I’m reposting a query I stumbled upon in a blog here. The description states that it can be used to detect malware reporting out to the web. Check out the article; it’s a decent read.
search.goes.here | convert mktime(_time) as epoch | sort 0 uri_host,client_ip,epoch | delta epoch as epoch_delta | search epoch_delta>0 epoch_delta<30 | chart count over epoch_delta by uri_host
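To make the mechanics of that search concrete, here is an added Python example (not from the original post or the linked blog) that runs the same logic over a handful of constructed proxy-style log lines: sort by uri_host, client_ip and time, take the delta between consecutive requests, keep 0 < delta < 30, and count each delta value per uri_host. The host names, IPs and log format are invented for the example. One difference from the SPL is deliberate: the deltas here are computed within each (uri_host, client_ip) pair, whereas Splunk's delta command does not reset at group boundaries, so in the original search the first event of each new host/client pair carries a delta against the previous pair's last event (the epoch_delta>0 filter hides some, but not all, of those).

```python
"""Beacon-interval histogram over proxy log lines, mirroring the posted SPL:
sort by uri_host, client_ip, time; delta between consecutive requests;
keep 0 < delta < 30; count deltas per uri_host."""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from itertools import groupby

# Constructed sample log (hypothetical hosts and IPs, not real traffic).
# Format: "<ISO-8601 UTC time> <client_ip> <uri_host>"
SAMPLE_LOG = """\
2012-12-20T10:00:00Z 10.0.0.5 evil.example
2012-12-20T10:00:10Z 10.0.0.5 evil.example
2012-12-20T10:00:20Z 10.0.0.5 evil.example
2012-12-20T10:00:30Z 10.0.0.5 evil.example
2012-12-20T10:00:40Z 10.0.0.5 evil.example
2012-12-20T10:00:03Z 10.0.0.7 www.example.org
2012-12-20T10:00:04Z 10.0.0.7 www.example.org
2012-12-20T10:02:00Z 10.0.0.7 www.example.org
2012-12-20T10:00:12Z 10.0.0.7 evil.example
2012-12-20T10:00:22Z 10.0.0.7 evil.example
"""


def parse_line(line):
    """Return (uri_host, client_ip, epoch_seconds) for one log line."""
    ts, client_ip, uri_host = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return uri_host, client_ip, int(when.timestamp())


def interval_counts(log_text, max_delta=30):
    """Per uri_host, count how often each inter-request interval (seconds) occurs.

    Equivalent of: sort 0 uri_host,client_ip,epoch | delta epoch as epoch_delta
    | search epoch_delta>0 epoch_delta<30 | chart count over epoch_delta by uri_host,
    except that the delta is reset for every (uri_host, client_ip) pair so no
    interval is ever measured between two different clients or hosts.
    """
    rows = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    counts = defaultdict(Counter)
    for (host, _ip), group in groupby(rows, key=lambda r: (r[0], r[1])):
        epochs = [r[2] for r in group]
        for prev, cur in zip(epochs, epochs[1:]):
            delta = cur - prev
            if 0 < delta < max_delta:
                counts[host][delta] += 1
    return dict(counts)


def beacon_candidates(counts, min_hits=3):
    """Hosts where a single interval value repeats at least min_hits times.

    A fixed repeating interval is the 'beacon' shape the search is looking for;
    ordinary browsing produces a spread of small, irregular deltas instead.
    """
    out = {}
    for host, c in counts.items():
        delta, n = c.most_common(1)[0]
        if n >= min_hits:
            out[host] = delta
    return out


if __name__ == "__main__":
    counts = interval_counts(SAMPLE_LOG)
    for host, c in sorted(counts.items()):
        print(host, dict(sorted(c.items())))
    print("candidates:", beacon_candidates(counts))
```

On the sample data the invented host evil.example shows five hits at a 10-second interval (from two clients), while www.example.org shows one 1-second delta and one delta that is discarded by the 30-second cap; only evil.example survives the min_hits threshold. The threshold and the 30-second cap are the knobs you would tune against your own proxy volume, and a beacon with jitter or an interval above the cap will not show up in this histogram at all.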
What time range would you typically use with this search?
When I posted this, I got it from here:
https://pleasefeedthegeek.wordpress.com/2012/12/20/detecting-malware-beacons-using-splunk/
Never tested it, but thought it was a pretty interesting idea!