# Splunk SPL — Basic Search
index=windows_events EventCode=4625 | table _time, src_ip, user, FailureReason | sort -_time

# Count failed logins per user — last 24h
index=windows_events earliest=-24h EventCode=4625
| stats count as failed_logins by user
| where failed_logins > 20
| sort -failed_logins

# זיהוי Beaconing — connection בintervall קבוע
index=network_logs
| bucket _time span=5m
| stats count by _time, src_ip, dest_ip, dest_port
| streamstats avg(count) as avg_count stdev(count) as stdev_count by src_ip, dest_ip, dest_port
| where stdev_count < 2  # deviation נמוכה = regular interval = beaconing
| sort -count

SIEM — Splunk, ELK, Microsoft Sentinel

SIEM — Splunk, ELK, Microsoft Sentinel

SIEM — Splunk, ELK, Microsoft Sentinel