https://community.cisco.com/t5/security-analytics/stealthwatch-slic-issue-question/m-p/4171607#M589 <P>We have experienced similar cases several times, mostly associated with Azorult and Smokeloader.<BR />As was stated above, I also think this will probably happen bcause Google or other service providers have malware hosted on one server and this IP gets flagged as C&amp;C server which triggers the events for normal google traffic.<BR /><BR />As far as I know, Cisco is working on a migration for the security intelligence feed to TALOS, so I guess we can expect a change for this behaviour in the future.&nbsp;</P> Thu, 22 Oct 2020 09:03:26 GMT FloKo 2020-10-22T09:03:26Z https://community.cisco.com/t5/security-analytics/stealthwatch-slic-issue-question/m-p/4027556#M430 <P>Things appeared to go sideways yesterday (02/10) with regard to the data in the SLIC feed - as we received 40+ alerts of C&amp;C activity as users were browsing to <A href="http://www.google.com" target="_blank" rel="noopener">www.google.com</A> - the destination IPs were what is expected for Google</P><P>&nbsp;</P><P>The destination C&amp;C server group in question was Azorult</P><P>&nbsp;</P><P>Today it seems to have returned to normal</P><P>&nbsp;</P><P>Couple of questions:</P><P>&nbsp;</P><P>I'm looking for a way to query the IP addresses in a given SLIC feel host group</P><P>&nbsp;</P><P>Curious if anybody else saw similar behavior</P><P><BR />Thanks,<BR />Bob</P> Tue, 11 Feb 2020 14:16:10 GMT https://community.cisco.com/t5/security-analytics/stealthwatch-slic-issue-question/m-p/4027556#M430 reheindel 2020-02-11T14:16:10Z https://community.cisco.com/t5/security-analytics/stealthwatch-slic-issue-question/m-p/4028730#M433 <P>We have no option to look IP in the SLIC database. This data is OEMed and they don't give permission to do it.</P> <P>&nbsp;</P> <P>Recently there are many cloud-based hosted services like Google Cloud, AWS and so on. If one of the public hosted IP is infected malware and become a one of botnet, SLIC will add the IP in the list. In another case, our vendor's honey pod finds attacks that has a crafted source IP same as Google-owned and adds it to the list.</P> <P>If you find this kind of issue, please contact TAC and they can escalate it to OEM vendor to resolve it.</P> <P>&nbsp;</P> <P>In your case, probably the vendor gets a support request from someone who owns/runs the IP and fix it. Security Intelligence is based on mutual cooperation, so customer feedback is important to the accurate database maintain.</P> Thu, 13 Feb 2020 05:43:44 GMT https://community.cisco.com/t5/security-analytics/stealthwatch-slic-issue-question/m-p/4028730#M433 kyoshiik 2020-02-13T05:43:44Z https://community.cisco.com/t5/security-analytics/stealthwatch-slic-issue-question/m-p/4171607#M589 <P>We have experienced similar cases several times, mostly associated with Azorult and Smokeloader.<BR />As was stated above, I also think this will probably happen bcause Google or other service providers have malware hosted on one server and this IP gets flagged as C&amp;C server which triggers the events for normal google traffic.<BR /><BR />As far as I know, Cisco is working on a migration for the security intelligence feed to TALOS, so I guess we can expect a change for this behaviour in the future.&nbsp;</P> Thu, 22 Oct 2020 09:03:26 GMT https://community.cisco.com/t5/security-analytics/stealthwatch-slic-issue-question/m-p/4171607#M589 FloKo 2020-10-22T09:03:26Z