While responding to an incident, we should keep a list of indicators of compromise (IOCs): IP addresses, domain names, file names and paths, and so on. With that list we can check whether any evidence is still missing from what we collected, and run an initial sweep of the logs for anything already known to be bad.
$ grep -E -f ../IOCs/knownbad.txt ./*.log > ../result.txt
$ cat ../IOCs/knownbad.txt
\bws0\.txt
markup%5D=
[TRIMMED]
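The sweep above, as an added, self-contained example that is not part of the original note: it builds a constructed IOC list and two constructed log files in a temporary directory, runs the same `grep -E -f` sweep, and counts the hits. Because `-E` treats every line of the IOC file as an extended regular expression, literal dots in file names and IP addresses must be escaped (`ws0\.txt`, `203\.0\.113\.42`), otherwise `ws0.txt` would also match `ws0Atxt`; `\b` (word boundary) is a GNU grep extension. If the list holds plain strings rather than patterns, `-F` is the safer flag. The `-H -n` flags are an addition so each hit carries its file name and line number for the timeline.

```shell
#!/bin/sh
# Added example (not the original author's files): IOC sweep with grep -E -f.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/IOCs" "$WORK/logs"

# Constructed IOC list, one extended regex per line. Dots are escaped so
# they match a literal '.', not any character.
cat > "$WORK/IOCs/knownbad.txt" <<'EOF'
\bws0\.txt
markup%5D=
203\.0\.113\.42
EOF

# Constructed web server log (sample data, made up for this example).
cat > "$WORK/logs/access.log" <<'EOF'
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.42 - - [10/Oct/2023:13:56:01 +0000] "GET /uploads/ws0.txt HTTP/1.1" 200 88
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "POST /page?markup%5D=1 HTTP/1.1" 500 0
198.51.100.9 - - [10/Oct/2023:13:58:40 +0000] "GET /news0txt HTTP/1.1" 404 0
EOF

# Constructed application log (sample data, made up for this example).
cat > "$WORK/logs/app.log" <<'EOF'
2023-10-10T13:56:02Z info upload saved name=ws0.txt size=88
2023-10-10T13:59:00Z info healthcheck ok
EOF

# sweep_iocs IOCFILE LOGDIR
# Print every log line matching any IOC pattern, prefixed with file name
# and line number. grep exits 1 when nothing matches; that is not an
# error for a sweep, so the exit status is normalised to 0.
sweep_iocs() {
    grep -E -H -n -f "$1" "$2"/*.log || true
}

# count_hits IOCFILE LOGDIR
# Number of matching log lines across all files (a line that matches two
# patterns is counted once).
count_hits() {
    sweep_iocs "$1" "$2" | wc -l | tr -d ' '
}

# Same shape as the original command: results go to a file next to the logs.
sweep_iocs "$WORK/IOCs/knownbad.txt" "$WORK/logs" > "$WORK/result.txt"
cat "$WORK/result.txt"
```

In the constructed data, `/news0txt` does not match because the pattern requires a word boundary before `ws0` and a literal dot before `txt`; the `/uploads/ws0.txt` line matches both the file name and the IP pattern but is reported once, so three lines land in `result.txt`.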