Look up IOCs (Indicators of Compromise) of IP addresses, URLs and domains in a local copy of CrowdStrike's curated database of IOCs and annotate the events with the associated security information.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
confidenceThreshold | string | optional[a] | high | The lowest level of confidence of IOCs to consider. |
Valid Values | ||||
high | High level of confidence that the item is an IOC | |||
low | Low level of confidence that the item is an IOC | |||
medium | Medium level of confidence that the item is an IOC | |||
unverified | IOC for this item has been reported but not yet verified | |||
field [b] | array of strings | required | The field(s) containing either IP addresses, URLs or domains to check for IOCs. | |
include | array of strings | optional[a] | All columns | Specifies the columns from the IOC database to include. |
Valid Values | ||||
indicator | The IOC found in the event | |||
labels | One or more labels indicating the IOC information | |||
last_updated | The date the IOC was last updated | |||
malicious_confidence | The confidence level of the IOC, high ,
medium ,low , or
unverified | |||
published_date | The date the IOC was first published | |||
type | The type of the IOC detected, ip_address ,
url , or domain | |||
prefix | string | optional[a] | ioc | Prefix for the names of all the output fields. |
strict | boolean | optional[a] | false | If true , only output events where at least one of the selected fields matches an IOC; if false (the default), let all events through. |
Valid Values | ||||
false | Pass all events | |||
true | Only output events where at least one of the selected fields matches an IOC | |||
type | string | required | Specifies the type of IOCs to search for a match. Specifying the wrong type may lead to inconsistent or inconclusive results. | |
Valid Values | ||||
domain | Source value is a domain or hostname | |||
ip_address | Source value is an IP address | |||
url | Source value is a URL | |||
[a] Optional parameters use their default value unless explicitly set. |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
field
can be omitted; the following forms of this function are equivalent:logscale Syntaxioc:lookup(["value"],type="value")
and:
logscale Syntaxioc:lookup(field=["value"],type="value")
These examples show basic structure only.
Hide negatable operation for this function
Negatable Function OperationThis function is negatable, implying the inverse of the result. For example:
logscale Syntax!ioc:lookup()
Or:
logscale Syntaxnot ioc:lookup()
For more information, see Negating the Result of Filter Functions.
Important
The ioc:lookup()
function cannot be used to lookup
custom indicators when deployed within a multi-tenant environment.
If any of the selected fields match an IOC, the field
ioc (by default, controlled via
the prefix
parameter) will
be added to each event. If an IOC is identified, the returned information
will be an array of values
prefix.detected will be added to
the event with the value true
, where
prefix is the value of the
prefix
argument.
Detailed information on the IOC will then be added to an array
ioc (or
prefix
parameter). For
example:
ioc.detected | ioc[0].indicator | ioc[0].labels | ioc[0].last_updated | ioc[0].malicious_confidence | ioc[0].published_date | ioc[0].type |
---|---|---|---|---|---|---|
true | 91.92.242.184 | KillChain/C2,Malware/AsyncRAT,Malware/Remcos,ThreatType/Commodity,ThreatType/CredentialHarvesting,ThreatType/Criminal,ThreatType/Modular,ThreatType/OpenSource,ThreatType/RAT | 1706062241000 | unverified | 1703421875000 | ip_address |
IP addresses can be either IPv4 or IPv6 addresses. Short-hand notation for IPv6 addresses is supported and can be matched against non-short-hand notation. URLs and domains use case-insensitive string matching.
The function can be negated, but only with
strict=true
.
For information about how to configure the IOC database, see IOC Configuration.
Returned Fields
The function will set
ioc.detected to
true
for any event that has an
identified indicator of compromise. Additional fields then contain
specific information about the IOC trigger.
By default, a full set of fields is returned, and because an entry could
match one or more IOCs, the information is returned as an array for each
of these fields. The returned fields can be limited by using the
include
argument. For
example:
ioc:lookup(field=[lookupfield], type="domain",include=["labels", "type"])
Might return:
@id | ioc.detected | ioc[0].labels | ioc[0].malicious_confidence | lookupfield |
---|---|---|---|---|
9ihO66MGBDUAtd1snMEbrWFR_3_44_1709295971 | true | MaliciousConfidence/High,Malware/AsyncRAT,ThreatType/Commodity,ThreatType/Criminal,ThreatType/Modular,ThreatType/OpenSource,ThreatType/RAT | high | doinhulon.ddns.net |
The list of fields that can be returned and their contents are described in the table below:
Column | Type | Description |
---|---|---|
indicator | string | The IOC that was found in the event field. |
type | string |
The type of IOC detected. One of
ip_address ,
url , and domain.
