Splunk Enterprise Security

Help with Suspect IP hits to my web.

satyaallaparthi
Path Finder

Hello,
I have WEB IIS Logs.

We have IP addresses in the web logs and want to know when web hits come from suspect IPs.

I want to check our web data model events against known bad_IP addresses.

Does anyone know where we can get a list of IP addresses from known bad actors (bots, hackers, etc.), and how to ingest it into Splunk and check against it?

Any help would be appreciated!

Thanks,

0 Karma
1 Solution

satyaallaparthi
Path Finder

Hello,

Do you have any idea about the threat feed data, and to which index that data will go whenever the feed is done?

Thanks,

0 Karma

solarboyz1
Builder

It depends. ThreatConnect, when using the add-on, stored its data in KV stores; iSight used an index.

0 Karma

satyaallaparthi
Path Finder

We will get some pre-built threat feeds in Splunk ES, right? When we enable those feeds, to which index will that data go?

Index = ioc? Or index = stix? Or index = threat_activity?

What is the IOC (indicator of compromise) format or the STIX format?

0 Karma

solarboyz1
Builder

The threat feeds configured via Threat Intelligence Downloads in ES are put into KV stores, like service_intel, file_intel, ip_intel, etc.

You can view the data in them:
| inputlookup ip_intel

For more detail, go to Enterprise Security -> Security Intelligence -> Threat Intelligence -> Threat Artifacts. Use the "open in search" icon to open the "threat overview" panel in search mode to see the search syntax and where that data is pulled from.

0 Karma
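To tie the answer back to the original question (matching Web data model events against the ES ip_intel KV store), here is an SPL search added as an illustration; it is not from the thread or from Splunk's own ES content. It assumes the Web data model is accelerated, that the ip_intel lookup definition exposes the fields ip, threat_key and description (check with | inputlookup ip_intel), and that your web source is mapped to Web.src.

```spl
| tstats summariesonly=true count min(_time) AS first_seen max(_time) AS last_seen
    FROM datamodel=Web
    WHERE earliest=-24h
    BY Web.src Web.dest Web.url
| rename Web.* AS *
| lookup ip_intel ip AS src OUTPUTNEW threat_key description
| where isnotnull(threat_key)
| convert ctime(first_seen) ctime(last_seen)
| table first_seen last_seen src dest url count threat_key description
| sort - count
```

Use summariesonly=false if the data model is not accelerated (slower, but it searches the raw events). The lookup step is the same matching that ES's own scheduled threat-gen correlation searches perform; their matches are what end up in the threat_activity index mentioned earlier in the thread, so ad hoc searches like this one are mainly for validation or for hunting in a specific time window.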