Splunk IOC Scanner: a use case every-single-SOC needs

TL;DR: tstats + term() + walklex = super speedy (and accurate) queries. Leveraging Splunk terms by addressing a simple, yet highly demanded SecOps use case.

How do you search for IOCs in Splunk?

When you have an IP address, do you map all data sources that might contain a valid IP address entry? What if a field is not CIM…