|
published_date | Timestamp in Unix time, UTC | The date the IOC was first published. |
last_updated | Timestamp in Unix time, UTC | The date the IOC was last updated. |
malicious_confidence | string |
The confidence level by which an IOC is considered to be malicious. Will change over time.
|
labels | string | Detailed information about the IOC using a comma-separated list of labels. See Labels. |
Labels
The column labels contains a
comma-separated list of labels that provide additional context around an
indicator. The labels have the form
category/value
. The categories are
described below.
Actors
Have the form Actor/...
.
The named actor that the indicator is associated with (for example,
Panda
,
Bear
,
Spider
, etc).
Malware Families
Have the form Malware/...
.
Indicates the malware family an indicator has been associated with
(for example, Malware/PoisonIvy
,
Malware/Zeus
,
Malware/DarkComet
, etc). An indicator
may be associated with more than one malware family.
Kill Chains
Have the form KillChain/...
.
The point in the kill chain at which an indicator is associated.
KillChain/Reconnaissance
: This indicator is associated with the research, identification, and selection of targets by a malicious actor.KillChain/Weaponization
: This indicator is associated with assisting a malicious actor create malicious content.KillChain/Delivery
: This indicator is associated with the delivery of an exploit or malicious payload.KillChain/Exploitation
: This indicator is associated with the exploitation of a target system or environment.KillChain/Installation
: This indicator is associated with the installation or infection of a target system with a remote access tool or other tool allowing for persistence in the target environment.KillChain/C2
(Command and Control): This indicator is associated with malicious actor command and control.KillChain/ActionOnObjectives
: This indicator is associated with a malicious actor's desired effects and goals.
Domain Types
Have the form DomainType/...
.
DomainType/ActorControlled
: It is believed the malicious actor is still in control of this domain.DomainType/DGA
: This domain is the result of malware utilizing a domain generation algorithm.DomainType/DynamicDNS
: This domain is owned or used by a dynamic DNS service.DomainType/DynamicDNS/Afraid
: This domain is owned or used by the Afraid.org dynamic DNS service.DomainType/DynamicDNS/DYN
: This domain is owned or used by the DYN dynamic DNS service.DomainType/DynamicDNS/Hostinger
: This domain is owned or used by the Hostinger dynamic DNS service.DomainType/DynamicDNS/noIP
: This domain is owned or used by the NoIP dynamic DNS service.DynamicDNS/Oray
: This domain is owned or used by the Oray dynamic DNS service.DomainType/KnownGood
: The domain itself (or the domain portion of a URL) is known to be legitimate, despite having been associated with malware or malicious activity.DomainType/LegitimateCompromised
: This domain does not typically pose a threat but has been compromised by a malicious actor and may be serving malicious content.DomainType/PhishingDomain
: This domain has been observed to be part of a phishing campaign.DomainType/Sinkholed
: The domain is being sinkholed, likely by a security research team. This indicates that, while traffic to the domain likely has a malicious source, the IP address to which it is resolving is controlled by a legitimate 3rd party. It is no longer believed to be under the control of the actor.DomainType/StrategicWebCompromise
: While similar to theDomainType/LegitimateCompromised
label, this label indicates that the activity is of a more targeted nature. Oftentimes, targeted attackers will compromise a legitimate domain that they know to be a watering hole frequently visited by the users at the organizations they are looking to attack.DomainType/Unregistered
: The domain is not currently registered with any registrars.
IP Address Types
Have the form IPAddressType/...
.
IPAddressType/HtranDestinationNode
: An IP address with this label is being used as a destination address with the HTran Proxy Tool.IPAddressType/HtranProxy
: An IP address with this label is being used as a relay or proxy node with the HTran Proxy Tool.IPAddressType/LegitimateCompromised
: It is suspected an IP address with this label is compromised by malicious actors.IPAddressType/Parking
: This IP address is likely being used as parking IP address.IPAddressType/PopularSite
: This IP address could be utilized for a variety of purposes and may appear more frequently than other IPs.IPAddressType/SharedWebHost
: This IP address may be hosting more than one website.IPAddressType/Sinkhole
: This IP address is likely a sinkhole being operated by a security researcher or vendor.IPAddressType/TorProxy
: This IP address is acting as a TOR (The Onion Router) Proxy.
