ml-beacon-sessions
Fetch session logs for detected beaconing connections.
Syntax
ml-beacon-sessions [schema=Schema] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] [duration=NUM{mon|w|d|h|m|s}] [threshold=Threshold]
Options
- schema=Schema: Optional. Schema name (default: session)
- from=yyyyMMddHHmmss: Optional. Start time, in yyyyMMddHHmmss form
- to=yyyyMMddHHmmss: Optional. End time, in yyyyMMddHHmmss form
- duration=NUM{mon|w|d|h|m|s}: Optional. Time span covered by the query (e.g., 1d, 1h)
- threshold=Threshold: Optional. Threshold on the average interval between sessions, in seconds (default: 600)
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Time | Session time. e.g. 2025-01-01 00:00:00 |
| _table | String | Table | Table name. e.g. pfsession |
| log_type | String | Log type | Log type. e.g. session |
| subtype | String | Subtype | Log subtype. e.g. start, end |
| session_id | Long | Session ID | Session identifier. e.g. 123456 |
| src_ip | IP address | Source IP | Source IP address. e.g. 192.168.0.1 |
| src_port | Integer | Source port | Source port number. e.g. 54321 |
| dst_ip | IP address | Destination IP | Destination IP address. e.g. 8.8.8.8 |
| dst_port | Integer | Destination port | Destination port number. e.g. 443 |
| protocol | String | Protocol | Protocol. e.g. TCP, UDP, ICMP |
| app | String | Application | Application name. e.g. ssl, ms-netlogon, incomplete |
| policy | String | Policy | Policy name. e.g. allow-internet |
| action | String | Action | Action taken. e.g. allow, deny |
| end_reason | String | End reason | Session end reason. e.g. aged-out, tcp-rst-from-client, tcp-rst-from-server |
| reason | String | Reason | Reason. e.g. policy-deny |
| src_zone | String | Source zone | Source zone. e.g. untrust, intranet |
| dst_zone | String | Destination zone | Destination zone. e.g. untrust, intranet |
| nat_src_ip | IP address | NAT source IP | NAT source IP. e.g. 203.0.113.1 |
| nat_src_port | Integer | NAT source port | NAT source port. e.g. 12345 |
| nat_dst_ip | IP address | NAT destination IP | NAT destination IP. e.g. 8.8.8.8 |
| nat_dst_port | Integer | NAT destination port | NAT destination port. e.g. 443 |
| total_bytes | Long | Total bytes | Total bytes transferred. e.g. 3072000 |
| sent_bytes | Long | Sent bytes | Bytes sent. e.g. 1024000 |
| rcvd_bytes | Long | Received bytes | Bytes received. e.g. 2048000 |
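The following is an added illustration, not the product's own detector, of what the threshold option and the output table above mean in practice: records shaped like the output fields are grouped by (src_ip, dst_ip, dst_port), the intervals between consecutive sessions are computed, and pairs whose average interval is at or below the threshold are selected, after which their session logs are returned. The jitter check (coefficient of variation of the intervals), the minimum session count, and the inclusive-start/exclusive-end window are assumptions made here; the sample rows are constructed, not real logs.

```python
"""Added illustration (not the product's own detector): score connection
pairs by the regularity of their session intervals, then fetch the session
rows behind the pairs that qualify.  The jitter rule (coefficient of
variation <= max_cv), min_sessions, and the half-open time window are
assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

TIME_FMT = "%Y%m%d%H%M%S"  # the yyyyMMddHHmmss form used by from= / to=


def parse_ts(value):
    """Parse a yyyyMMddHHmmss string as used by from= and to=."""
    return datetime.strptime(value, TIME_FMT)


def sample_sessions():
    """Constructed sample session rows (not real logs).  Field names mirror
    the command's output table; only the fields the detector reads matter."""
    base = datetime(2025, 1, 1, 0, 0, 0)

    def row(t, src, dst, port, app):
        return {"_time": t, "_table": "pfsession", "log_type": "session",
                "subtype": "end", "src_ip": src, "dst_ip": dst,
                "dst_port": port, "protocol": "TCP", "app": app,
                "action": "allow"}

    rows = []
    # 10.0.0.5 -> 203.0.113.10:443 every 300 s with a few seconds of jitter
    for i, j in enumerate([0, 3, -2, 5, -4, 1, 0, -3, 2, 4]):
        rows.append(row(base + timedelta(seconds=300 * i + j),
                        "10.0.0.5", "203.0.113.10", 443, "ssl"))
    # 10.0.0.7 -> same host at irregular intervals (interactive browsing)
    for s in [0, 40, 900, 950, 2500, 2530, 7000]:
        rows.append(row(base + timedelta(seconds=s),
                        "10.0.0.7", "203.0.113.10", 443, "ssl"))
    # 10.0.0.9 -> 198.51.100.20:53 exactly every 1800 s (above default threshold)
    for i in range(6):
        rows.append(row(base + timedelta(seconds=1800 * i),
                        "10.0.0.9", "198.51.100.20", 53, "dns"))
    return rows


def _in_window(r, from_ts, to_ts):
    """from_ts inclusive, to_ts exclusive (assumption for this example)."""
    if from_ts is not None and r["_time"] < from_ts:
        return False
    if to_ts is not None and r["_time"] >= to_ts:
        return False
    return True


def find_beacons(rows, threshold=600, from_ts=None, to_ts=None,
                 min_sessions=5, max_cv=0.2):
    """One summary per (src_ip, dst_ip, dst_port) whose mean inter-session
    interval is <= threshold seconds and whose intervals show little jitter."""
    by_pair = defaultdict(list)
    for r in rows:
        if _in_window(r, from_ts, to_ts):
            by_pair[(r["src_ip"], r["dst_ip"], r["dst_port"])].append(r["_time"])

    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_sessions:
            continue  # too few points to call it a rhythm
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if avg <= threshold and cv <= max_cv:
            hits.append({"src_ip": src, "dst_ip": dst, "dst_port": port,
                         "sessions": len(times),
                         "avg_interval": round(avg, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["avg_interval"])


def beacon_sessions(rows, threshold=600, from_ts=None, to_ts=None):
    """Fetch the session rows behind each detected beaconing pair, i.e. the
    kind of records the command's output table describes."""
    keys = {(h["src_ip"], h["dst_ip"], h["dst_port"])
            for h in find_beacons(rows, threshold, from_ts, to_ts)}
    return [r for r in rows
            if _in_window(r, from_ts, to_ts)
            and (r["src_ip"], r["dst_ip"], r["dst_port"]) in keys]


if __name__ == "__main__":
    data = sample_sessions()
    window = dict(from_ts=parse_ts("20250101000000"),
                  to_ts=parse_ts("20250102000000"))
    for h in find_beacons(data, threshold=600, **window):
        print(h)
    print(len(beacon_sessions(data, **window)), "session rows for detected beacons")
```

With the default threshold only the 300-second pair is returned; raising threshold to 1800 also admits the half-hourly DNS poller, while the irregular browsing pair fails the jitter check at any threshold. That is the trade-off the threshold option controls: a higher value catches slower check-ins at the cost of more scheduled, benign traffic to triage.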