Automating Threat Hunting Queries
Lesson 9 of 10
The Scenario
You suspect a compromised host is beaconing out to a C2 server. The traffic is encrypted (HTTPS), so you cannot see the payload. But you can look for the pattern: regular intervals, consistent byte sizes, connections to uncommon domains. You need SIEM queries to hunt for this — AI writes them.
The Prompt
I suspect C2 beaconing activity in my network. Write threat hunting queries for Splunk that detect:
1. BEACONING: Any internal host making HTTPS connections to the same external IP at regular intervals (every 30-120 seconds) over the past 24 hours
2. DNS TUNNELING: Unusually long DNS query names (>50 chars) or high volume of DNS queries to a single domain
3. DATA EXFILTRATION: Any host sending more than 500MB to a single external IP in 24 hours
4. LATERAL MOVEMENT: RDP (3389) or SMB (445) connections between hosts that do not normally communicate
5. PERSISTENCE: New scheduled tasks or services created on any host (Windows event logs)
My environment:
- Firewall logs in index=firewall
- DNS logs in index=dns
- Windows events in index=wineventlog
- Proxy logs in index=proxy
What AI Gives You
Five ready-to-run Splunk queries, each with:
- The SPL query
- What to look for in the results
- How to filter out false positives (e.g., known update servers, CDNs)
- Next steps if you find a match
Review and Validate
- Beaconing detection generates false positives — Windows Update, AV updates, and NTP all beacon. Build a whitelist
- 500MB threshold for exfil may be too high or low for your network — baseline first
- Run queries in a limited time window first to check performance before querying 24 hours
Try It Yourself
Run query #1 (beaconing) against your last 4 hours of firewall data. You will likely find a few hits. Investigate each — most will be legitimate, but the exercise builds the skill.
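Query #1 is the one most worth understanding before you run it, because the interval-and-size pattern is what the SPL has to express and what the whitelist has to prune. The following Python is an added example, not part of this lesson and not code the AI produced: it implements the same beaconing heuristic (same destination, mean interval between 30 and 120 seconds, low jitter, consistent bytes_out) over a handful of constructed key=value firewall lines and then applies the whitelist that the Review and Validate notes call for. The field names (ts, src, dst, dport, bytes_out), the jitter and size thresholds, the 203.0.113.x/198.51.100.x addresses and the "known update server" entry are all assumptions of this example; your firewall's field names will differ.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Thresholds. The 30-120 second window comes from the hunt prompt; the two
# spread limits are assumptions of this example, tune them after baselining.
MIN_CONNECTIONS = 5
MIN_INTERVAL = 30.0      # seconds
MAX_INTERVAL = 120.0     # seconds
MAX_JITTER = 0.2         # pstdev/mean of the gaps between connections
MAX_SIZE_SPREAD = 0.2    # pstdev/mean of bytes_out per connection

# Constructed sample firewall lines (not from any real environment).
# 10.0.0.5  -> 203.0.113.10 : six HTTPS hits exactly 60 s apart, ~1200 bytes each
# 10.0.0.7  -> 198.51.100.20: five hits, mean gap 60 s but wildly irregular
# 10.0.0.9  -> 203.0.113.50 : five hits 90 s apart, a known update server
# 10.0.0.11 -> 198.51.100.9 : two hits only; 10.0.0.5 also makes one port-80 call
SAMPLE_LOGS = """\
ts=2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 bytes_out=1200
ts=2024-05-01T10:01:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 bytes_out=1210
ts=2024-05-01T10:02:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 bytes_out=1190
ts=2024-05-01T10:03:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 bytes_out=1205
ts=2024-05-01T10:04:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 bytes_out=1195
ts=2024-05-01T10:05:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 bytes_out=1200
ts=2024-05-01T10:00:30Z src=10.0.0.5 dst=198.51.100.80 dport=80 bytes_out=300
ts=2024-05-01T10:00:00Z src=10.0.0.7 dst=198.51.100.20 dport=443 bytes_out=540
ts=2024-05-01T10:00:10Z src=10.0.0.7 dst=198.51.100.20 dport=443 bytes_out=9800
ts=2024-05-01T10:02:00Z src=10.0.0.7 dst=198.51.100.20 dport=443 bytes_out=2300
ts=2024-05-01T10:02:45Z src=10.0.0.7 dst=198.51.100.20 dport=443 bytes_out=15000
ts=2024-05-01T10:04:00Z src=10.0.0.7 dst=198.51.100.20 dport=443 bytes_out=620
ts=2024-05-01T10:00:00Z src=10.0.0.9 dst=203.0.113.50 dport=443 bytes_out=800
ts=2024-05-01T10:01:30Z src=10.0.0.9 dst=203.0.113.50 dport=443 bytes_out=810
ts=2024-05-01T10:03:00Z src=10.0.0.9 dst=203.0.113.50 dport=443 bytes_out=790
ts=2024-05-01T10:04:30Z src=10.0.0.9 dst=203.0.113.50 dport=443 bytes_out=805
ts=2024-05-01T10:06:00Z src=10.0.0.9 dst=203.0.113.50 dport=443 bytes_out=800
ts=2024-05-01T10:00:00Z src=10.0.0.11 dst=198.51.100.9 dport=443 bytes_out=400
ts=2024-05-01T10:01:00Z src=10.0.0.11 dst=198.51.100.9 dport=443 bytes_out=400
"""

# Constructed whitelist: destinations that legitimately beacon (update servers,
# AV, NTP). In practice this list is built from your own baseline.
KNOWN_UPDATE_SERVERS = frozenset({"203.0.113.50"})


def parse_line(line):
    """Turn one key=value log line into a dict with typed fields."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    return {
        "ts": datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "bytes_out": int(fields["bytes_out"]),
    }


def find_beacons(log_text, allowlist=frozenset(), min_conns=MIN_CONNECTIONS,
                 min_interval=MIN_INTERVAL, max_interval=MAX_INTERVAL,
                 max_jitter=MAX_JITTER, max_size_spread=MAX_SIZE_SPREAD):
    """Group HTTPS connections per (src, dst) and flag regular, same-size series."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] != 443 or rec["dst"] in allowlist:
            continue
        sessions[(rec["src"], rec["dst"])].append(rec)

    hits = []
    for (src, dst), recs in sessions.items():
        if len(recs) < min_conns:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        sizes = [r["bytes_out"] for r in recs]
        mean_gap, mean_size = mean(gaps), mean(sizes)
        if mean_size == 0 or not (min_interval <= mean_gap <= max_interval):
            continue
        jitter = pstdev(gaps) / mean_gap          # 0.0 means perfectly periodic
        size_spread = pstdev(sizes) / mean_size   # small means same-sized requests
        if jitter <= max_jitter and size_spread <= max_size_spread:
            hits.append({"src": src, "dst": dst, "connections": len(recs),
                         "mean_interval_s": round(mean_gap, 1),
                         "jitter": round(jitter, 3),
                         "size_spread": round(size_spread, 3)})
    return sorted(hits, key=lambda h: (h["jitter"], h["size_spread"]))


if __name__ == "__main__":
    print("Without whitelist:", find_beacons(SAMPLE_LOGS))
    print("With whitelist:   ", find_beacons(SAMPLE_LOGS, allowlist=KNOWN_UPDATE_SERVERS))
```

Run without the whitelist and both the 60 s series and the 90 s update-server series are flagged, which is exactly the Windows Update / AV / NTP noise the Review and Validate section warns about; run with it and only 10.0.0.5 -> 203.0.113.10 remains. The irregular browsing session to 198.51.100.20 has a mean gap inside the window but a jitter above 0.6, so the spread check, not the interval window, is what separates it from a beacon. In Splunk the same idea is a `stats` by src/dst over `_time` deltas; start it on a 4-hour window, as the exercise says, before widening to 24 hours.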