Logz.io cross-references incoming logs against lists of known IOCs (Indicators of Compromise) to automatically detect threats. Whenever an IOC is detected, the original log is enriched with the relevant details.
Logz.io pulls lists of IOCs, also known as Threat Intelligence feeds, from industry-recommended sources that crowdsource and scrape the internet for malicious and suspicious indicators, including:
- MD5/SHA-1/SHA-256 hash signatures
- User-Agent headers
In addition to the feeds that are automatically generated by Logz.io, you can add your own Private Feeds for any of the above IOC types or for a custom type of your choice. Custom IOCs are typically used to create lists of usernames or email addresses.
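The matching-and-enrichment flow described above, as an added example that is not Logz.io's own code: a handful of constructed feeds (including a private feed with a custom "username" IOC type) are inverted into a lookup index, and each log event that matches an indicator is enriched with the feed's name, IOC type, reliability score, source URL and feed kind. The field mapping, feed layout and all indicator values are assumptions for this example.

```python
# Constructed sample feeds for this example (not Logz.io's real feeds). Each entry carries
# the details the Threat Intelligence Feeds table lists: name, IOC type, reliability, URL, kind.
SAMPLE_HASH = "ab" * 32  # constructed placeholder SHA-256 value, not a real indicator
FEEDS = [
    {"name": "sample-hash-feed", "ioc_type": "sha256", "reliability": 0.9,
     "url": "https://feeds.example.invalid/hashes", "kind": "Logz.io feed",
     "indicators": {SAMPLE_HASH}},
    {"name": "sample-ua-feed", "ioc_type": "user-agent", "reliability": 0.6,
     "url": "https://feeds.example.invalid/user-agents", "kind": "Logz.io feed",
     "indicators": {"BadBot/1.0 (constructed)"}},
    {"name": "team-watchlist", "ioc_type": "username", "reliability": 0.8,
     "url": None, "kind": "Private feed",  # custom IOC type, as the text describes
     "indicators": {"svc_backup_old"}},
]

# Which log field each IOC type is compared against (an assumption of this example).
FIELD_BY_TYPE = {"sha256": "file_hash", "user-agent": "user_agent", "username": "user"}


def build_index(feeds: list) -> dict:
    """Invert the feeds into {(ioc_type, indicator): [feeds...]} for constant-time lookups."""
    index = {}
    for feed in feeds:
        for ioc in feed["indicators"]:
            index.setdefault((feed["ioc_type"], ioc.lower()), []).append(feed)
    return index


def enrich(log: dict, index: dict) -> dict:
    """Return a copy of the log; if any field matches a known IOC, attach the feed details."""
    matches = []
    for ioc_type, field in FIELD_BY_TYPE.items():
        value = log.get(field)
        if value is None:
            continue
        # Lowercasing both sides makes hash and user-agent comparison case-insensitive.
        for feed in index.get((ioc_type, str(value).lower()), []):
            matches.append({"feed": feed["name"], "ioc_type": ioc_type, "indicator": value,
                            "reliability": feed["reliability"], "source_url": feed["url"],
                            "feed_kind": feed["kind"]})
    enriched = dict(log)
    if matches:  # non-matching logs pass through unchanged
        enriched["threat_intel"] = matches
    return enriched


if __name__ == "__main__":
    idx = build_index(FEEDS)
    # Constructed sample log events, not real traffic.
    for event in ({"src_ip": "198.51.100.7", "file_hash": SAMPLE_HASH.upper()},
                  {"src_ip": "198.51.100.8", "user_agent": "Mozilla/5.0"},
                  {"user": "svc_backup_old", "action": "login"}):
        print(enrich(event, idx))
```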
Review your Threat Intelligence feeds
To view the list of your threat intelligence feeds, navigate to SIEM > Threat Intelligence Feeds.
You can search the table for IP addresses, domains, or URLs across the different feeds. The table includes the following information:
- Feed name: the name of each threat intelligence feed.
- IOC type: IOCs (Indicators of Compromise) are identified by IP, hash, domain, URL, User-Agent header, or other custom indicators.
- Reliability score: the reliability score of the feed, assigned by Logz.io's team of security analysts.
- Source URL: a link to the source of the feed, where you can find more detailed information or investigate the threats further.
- Feed type: there are two types of feeds:
  - Logz.io threat feed: a predefined threat feed. It is included by default and cannot be edited. Logz.io threat feeds carry a Logz.io feed tag.
  - Private threat feed: a feed added by you or your team members. You can add, edit, or delete a private feed. Private feeds carry a Private feed tag.
- Last sync: Logz.io syncs each feed once daily to look for updates. This column shows the date when the feed was last updated or synchronized.