Detecting Beacon Malware

Question: Use the “cobaltstrike_beacon” index and the “bro:http:json” sourcetype. What is the most straightforward Splunk command to pinpoint beaconing from the 10.0.10.20 source to the 192.168.151.181 destination? Answer format: One word

Am I missing something obvious here?

1 Like

Think of something related to time.

1 Like

Damasen, sorry to bother you. Have you got the answer to this question yet? I have been stuck on this question for weeks.

2 Likes

Time sounds like a good start, now think of visualizing - hint from discord

1 Like

I too struggled a bit to correctly interpret this question, but managed to solve it quite quickly with a bit of luck. The answer has to be chosen such that the following example query would give you a neat overview of the beacon frames if you replace <cmd> with the answer (the <cmd_opts> are not mandatory to make it work):

index="cobaltstrike_beacon" sourcetype="bro:http:json"
| search id.orig_h=10.0.10.20 id.resp_h=192.168.151.181
| <cmd> <cmd_opts> count
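An offline equivalent of the time-based approach above, as an added example that is not from this thread or the lab: it filters constructed bro:http:json lines for the source/destination pair, buckets them per span the way a `<cmd> count` over time does, and reports how regular the request gaps are. The sample log lines and the function names are assumptions.

```python
"""Bucket Zeek/Bro http JSON events per time span and measure regularity."""
import json
import statistics
from collections import Counter

# Constructed sample in bro:http:json shape (not real capture data):
# one host calling the same destination every 60 s, plus one noise event.
SAMPLE_LOG = "\n".join(
    json.dumps({"ts": 1700000100 + 60 * i, "id.orig_h": "10.0.10.20",
                "id.resp_h": "192.168.151.181", "method": "GET", "uri": "/x"})
    for i in range(10)
) + "\n" + json.dumps({"ts": 1700000105, "id.orig_h": "10.0.10.21",
                        "id.resp_h": "192.168.151.181", "method": "GET", "uri": "/"})

def select_pair(lines, orig_h, resp_h):
    """Equivalent of `search id.orig_h=... id.resp_h=...`: keep one flow pair."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("id.orig_h") == orig_h and ev.get("id.resp_h") == resp_h:
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def timechart_count(events, span):
    """Events per time bucket of `span` seconds, oldest bucket first."""
    buckets = Counter(int(e["ts"]) // span * span for e in events)
    return sorted(buckets.items())

def interval_stats(events):
    """Gaps between consecutive requests; near-zero spread is the beacon tell."""
    ts = [e["ts"] for e in events]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    return {"mean": statistics.mean(gaps),
            "stdev": statistics.pstdev(gaps), "n": len(gaps)}

if __name__ == "__main__":
    evs = select_pair(SAMPLE_LOG, "10.0.10.20", "192.168.151.181")
    for bucket, n in timechart_count(evs, 300):
        print(bucket, n)
    print(interval_stats(evs))
```

A flat count per bucket together with a gap standard deviation near zero is what the chart makes visible at a glance.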

Splunk wasn't available in my case, so I had to figure it out.

The answer is a word sometimes used in filtering. Just the word, starting with a capital letter, nothing else.

timechart

2 Likes