Hello
I am stuck on this exercise:
Use the “empire” index and the “bro:http:json” sourcetype. Identify beaconing activity by modifying the Splunk search of the “Detecting Beaconing Malware” section and enter the value of the “TimeInterval” field as your answer.
I was using this query:
index="cobaltstrike_beacon" sourcetype="bro:http:json"
| sort 0 _time
| streamstats current=f last(_time) as prevtime by src, dest, dest_port
| eval timedelta = _time - prevtime
| eventstats avg(timedelta) as avg, count as total by src, dest, dest_port
| eval upper=avg*1.1
| eval lower=avg*0.9
| where timedelta > lower AND timedelta < upper
| stats count, values(avg) as TimeInterval by src, dest, dest_port, total
| eval prcnt = (count/total)*100
| where prcnt > 90 AND total > 10
So I modified it to this:
index="empire" sourcetype="bro:http:json"
| sort 0 _time
| streamstats current=f last(_time) as prevtime by src, dest, dest_port
| eval timedelta = _time - prevtime
| eventstats avg(timedelta) as avg, count as total by src, dest, dest_port
| eval upper=avg*1.1
| eval lower=avg*0.9
| where timedelta > lower AND timedelta < upper
| stats count, values(avg) as TimeInterval by src, dest, dest_port, total
| eval prcnt = (count/total)*100
| where prcnt > 90 AND total > 10
But this doesn't work and I don't know why. The query is too complex for me to find the error.
Can someone help me?
Thanks
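To make the pipeline easier to follow stage by stage, here is the same beaconing logic rewritten in Python and run over a few constructed Zeek http.log JSON lines. This is an added example, not code from the original post or from the course material: the Zeek field names id.orig_h / id.resp_h / id.resp_p are assumed to be what Splunk's Zeek add-on aliases to src / dest / dest_port, the sample events are made up, and every comment names the SPL stage it mirrors (sort, streamstats, eventstats, the jitter band, stats, and the final where).

```python
"""Python mirror of the 'Detecting Beaconing Malware' SPL search.

Added example (not the course's or Splunk's own code). Runs the same
per-(src, dest, dest_port) timedelta logic over constructed bro:http:json
lines so each pipeline stage can be inspected.
Assumption: id.orig_h / id.resp_h / id.resp_p are the raw Zeek fields that
Splunk aliases to src / dest / dest_port.
"""
import json
from collections import defaultdict
from statistics import mean

BASE_TS = 1700000000.0  # arbitrary epoch start for the constructed sample


def _mk(src, dest, port, deltas):
    """Build constructed Zeek http.log JSON lines whose ts values are
    BASE_TS followed by the cumulative sum of `deltas` (seconds)."""
    ts, lines = BASE_TS, []
    for d in [0.0] + list(deltas):
        ts += d
        lines.append(json.dumps({"ts": ts, "id.orig_h": src, "id.resp_h": dest,
                                 "id.resp_p": port, "method": "GET", "uri": "/"}))
    return lines


# Constructed sample data (not a real capture):
# - 10.0.0.5 -> 203.0.113.10:80 checks in every ~60 s, 12 times (a beacon)
# - 10.0.0.5 -> 198.51.100.20:443 is a few irregular requests (browsing)
# - 10.0.0.7 -> 203.0.113.10:80 has enough events but no regular cadence
SAMPLE_LOG = (
    _mk("10.0.0.5", "203.0.113.10", 80, [60, 61, 59, 60, 62, 58, 60, 61, 59, 60, 60])
    + _mk("10.0.0.5", "198.51.100.20", 443, [5, 120, 3])
    + _mk("10.0.0.7", "203.0.113.10", 80, [5, 300, 12, 90, 7, 45, 600, 3, 20, 150, 10])
)


def detect_beacons(lines, jitter=0.10, min_pct=90.0, min_total=10):
    """Mirror of the SPL pipeline. Returns {(src, dest, dest_port): TimeInterval}
    for pairs whose inter-request gaps cluster within +/-jitter of their mean."""
    events = [json.loads(line) for line in lines]
    events.sort(key=lambda e: e["ts"])                          # | sort 0 _time
    by_pair = defaultdict(list)                                 # "by src, dest, dest_port"
    for e in events:
        by_pair[(e["id.orig_h"], e["id.resp_h"], e["id.resp_p"])].append(e["ts"])

    results = {}
    for pair, ts_list in by_pair.items():
        total = len(ts_list)                                    # eventstats count as total
        # streamstats current=f last(_time) as prevtime: the first event of a
        # pair has no prevtime, so its timedelta is null and the later
        # "where timedelta > lower" drops it. That is why count can be at
        # most total-1 and why total > 10 is needed for prcnt > 90 to be reachable.
        deltas = [t - p for p, t in zip(ts_list, ts_list[1:])]
        if not deltas:
            continue
        avg = mean(deltas)                                      # eventstats avg(timedelta) as avg
        lower, upper = avg * (1 - jitter), avg * (1 + jitter)   # eval lower / eval upper
        count = sum(1 for d in deltas if lower < d < upper)     # where ... | stats count
        prcnt = count / total * 100                             # eval prcnt
        if prcnt > min_pct and total > min_total:               # where prcnt > 90 AND total > 10
            results[pair] = avg                                 # values(avg) as TimeInterval
    return results


if __name__ == "__main__":
    for (src, dest, port), interval in detect_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dest}:{port}  TimeInterval={interval:.1f}s")
```

The jitter, percentage and minimum-count thresholds are parameters so you can see how the SPL constants (1.1 / 0.9, 90, 10) change what surfaces: widening the band or lowering prcnt makes the irregular 10.0.0.7 pair start to appear, which is the usual way to check whether a "no results" search is a data problem or a threshold problem.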