DETECTING WINDOWS ATTACKS WITH SPLUNK - Skills Assessment

Hello

I am stuck in this exercise:

Use the “empire” index and the “bro:http:json” sourcetype. Identify beaconing activity by modifying the Splunk search of the “Detecting Beaconing Malware” section and enter the value of the “TimeInterval” field as your answer.

I was using this query:

index="cobaltstrike_beacon" sourcetype="bro:http:json"
| sort 0 _time
| streamstats current=f last(_time) as prevtime by src, dest, dest_port
| eval timedelta = _time - prevtime
| eventstats avg(timedelta) as avg, count as total by src, dest, dest_port
| eval upper=avg*1.1
| eval lower=avg*0.9
| where timedelta > lower AND timedelta < upper
| stats count, values(avg) as TimeInterval by src, dest, dest_port, total
| eval prcnt = (count/total)*100
| where prcnt > 90 AND total > 10

So I modified it to this:

index="empire" sourcetype="bro:http:json"
| sort 0 _time
| streamstats current=f last(_time) as prevtime by src, dest, dest_port
| eval timedelta = _time - prevtime
| eventstats avg(timedelta) as avg, count as total by src, dest, dest_port
| eval upper=avg*1.1
| eval lower=avg*0.9
| where timedelta > lower AND timedelta < upper
| stats count, values(avg) as TimeInterval by src, dest, dest_port, total
| eval prcnt = (count/total)*100
| where prcnt > 90 AND total > 10

But this doesn't work and I don't know why. The query is very complex, so it is hard for me to understand the error.

Can someone help me?

Thanks

Take away the ‘where’ clauses of that statement and then try again

Yes. I resolved it some days ago like that.
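For anyone who wants to see what the beaconing query above actually computes before loosening its "where" thresholds, here is the same heuristic re-implemented in Python over Zeek http.log JSON lines. This is an added example, not code from the thread or from the HTB module; it assumes the native Zeek field names id.orig_h / id.resp_h / id.resp_p (which the Splunk add-on aliases to src / dest / dest_port) and uses constructed sample events, not real data.

```python
import json
from statistics import mean
from collections import defaultdict

# Constructed Zeek http.log JSON lines (not real traffic): 10.0.0.5 beacons to
# 203.0.113.7:80 roughly every 60 s; 10.0.0.9 browses 198.51.100.3 irregularly.
BEACON_OFFSETS = [0, 59, 121, 180, 242, 299, 361, 420, 478, 541, 600, 660]
BROWSE_OFFSETS = [0, 5, 300, 301]
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": 1700000000 + o, "id.orig_h": "10.0.0.5",
                 "id.resp_h": "203.0.113.7", "id.resp_p": 80}) for o in BEACON_OFFSETS]
    + [json.dumps({"ts": 1700000000 + o, "id.orig_h": "10.0.0.9",
                   "id.resp_h": "198.51.100.3", "id.resp_p": 80}) for o in BROWSE_OFFSETS]
)


def detect_beacons(log_text, tolerance=0.1, min_pct=90.0, min_total=10):
    """Mirror of the SPL pipeline: group by src/dest/dest_port, take the gap to
    the previous event (streamstats), the average gap and event count
    (eventstats), then keep pairs whose gaps fall within +/-10% of the average
    for more than 90% of events and that have more than 10 events.
    Returns {(src, dest, dest_port): TimeInterval} for the flagged pairs."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        groups[(ev["id.orig_h"], ev["id.resp_h"], ev["id.resp_p"])].append(float(ev["ts"]))

    flagged = {}
    for key, times in groups.items():
        times.sort()                      # | sort 0 _time
        total = len(times)                # count as total: includes the first event,
                                          # whose timedelta is null, exactly as in SPL
        deltas = [b - a for a, b in zip(times, times[1:])]  # streamstats + eval timedelta
        if not deltas:
            continue
        avg = mean(deltas)                # eventstats avg(timedelta) as avg
        lower, upper = avg * (1 - tolerance), avg * (1 + tolerance)
        count = sum(1 for d in deltas if lower < d < upper)  # where ... | stats count
        prcnt = count / total * 100       # eval prcnt
        if prcnt > min_pct and total > min_total:
            flagged[key] = avg            # values(avg) as TimeInterval
    return flagged
```

Because total counts the first event of each pair while its gap is null, a pair can never score 100%, which is why a small or jittery dataset silently drops out of the final "where" and the thresholds are the first thing to relax when debugging.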