Cloud SIEM cross-references incoming logs against lists of known Indicators of Compromise (IOCs) to detect threats automatically. The IOCs come from recommended Threat Intelligence feeds that crowdsource and scrape the internet for malicious and suspected IPs, domain names, and URLs.

When an incoming log matches an IOC, the original log is enriched with the relevant details from the feed.

Review feeds

To open the list of feeds, go to Threats > Threat Intelligence Feeds from the top menu.

(Screenshot: the Threat Intelligence Feeds list)

The list shows each feed's name and description, its IOC type, the calendar date on which it was last synced, and a direct link to view the source feed.

Logz.io syncs each feed once a day to pick up updates; the date of the last sync is shown in the list.

There is also an option to add a private feed of malicious IPs. See Adding a private feed.

Research an IOC

If you need to research a specific IP, URL, or domain, you can check whether it appears in any of your feeds.

Click the source link to research the indicator and look up additional details.

(Screenshot: looking up an IOC in the feeds)
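The cross-referencing and enrichment described in the introduction, and the feed lookup described under Research an IOC, as an added illustration that is not Logz.io's code: a small Python routine that normalizes IP, domain and URL indicators, builds an index from several feeds, checks a parsed log event against that index and appends the matching feed details to the event. The feed names, source links, IOC values and log events are all constructed for the example; the indexing and normalization choices are assumptions about how such a matcher could work, not a description of the product.

```python
"""Added example: IOC cross-reference and log enrichment (illustrative only)."""
import ipaddress
import json
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Loose hostname check: dotted labels ending in an alphabetic TLD, optional trailing dot.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}\.?$", re.I)


@dataclass(frozen=True)
class Indicator:
    value: str      # normalized IOC value
    ioc_type: str   # "ip", "domain" or "url"
    feed: str       # feed the IOC came from
    source: str     # link to the source feed


def classify(raw):
    """Return (ioc_type, normalized value), or None if raw is not an IP, domain or URL."""
    s = raw.strip()
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        pass
    if "://" in s:
        try:
            p = urlsplit(s)
            if p.scheme not in ("http", "https") or not p.hostname:
                return None
            host = p.hostname.rstrip(".")          # hostname is already lowercased
            netloc = host if p.port is None else f"{host}:{p.port}"
            # Keep the query (feeds often list full URLs) but drop the fragment.
            return "url", urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))
        except ValueError:
            return None
    if DOMAIN_RE.match(s):
        return "domain", s.lower().rstrip(".")
    return None


def build_index(feeds):
    """feeds: {name: {"source": link, "type": ioc_type, "iocs": [raw values]}} -> lookup index."""
    index = {}
    for name, feed in feeds.items():
        for raw in feed["iocs"]:
            kind = classify(raw)
            if kind is None or kind[0] != feed["type"]:
                continue  # skip malformed entries rather than indexing garbage
            index.setdefault(kind, []).append(Indicator(kind[1], kind[0], name, feed["source"]))
    return index


def lookup(index, raw):
    """All feed entries for one IP, domain or URL (an IOC may appear in several feeds)."""
    kind = classify(raw)
    return [] if kind is None else list(index.get(kind, []))


def observables(log):
    """Yield candidate strings from a parsed event; a URL's host is checked as a domain too."""
    for value in log.values():
        if isinstance(value, str) and classify(value) is not None:
            yield value
            if classify(value)[0] == "url":
                yield urlsplit(value).hostname


def enrich(index, log):
    """Return a copy of the event with a 'threat' field listing every matched indicator."""
    hits, seen = [], set()
    for obs in observables(log):
        for ind in lookup(index, obs):
            if ind not in seen:
                seen.add(ind)
                hits.append({"indicator": ind.value, "type": ind.ioc_type,
                             "feed": ind.feed, "source": ind.source})
    out = dict(log)
    if hits:
        out["threat"] = hits
    return out


# Constructed feeds (documentation-reserved names and addresses, not real IOCs).
FEEDS = {
    "Example IP Blocklist": {"source": "https://feeds.example.invalid/ips.txt", "type": "ip",
                             "iocs": ["203.0.113.5", "198.51.100.77", "not-an-ip"]},
    "Example Domain Feed": {"source": "https://feeds.example.invalid/domains.txt", "type": "domain",
                            "iocs": ["Bad-Domain.Example.", "phish.example"]},
    "Example URL Feed": {"source": "https://feeds.example.invalid/urls.txt", "type": "url",
                         "iocs": ["http://bad-domain.example/login.php", "HTTP://phish.example/"]},
    "Private IP Feed": {"source": "private", "type": "ip", "iocs": ["203.0.113.5"]},
}

# Constructed log events, already parsed into fields.
LOGS = [
    {"timestamp": "2024-01-01T00:00:01Z", "src_ip": "203.0.113.5", "dest_ip": "10.0.0.8", "action": "allow"},
    {"timestamp": "2024-01-01T00:00:02Z", "src_ip": "10.0.0.9", "url": "http://BAD-DOMAIN.example/login.php#frag"},
    {"timestamp": "2024-01-01T00:00:03Z", "src_ip": "10.0.0.10", "query": "benign.example"},
]

if __name__ == "__main__":
    idx = build_index(FEEDS)
    for event in LOGS:
        print(json.dumps(enrich(idx, event), indent=2))
```

Normalizing both sides before comparison is the part that matters in practice: the domain feed entry `Bad-Domain.Example.` and the log's `BAD-DOMAIN.example` only line up because case and the trailing dot are stripped, and the first event is reported by two feeds because the index keeps every feed that lists the same IP rather than the first one found.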