ml-beaconing-connections
Detect beaconing connections by analyzing session patterns.
Syntax
ml-beaconing-connections [schema=Schema] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] [duration=NUM{mon|w|d|h|m|s}] [threshold=Threshold]
Options
- schema=Schema
  - Optional. Schema name (default: session)
- from=yyyyMMddHHmmss
  - Optional. Start time (yyyyMMddHHmmss)
- to=yyyyMMddHHmmss
  - Optional. End time (yyyyMMddHHmmss)
- duration=NUM{mon|w|d|h|m|s}
  - Optional. Time duration (e.g., 1d, 1h)
- threshold=Threshold
  - Optional. Average interval threshold in seconds (default: 600)
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _table | String | Table | Table name. e.g. pfsession |
| src_ip | IP address | Source IP | Source IP address. e.g. 192.168.0.1 |
| dst_ip | IP address | Destination IP | Destination IP address. e.g. 8.8.8.8 |
| dst_port | Integer | Destination port | Destination port number. e.g. 443 |
| protocol | String | Protocol | Protocol. e.g. TCP, UDP, ICMP |
| app | String | Application | Application name. e.g. ssl, ms-netlogon, incomplete |
| count | Integer | Count | Number of sessions. e.g. 10 |
| stddev | Double | Standard deviation | Standard deviation of intervals. e.g. 5.2 |
| avg | Double | Average interval | Average interval between sessions in seconds. e.g. 600.5 |
| sent_bytes | Long | Sent bytes | Total bytes sent. e.g. 1024000 |
| rcvd_bytes | Long | Received bytes | Total bytes received. e.g. 2048000 |
| first_seen | Date | First seen | First session time. e.g. 2025-01-01 00:00:00 |
| last_seen | Date | Last seen | Last session time. e.g. 2025-01-01 01:00:00 |
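The following is an added illustration, not the command's own implementation, of the kind of computation behind the options and output fields above: session records are grouped per source, destination, port, protocol and application, the intervals between consecutive sessions give `count`, `avg` and `stddev`, and byte totals and first/last times are aggregated. It assumes that groups whose average interval exceeds `threshold` are dropped and that the `_time` field holds the session start; the sample sessions are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

FMT = "%Y-%m-%d %H:%M:%S"


def make_session(t, src, dst, port, app, sent, rcvd):
    """Constructed session record in the shape of the 'session' schema (assumed)."""
    return {"_table": "pfsession", "_time": t, "src_ip": src, "dst_ip": dst,
            "dst_port": port, "protocol": "TCP", "app": app,
            "sent_bytes": sent, "rcvd_bytes": rcvd}


# Constructed sample data, not real traffic: a host that contacts 8.8.8.8:443
# every 60 s, a host with irregular web browsing, and a one-off DNS session.
SESSIONS = [make_session(f"2025-01-01 00:{i:02d}:00", "192.168.0.1", "8.8.8.8",
                         443, "ssl", 512, 1024) for i in range(10)]
SESSIONS += [make_session(t, "192.168.0.2", "10.0.0.5", 80, "http", 3000, 90000)
             for t in ("2025-01-01 00:00:00", "2025-01-01 00:00:07", "2025-01-01 00:31:00")]
SESSIONS.append(make_session("2025-01-01 00:05:00", "192.168.0.3", "10.0.0.9",
                             53, "dns", 64, 128))


def beaconing_connections(sessions, threshold=600.0):
    """Group sessions per (table, src, dst, port, protocol, app) and report the
    groups whose average inter-session interval is at or below `threshold` seconds."""
    groups = defaultdict(list)
    for s in sessions:
        key = (s["_table"], s["src_ip"], s["dst_ip"], s["dst_port"], s["protocol"], s["app"])
        groups[key].append(s)
    results = []
    for key, rows in groups.items():
        times = sorted(datetime.strptime(r["_time"], FMT) for r in rows)
        if len(times) < 2:          # no interval can be computed from a single session
            continue
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg > threshold:         # too infrequent to be reported as a beacon candidate
            continue
        results.append({
            "_table": key[0], "src_ip": key[1], "dst_ip": key[2], "dst_port": key[3],
            "protocol": key[4], "app": key[5], "count": len(rows),
            "stddev": pstdev(intervals), "avg": avg,
            "sent_bytes": sum(r["sent_bytes"] for r in rows),
            "rcvd_bytes": sum(r["rcvd_bytes"] for r in rows),
            "first_seen": times[0], "last_seen": times[-1],
        })
    # lowest jitter first: a near-constant interval is the strongest beaconing signal
    return sorted(results, key=lambda r: r["stddev"])
```

With the constructed data only the 192.168.0.1 to 8.8.8.8:443 group survives (count 10, avg 60, stddev 0); the browsing host averages 900 s between sessions and the single DNS session yields no interval.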