Status
Have the form Status/...
.
Status/ConfirmedActive
: This indicator is likely to be currently supporting malicious activity.Status/ConfirmedInactive
: This indicator is no longer used for malicious purposes.Status/Historic
: The indicator is no longer used for malicious purposes but could be used again in the future.
Target
Have the form Target/...
.
The activity associated with this indicator is known to target the indicated vertical sector, which could be any of the following:
Target/Aerospace
Target/Agricultural
Target/Chemical
Target/Defense
Target/Dissident
Target/Energy
Target/Extractive
Target/Financial
Target/Government
Target/Healthcare
Target/Insurance
Target/InternationalOrganizations
Target/Legal
Target/Manufacturing
Target/Media
Target/>NGO
Target/Pharmaceutical
Target/Research
Target/Retail
Target/Shipping
Target/Technology
Target/Telecom
Target/Transportation
Target/Universities
Threat Type
Have the form ThreatType/...
.
ThreatType/ClickFraud
: This indicator is used by actors engaging in click or ad fraudThreatType/Commodity
: This indicator is used with commodity type malware such as Zeus or Pony Downloader.ThreatType/PointOfSale
: This indicator is associated with activity known to target point-of-sale machines such as AlinaPoS or BlackPoS.ThreatType/Ransomware
: This indicator is associated with ransomware malware such as Crytolocker or Cryptowall.ThreatType/Suspicious
: This indicator is not currently associated with a known threat type but should be considered suspicious.ThreatType/Targeted
: This indicator is associated with a known actor suspected to associated with a nation-state such asDEEP PANDA
orENERGETIC BEAR
.ThreatType/TargetedCrimeware
: This indicator is associated with a known actor suspected to be engaging in criminal activity such asWICKED SPIDER
.
Vulnerability
Have the form Vulnerability/...
.
The CVE-XXXX-XXX vulnerability the indicator is associated with (for
example, Vulnerability/CVE-2012-0158
).
Testing
If you use this function in a query and it does not produce any IOC results, it can be hard to tell whether there were no results or there is an error in the query. To help with that, we provide some sample IOCs that you can test your query with:
Type | Sample |
---|---|
IP address |
94.232.247.23
|
Domain |
xu4ok-46126.portmap.host
|
URL |
http://5.45.70.137/stats/getinfo.php
|
Since the IOC database is updated constantly, we cannot guarantee that these remain in the database. If you believe that one of them is no longer in the database, please contact us. Also, the malicious_confidence of these IOCs will probably be lowered over time.
For example, to test the IP address you can run the query:
client_ip:="38.92.47.91"
| ioc:lookup(field=[client_ip],type="ip_address",confidenceThreshold=unverified)
Might output:
ioc.detected | ioc[0].indicator | ioc[0].labels | ioc[0].last_updated | ioc[0].malicious_confidence | ioc[0].published_date | ioc[0].type |
---|---|---|---|---|---|---|
true | 94.232.247.23 | Actor/FAMOUSCHOLLIMA,KillChain/C2,MaliciousConfidence/High,Malware/InvisibleFerret,ThreatType/CredentialHarvesting,ThreatType/RAT,ThreatType/Targeted | 1734092900000 | high | 1733991006000 | ip_address |
ioc:lookup()
Examples
Look up IP address IOCs for the field ip and annotate events with the associated security information.
ioc:lookup("ip", type=ip_address)
Without explicitly setting different arguments, the default for these
settings will be used. For example,
confidenceThreshold
will
be applied with the
high
setting. Care should be taken to ensure that appropriate settings are
used when matching against the IOC database.
In the above example, this would mean the function would only return if the IP address was marked with a confidence threshold of high, and may not return anything at all.
Explicitly specifying fields that should be returned will provide more
detail, such as
malicious_confidence
:
ioc:lookup("ip", type=ip_address, include=["malicious_confidence", "labels"])
To explicitly lower the threshold for returned queries:
ioc:lookup("ip", type=ip_address, confidenceThreshold="low" )
Use the prefix detection for returned fields: any added fields.
ioc:lookup("ip", type="ip_address", prefix="detection")
Look up URL IOCs for the field
url
and search IOCs of all
confidence levels.
ioc:lookup("url", type="url", confidenceThreshold="low")
Look up URL IOCs for the field
url
and only keep the
events containing an IOC. Useful for finding IOCs in queries used for
alerts or scheduled searches.
ioc:lookup("url", type="url", strict=true)