My first Threat Intelligence Report
25.10.2025
I went poking around in my Wazuh dashboards and visualizations and decided I wanted more information on who is trying to probe this site.
I went into visualizations and after a lot of playing around I finally was able to create the table below.
This chart takes any IPs that have raised an alarm in my SIEM and orders them by the number of times they have raised an alarm. As you can see, there's one that sticks out:
52.178.223.71
It hammered my site a whopping 144 times!
I decided it's time to dial in my efforts, get as much information as I can about this specific IP and write a detailed report about what this IP is doing.
The report can be read in full here.
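The same "alerts per source IP" table can be built straight from Wazuh's alerts.json, and the same pass can produce the per-IP breakdown (rules hit, highest rule level, first/last seen) that goes into a write-up like the one above. This is an added example, not code from the post or from Wazuh; the field names follow Wazuh's alert schema (`data.srcip`, `rule.id`, `rule.level`), and the alert lines are constructed sample data, apart from the IP named in the post.

```python
import json
from collections import Counter

# Constructed sample of Wazuh alerts.json (newline-delimited JSON). Rule ids and
# descriptions mimic Wazuh's stock rules; timestamps, URLs and the second IP are made up.
SAMPLE_ALERTS = """
{"timestamp":"2025-10-25T08:01:12.000+0000","rule":{"id":"31101","level":5,"description":"Web server 400 error code."},"data":{"srcip":"52.178.223.71","url":"/.env"}}
{"timestamp":"2025-10-25T08:01:13.000+0000","rule":{"id":"31101","level":5,"description":"Web server 400 error code."},"data":{"srcip":"52.178.223.71","url":"/wp-login.php"}}
{"timestamp":"2025-10-25T08:02:40.000+0000","rule":{"id":"31151","level":10,"description":"Multiple web server 400 error codes from same source ip."},"data":{"srcip":"52.178.223.71"}}
{"timestamp":"2025-10-25T09:15:02.000+0000","rule":{"id":"5710","level":5,"description":"sshd: Attempt to login using a non-existent user"},"data":{"srcip":"198.51.100.7","srcuser":"admin"}}
{"timestamp":"2025-10-25T09:15:09.000+0000","rule":{"id":"5710","level":5,"description":"sshd: Attempt to login using a non-existent user"},"data":{"srcip":"198.51.100.7","srcuser":"test"}}
{"timestamp":"2025-10-25T10:00:00.000+0000","rule":{"id":"533","level":7,"description":"Listened ports status (netstat) changed."},"data":{}}
""".strip()

def parse_alerts(ndjson):
    """Parse alerts.json lines; a truncated line (common at the live end of the file) is skipped."""
    alerts = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts

def top_sources(alerts, limit=10):
    """Alerts per source IP, most noisy first. Alerts with no srcip (local checks) are ignored."""
    counts = Counter()
    for a in alerts:
        ip = a.get("data", {}).get("srcip")
        if ip:
            counts[ip] += 1
    return counts.most_common(limit)

def source_profile(alerts, ip):
    """Per-IP facts for a report: which rules fired, how severe, and the active time window."""
    rules, max_level, seen = Counter(), 0, []
    for a in alerts:
        if a.get("data", {}).get("srcip") != ip:
            continue
        rule = a.get("rule", {})
        rules[(rule.get("id"), rule.get("description"))] += 1
        max_level = max(max_level, int(rule.get("level", 0)))
        seen.append(a.get("timestamp"))
    return {"ip": ip, "total": sum(rules.values()), "max_level": max_level,
            "first_seen": min(seen) if seen else None, "last_seen": max(seen) if seen else None,
            "rules": rules.most_common()}

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for ip, n in top_sources(alerts):
        print(f"{ip:>16}  {n}")
    print(source_profile(alerts, top_sources(alerts, 1)[0][0]))
```

Point `parse_alerts` at the contents of `/var/ossec/logs/alerts/alerts.json` on the manager to get the live version of the dashboard table.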
Hopefully the information in this report can be used in identifying future threat patterns/actors. Or maybe it will be lost in the tsunami of constant probes.
I'm immensely curious about these persistent probes. They are like scouts being sent into enemy territory looking for any information that could be useful.
If we had more information about them, or better ways to mitigate against this kind of probing, could we make the internet a safer place?
Lessons learned: there are many constant threats coming in, but taking the time to study one in detail is one step closer to understanding the enemy and one step closer to security.