Splunk IOC Scanner: a use case every-single-SOC needs
TL;DR: tstats + term() + walklex = super speedy (and accurate) queries. Leveraging Splunk's indexed terms to address a simple, yet highly demanded, SecOps use case.
How do you search for IOCs in Splunk?
When you have an IP address, do you map all data sources that might contain a valid IP address entry? What if a field is not CIM…
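The tstats + TERM() + walklex pattern from the TL;DR, as an added example that is not from the original article: first confirm the IOC is present in the index lexicon, then count hits per index and sourcetype without touching raw events, then pivot to the raw events only where hits exist. It assumes a Splunk version whose tstats accepts TERM() in the WHERE clause, a constructed IOC of 10.20.30.40, and `<index>`/`<sourcetype>` placeholders taken from the second search's output.

```spl
| walklex index=* type=term prefix="10.20.30.40"
| stats sum(count) AS term_count BY index term

| tstats count WHERE index=* TERM(10.20.30.40) BY index sourcetype
| sort - count

index=<index> sourcetype=<sourcetype> TERM(10.20.30.40)
| table _time index sourcetype _raw
```

TERM() only matches when the IOC is stored as one whole term, i.e. bounded by major breakers in the raw event, so an empty walklex result on a value you know is in the data is the signal to fall back to a field-based or wildcard search for that source. Scope `index=*` down to the indexes a SOC actually owns before scheduling this, since walklex and tstats both walk every bucket in the time range.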