Comments on SecuritySynapse: Quick and Flexible IOC Hunting in Splunk
Blog author: Tony Lee (http://www.blogger.com/profile/04935721260910647091)
Comment feed last updated 2024-03-20

Anonymous, 2021-10-21 12:23 (-07:00):

    index=protect
        [| inputlookup your_ioc.csv
         | table File_Hash]
    | dedup File_Hash
    | table _time, File_Hash, file_path, DeviceName, UserName, sourcetype

Tony Lee, 2021-10-20 17:31 (-07:00):

Great question. The longevity of an IP address is much less than a domain name. If the IP address is rather unique and hardcoded within the RAT/C2, then it might be worth adding. However, if it maps back to a CDN or cloud provider it might result in FPs. If this is the case, simply remove it from the list. Consider using domain names over IPs if possible.

Anonymous, 2021-10-20 15:47 (-07:00):

Thanks for this post, it helped me a lot. I am just wondering: if I am getting the IOCs from threat intelligence (in this case I am talking about IP types), sometimes we have a lot of positives, right? Because some IPs could be web hosting service providers. So, how could we remove these false positives and avoid those IPs coming back when we do the append with the threat intelligence again?

Tony Lee, 2020-04-21 04:20 (-07:00):

Thanks for the feedback!

Anonymous, 2020-04-20 15:03 (-07:00):

Great stuff! Thank you!
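The exchange above about hosting-provider IPs creeping back into the IOC lookup every time the threat-intel feed is appended is a maintenance problem for the CSV, not for the search. One way to handle it, as an added example that is not part of the original post or its comments, is to keep a separate suppression file of IPs or CIDR ranges you have already judged to be false positives (CDN, shared hosting, cloud egress) and to apply it every time the feed is merged into the lookup, so a suppressed address can never return. The file names, column names and all sample IPs below are constructed assumptions; the IPs are from the documentation ranges and are not real indicators.

```python
"""
Merge a threat-intel IP feed into a Splunk IOC lookup CSV while honouring a
suppression (allowlist) file, so IPs removed as false positives stay removed
when the feed is appended again.  Example code for this comment thread; the
file names and columns (ip, source, first_seen / cidr, reason) are assumptions.
"""
import csv
import io
import ipaddress

# Constructed sample threat-intel feed (documentation addresses, not real IOCs).
TI_FEED_CSV = """ip,source,first_seen
203.0.113.10,feedA,2021-10-01
198.51.100.7,feedA,2021-10-02
192.0.2.25,feedB,2021-10-03
203.0.113.10,feedB,2021-10-05
not-an-ip,feedB,2021-10-05
"""

# Constructed current contents of the Splunk lookup (your_ioc.csv).
EXISTING_IOC_CSV = """ip,source,first_seen
198.51.100.7,feedA,2021-10-02
"""

# Constructed suppression list: exact IPs or CIDRs you have already triaged as FPs.
SUPPRESS_CSV = """cidr,reason
192.0.2.0/24,shared hosting provider
"""

FIELDNAMES = ["ip", "source", "first_seen"]


def load_suppressions(text):
    """Parse the suppression CSV into ip_network objects (a bare IP is a /32 or /128)."""
    return [ipaddress.ip_network(row["cidr"].strip(), strict=False)
            for row in csv.DictReader(io.StringIO(text))]


def is_suppressed(ip, nets):
    """True if the address falls inside any suppressed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def merge_feed(existing_text, feed_text, suppress_text):
    """Return (kept_rows, dropped) where kept_rows is the deduplicated lookup
    content and dropped lists (ip, reason) for every row that was excluded.

    The existing lookup is read first so an indicator keeps its original
    first_seen/source; later duplicates from the feed are ignored."""
    nets = load_suppressions(suppress_text)
    merged = {}   # ip -> row; dict keyed on ip gives the dedup
    dropped = []
    for text in (existing_text, feed_text):
        for row in csv.DictReader(io.StringIO(text)):
            ip = row["ip"].strip()
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                dropped.append((ip, "not an IP address"))
                continue
            if is_suppressed(ip, nets):
                dropped.append((ip, "suppressed"))
                continue
            merged.setdefault(ip, {k: row.get(k, "") for k in FIELDNAMES})
    return list(merged.values()), dropped


def write_lookup(rows):
    """Render rows as CSV text ready to be written over your_ioc.csv."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDNAMES)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows, dropped = merge_feed(EXISTING_IOC_CSV, TI_FEED_CSV, SUPPRESS_CSV)
    print(write_lookup(rows))
    for ip, reason in dropped:
        print(f"dropped {ip}: {reason}")
```

Run the merge on a schedule in place of a plain append, write the result over the lookup, and add any newly triaged hosting or CDN address to the suppression file rather than deleting it from the lookup by hand; the suppression file is then the only place the decision has to be recorded. The same effect can be had inside Splunk by keeping the suppression list as a second lookup and filtering with `NOT [| inputlookup ...]` before `outputlookup`, though CIDR matching there needs a `match_type=CIDR` lookup definition.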