=Maximum Time between Beacons
MinTbB=Minimum Time between Beacons

Source_IP, Dest_IP, Count, AvgTbB, MaxTbB, MinTbB,
10.1.2.3, 4.5.6.7, 89,7days6hrs5mins4sec, 5days6hrs7min8sec

Any assistance and/guidance on how to approach this is greatly appreciated

0 Karma
Reply

sundareshr
Legend
‎11-18-2015 07:46 PM

Here's a strawman to give you some ideas to explore

   (search to return only beacon events) | delta _time as TbB p=1 | stats avg(TbB) as AvgTbB max(TbB) as MaxTbB min(TbB) as MinTbB
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...