analyst security skill risk: medium

Zeek Conn.log Beaconing Pattern Detector

Loads Zeek conn.log data with ZAT, groups connections by source/destination pairs, computes inter-arrival intervals, and flags low-variation pairs as potential C2 beacons using Pyt…

Policy sensitive
Human review

SKILL 4 files · 2 folders

SKILL.md

Download

---
name: detecting-beaconing-patterns-with-zeek
description: "Performs statistical analysis of Zeek conn.log connection intervals to detect C2 beaconing patterns. Uses the"
---
# Detecting Beaconing Patterns with Zeek


## When to Use

- When investigating security incidents that require detecting beaconing patterns with zeek
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

Load Zeek conn.log data using ZAT (Zeek Analysis Tools), group connections by
source/destination pairs, and compute timing statistics to identify beaconing.

```python
from zat.log_to_dataframe import LogToDataFrame
import numpy as np

log_to_df = LogToDataFrame()
conn_df = log_to_df.create_dataframe('/path/to/conn.log')

# Group by src/dst pair and calculate inter-arrival time
for (src, dst), group in conn_df.groupby(['id.orig_h', 'id.resp_h']):
    times = group['ts'].sort_values()
    intervals = times.diff().dt.total_seconds().dropna()
    if len(intervals) > 10:
        std_dev = np.std(intervals)
        mean_interval = np.mean(intervals)
        # Low std_dev relative to mean = likely beaconing
```

Key analysis steps:
1. Parse Zeek conn.log into DataFrame with ZAT LogToDataFrame
2. Group connections by source IP and destination IP pairs
3. Calculate inter-arrival time intervals between consecutive connections
4. Compute standard deviation and coefficient of variation
5. Flag pairs with low coefficient of variation as potential beacons

## Examples

```python
from zat.log_to_dataframe import LogToDataFrame
log_to_df = LogToDataFrame()
df = log_to_df.create_dataframe('conn.log')
print(df[['id.orig_h', 'id.resp_h', 'ts', 'duration']].head())
```

REQUIRED CONTEXT

path to Zeek conn.log file

OPTIONAL CONTEXT

Python environment with ZAT and numpy

EXPECTED OUTPUT

Format

markdown

Constraints

include code examples
list numbered analysis steps
provide when-to-use guidance

EXAMPLES

Includes two Python code snippets demonstrating ZAT usage for loading conn.log and inspecting a dataframe.

CAVEATS

Dependencies

Requires Zeek conn.log file path
Requires Python 3.8+ with ZAT installed

Missing context

Exact coefficient-of-variation or std-dev threshold for flagging
Output format (table, JSON, alert list, etc.)
Handling of large log files or memory constraints

Ambiguities

Description text is truncated: "Uses the"
No explicit threshold or formula given for "low coefficient of variation"
Does not specify desired output format or report structure

QUALITY

OVERALL: 0.68
CLARITY: 0.75
SPECIFICITY: 0.65
REUSABILITY: 0.70
COMPLETENESS: 0.60

IMPROVEMENT SUGGESTIONS

Add a clear success criterion such as "flag if coefficient of variation < 0.3 and connection count > 20"
Specify required output schema or example report format
Include error handling or fallback when ZAT fails to parse the log

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.