Which lookup type in Enterprise Security contains information about known hostile IP addresses?


The lookup type that contains information about known hostile IP addresses is the threat intel lookup. This type of lookup is specifically designed to integrate threat intelligence data into Splunk’s Enterprise Security environment. It helps security analysts correlate incoming data with known malicious entities, such as IP addresses, domains, and URLs that are associated with harmful activities.

Threat intel lookups can be updated regularly with the latest data from various threat intelligence providers, allowing organizations to stay informed about potential threats. By leveraging this lookup, security teams can enhance their detection capabilities and respond more effectively to incidents involving known malicious actors, thereby improving overall security posture.

The other lookup types do not serve this purpose. Security domains organize security-related information by category but do not specifically hold hostile IP data. Assets describe the organization's own infrastructure components, such as the servers and systems that need monitoring, while the domains lookup categorizes web domains and has no direct focus on threat intelligence.
