Hunting in the Noise: Advanced Splunk Queries
AUTHOR: Nick Southern | CLASS: Unclassified
// THE OBJECTIVE
Most SOCs rely on static correlation rules (“If X happens 5 times, fire alert”). Sophisticated actors know these rules and fly just below the radar. To catch them, we don’t wait for an alert; we Hunt.
// SCENARIO 1: DETECTING C2 BEACONING
Command & Control (C2) traffic often looks like regular web browsing. However, automated beacons have a “heartbeat”—a mathematical regularity that human browsing lacks.
The Query (Standard Deviation Analysis):
index=<proxy_or_firewall_index>
| sort 0 src_ip dest_ip _time
| streamstats current=f window=5 last(_time) as last_time by src_ip dest_ip
| eval gap = _time - last_time
| stats avg(gap) as avg_gap, stdev(gap) as stdev_gap, count by src_ip, dest_ip
| where count > 50 AND stdev_gap < 5
| sort stdev_gap asc
Analysis: We are looking for high connection counts with a very low standard deviation in the time gaps (in seconds) between successive connections of the same source/destination pair. Humans are messy; scripts are precise. If `stdev_gap` is near zero, it’s a machine talking.
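The same gap-regularity test, as an added Python illustration that is not part of the original post, run over constructed traffic for one scripted beacon and one human browsing session. It mirrors the SPL pipeline (chronological sort per pair, gap to the previous connection, then count/avg/sample stdev) and uses the same count > 50 and stdev < 5 thresholds; the IPs and timings are made up.

```python
import random
import statistics
from collections import defaultdict


def build_sample_events(seed=7):
    """Constructed sample traffic as (epoch_seconds, src_ip, dest_ip); not real data."""
    rng = random.Random(seed)
    events = []
    # Scripted beacon: 60 check-ins ~300 s apart with +/-2 s jitter
    t = 1_700_000_000
    for _ in range(60):
        t += 300 + rng.uniform(-2, 2)
        events.append((t, "10.0.0.5", "203.0.113.7"))
    # Human browsing: 60 requests with bursty, irregular gaps
    t = 1_700_000_000
    for _ in range(60):
        t += rng.choice([1, 3, 8, 45, 120, 900, 1800]) + rng.uniform(0, 10)
        events.append((t, "10.0.0.9", "198.51.100.22"))
    rng.shuffle(events)  # arrive out of order, as raw search results do
    return events


def pair_gap_stats(events):
    """Equivalent of sort + streamstats last(_time) + stats avg/stdev/count."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    results = {}
    for pair, times in by_pair.items():
        times.sort()  # Splunk returns newest first; gaps must be taken in ascending order
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue  # sample stdev is undefined for fewer than two gaps
        results[pair] = {"count": len(times),
                         "avg_gap": statistics.mean(gaps),
                         "stdev_gap": statistics.stdev(gaps)}  # sample stdev, like SPL stdev()
    return results


def find_beacons(events, min_count=50, max_stdev=5.0):
    """Pairs with many connections and near-constant spacing, lowest stdev first."""
    hits = [(p, s) for p, s in pair_gap_stats(events).items()
            if s["count"] > min_count and s["stdev_gap"] < max_stdev]
    return sorted(hits, key=lambda ps: ps[1]["stdev_gap"])
```

Running `find_beacons(build_sample_events())` returns only the 10.0.0.5 to 203.0.113.7 pair; the human session has the same count but a gap stdev in the hundreds of seconds.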
// SCENARIO 2: LATERAL MOVEMENT (WIN EVENTS)
Once inside, an attacker needs to move. They often use standard admin tools (PsExec, WMI) to jump between hosts. We hunt for “anomalous logins” using Windows Event Code 4624 with Logon Type 3 (network logon).
The Query (Rare Relationship Hunting):
index=<wineventlog_index> EventCode=4624 Logon_Type=3
| stats count, latest(_time) as last_seen by src_ip, dest_ip, user
| eventstats sum(count) as total_logins by user
| eval rarity = count / total_logins
| where rarity < 0.01
| table last_seen, user, src_ip, dest_ip, rarity
Analysis: This query ignores the “noisy” normal traffic (admins logging into their usual servers) and surfaces the rare connections that fall below the 0.01 rarity threshold: an admin account touching a machine it has rarely, if ever, touched before. Note that rarity is relative to each user’s own login volume, so a low-activity account with only a handful of logons will not fall below the threshold even when every one of them is new.
SPL is not just a query language; it is an investigation framework. By using statistical analysis (`stdev`, `eventstats`) rather than simple string matching, we uncover the threats that are built to stay below the alerting thresholds.