From d80ae43b41a7e338b6a0a131e94dda3776a85e15 Mon Sep 17 00:00:00 2001 From: Alex Teixeira Date: Mon, 26 Jun 2017 21:30:04 +0100 Subject: [PATCH] Pure SPL code using stats/streamstats/eventstats --- hunts/beacon_detection_via_intra_request_time_deltas.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hunts/beacon_detection_via_intra_request_time_deltas.md b/hunts/beacon_detection_via_intra_request_time_deltas.md index 4d9c111..d99e6ac 100644 --- a/hunts/beacon_detection_via_intra_request_time_deltas.md +++ b/hunts/beacon_detection_via_intra_request_time_deltas.md @@ -20,3 +20,5 @@ Malware C2 often utilizes regular request intervals ("beacons") to maintain cont - [Detecting Malware Beacons Using Splunk](http://pleasefeedthegeek.wordpress.com/2012/12/20/detecting-malware-beacons-using-splunk/) - [Tweet by @jackcr](https://twitter.com/jackcr/status/747786867093946368) + +- [How to (systematically) detect beaconing traffic with Splunk?](https://github.com/inodee/threathunting-spl/blob/master/hunt-queries/Detecting_Beaconing.md)
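Review bot: The empty `+` line ahead of the new bullet at the end of the hunk separates it from the two existing reference bullets, which sit on consecutive lines. A blank line between list items changes how Markdown renderers space the list, so drop it and let the new entry continue the same tight list. The new link also targets `blob/master`, which moves with the branch. A commit permalink would keep the reference pointing at the query as it stood when this entry was added. Finally, the subject line names stats/streamstats/eventstats but the link text does not, so consider saying in the bullet that the linked page is a pure SPL approach. That tells readers how it differs from the two references already listed.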