tankmek/ip_threat_feed.spl

## ip_threat_feed.spl
# Reference: https://blog.edie.io/2020/04/30/diy-ip-threat-feed/
# Reference: https://github.com/tankmek/threatfeed/raw/master/ip_threat_feed.csv

index=honeypot eventtype="login_success"
| stats earliest(_time) AS first_seen, dc(host) AS sensor, latest(_time) AS last_seen by src_ip
| fieldformat first_seen=strftime(first_seen, "%Y%m%d %X")
| fieldformat last_seen=strftime(last_seen, "%Y%m%d %X")
| iplocation src_ip
| eval Country = if(isnull(Country), "Unknown", Country)
| lookup tor_exit_nodes exit_node_ip AS src_ip OUTPUTNEW exists AS tor_exit_node
| eval "tor_exit_node"=coalesce('tor_exit_node', "false")
| table src_ip, Country, last_seen, first_seen, tor_exit_node, sensor
| outputlookup override_if_empty=false ip_threat_feed.csv
	# Reference: https://blog.edie.io/2020/04/30/diy-ip-threat-feed/
	# Reference: https://github.com/tankmek/threatfeed/raw/master/ip_threat_feed.csv

	index=honeypot eventtype="login_success"
	\| stats earliest(_time) AS first_seen, dc(host) AS sensor, latest(_time) AS last_seen by src_ip
	\| fieldformat first_seen=strftime(first_seen, "%Y%m%d %X")
	\| fieldformat last_seen=strftime(last_seen, "%Y%m%d %X")
	\| iplocation src_ip
	\| eval Country = if(isnull(Country), "Unknown", Country)
	\| lookup tor_exit_nodes exit_node_ip AS src_ip OUTPUTNEW exists AS tor_exit_node
	\| eval "tor_exit_node"=coalesce('tor_exit_node', "false")
	\| table src_ip, Country, last_seen, first_seen, tor_exit_node, sensor
	\| outputlookup override_if_empty=false ip_threat_feed.csv