Splunk App for Enterprise Security · v7.3.0
DAY 11 LAB · LAB 11 — HUNT WITH ADVANCED SPL · week 2
Hunt beaconing with streamstats and eval — find periodic C2.
- Run the pre-loaded SPL on the Zeek conn log.
- Identify low-jitter, periodic outbound connections.
- Pivot: which user is on the source host?
Hint: jitter < 5 s with an average interval (avg_int) of 30-300 s is a textbook C2 beacon.
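The lab's pre-loaded search is not shown on this page. The query below is an added example of a beaconing hunt built the way the lab title describes, with streamstats to compute the gap to the previous connection per source/destination pair and eval/stats to derive the average interval and its jitter. It assumes Zeek conn data is indexed under the placeholder index `zeek` with sourcetype `zeek:conn` and CIM-style field names (`src_ip`, `dest_ip`, `dest_port`); the DNS exclusion and the minimum connection count of 10 are assumed noise-reduction choices, not values from the lab.

```spl
index=zeek sourcetype="zeek:conn" dest_port!=53
| sort 0 _time
| streamstats current=f last(_time) as prev_time by src_ip dest_ip dest_port
| eval delta = _time - prev_time
| where isnotnull(delta)
| stats count as conns avg(delta) as avg_int stdev(delta) as jitter by src_ip dest_ip dest_port
| where conns >= 10 AND jitter < 5 AND avg_int >= 30 AND avg_int <= 300
| eval avg_int = round(avg_int, 1), jitter = round(jitter, 2)
| sort -conns
```

The `where isnotnull(delta)` line drops the first connection of every pair, which has no predecessor and would otherwise skew the average. Jitter is measured as the standard deviation of the inter-connection gaps, so a tightly periodic beacon shows a small value even when the interval itself is long. For the pivot step, take the `src_ip` values the search returns to whatever identity or authentication data the lab provides, which is not shown on this page.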