I have web IIS logs.
We have IP addresses in the web logs and want to know when web hits come from suspect IPs.
I want to check our Web data model events against known bad IP addresses.
Anyone know where we can get a list of IP addresses from known bad actors (bots, hackers, etc.) and how to ingest it into Splunk and check?
Any help would be appreciated!
We will get some pre-built threat feeds in Splunk ES, right? When we enable those feeds, to which index does that data go?
index=ioc? or index=stix? or index=threat_activity?
What is the IOC (Indicator of Compromise) format or the STIX format?
The threat feeds configured via Threat Intelligence Downloads in ES are put into KV store collections, like service_intel, file_intel, ip_intel, etc.
You can view the data in them with:
| inputlookup ip_intel
For more detail, go to Enterprise Security -> Security Intelligence -> Threat Intelligence -> Threat Artifacts. Use the "open in search" icon to open the "threat overview" panel in search mode to see the search syntax and where that data is pulled from.
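As an added example (not from the answer above), here is an ad-hoc SPL search that joins Web data model traffic against the ip_intel KV store to surface hits from listed IPs. It assumes the IIS logs are mapped into an accelerated Web data model (client IP in Web.src), and that the ip_intel lookup exposes ip, threat_key and description fields; confirm the field names first with `| inputlookup ip_intel | head 5`.

```spl
| tstats summariesonly=true count min(_time) AS first_seen max(_time) AS last_seen
    from datamodel=Web
    where Web.src!=""
    by Web.src, Web.dest, Web.url
    ```Web.src is the client IP (IIS c_ip); aggregate per source, site and URL```
| rename Web.* AS *
    ```Match the client IP against the ES threat intel KV store; the lookup
       definition for ip_intel uses the "ip" field, so alias src onto it```
| lookup ip_intel ip AS src OUTPUT threat_key AS threat_key, description AS threat_description
| where isnotnull(threat_key)
    ```Only keep sources that matched an indicator```
| convert ctime(first_seen) ctime(last_seen)
| table src, threat_key, threat_description, dest, url, count, first_seen, last_seen
| sort - count
```

If the ip_intel lookup definition in your ES is configured for CIDR matching on the ip field, range indicators from the feeds match here as well; otherwise only exact IP indicators will hit. ES also runs its own threat-matching correlation searches continuously, so this search is for ad-hoc verification rather than a replacement for them.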