Hi all,
Has anyone out there had any benefit from the free threat intel lists in Splunk ES? They're causing a lot of noise, and I am not sure about their accuracy. Please shed some light, someone?
alexa_top_one_million_sites
cisco_top_one_million_sites
emerging_threats_compromised_ip_blocklist
emerging_threats_ip_blocklist
hailataxii_malware
iblocklist_logmein
iblocklist_piratebay
iblocklist_proxy
iblocklist_rapidshare
iblocklist_spyware
iblocklist_tor
iblocklist_web_attacker
icann_top_level_domain_list
local_certificate_intel
local_domain_intel
local_email_intel
local_file_intel
local_http_intel
local_ip_intel
local_process_intel
local_registry_intel
local_service_intel
local_user_intel
malware_domains threatlist_domain
maxmind_geoip_asn_ipv4
maxmind_geoip_asn_ipv6
mozilla_public_suffix_list
phishtank
sans
zeus_bad_ip_blocklist
zeus_standard_ip_blocklist
No. None of the included lists are of value. You are better off seeking sources within your industry, such as ISACs, etc.
Thanks, mate. Do you have any other recommendations that you may possibly use in your environment?
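One way to put numbers on the "noise" question asked above, added here as an example and not part of the original thread: a Splunk search over the ES threat activity index that counts matches per threat collection for the last 30 days, so the loudest lists can be identified and then down-weighted or disabled. It assumes the ES default index name threat_activity and the fields threat_collection and threat_match_value that ES writes for each match.

```spl
index=threat_activity earliest=-30d@d
| stats count AS matches
        dc(threat_match_value) AS unique_indicators
        values(threat_match_field) AS matched_fields
        BY threat_collection
| eventstats sum(matches) AS total_matches
| eval pct_of_all_matches = round(100 * matches / total_matches, 1)
| eval matches_per_indicator = round(matches / unique_indicators, 1)
| sort - matches
```

A collection with a large share of all matches but very few unique indicators, or many matches against a single indicator, is usually a list that needs review rather than a real campaign; threat_match_field (assumed name) shows whether a list is firing on source, destination or query fields, which helps decide whether the hits are plausible for that list type.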