Look up IOCs (Indicators of Compromise) of IP addresses, URLs and domains in a local copy of CrowdStrike's curated database of IOCs and annotate the events with the associated security information.

Function Traits: Negatable, Transformation

ParameterTypeRequiredDefaultDescription
confidenceThresholdstringoptionalhigh The lowest level of confidence of IOCs to consider.
  Valid Valueshigh
   low
   medium
   unverified
field[a]Array of stringsrequired  The field(s) containing either IP addresses, URLs or domains to check for IOCs.
includeArray of stringsoptionalAll columns Specifies the columns from the IOC database to include.
  Valid Valuesindicator
   labels
   last_updated
   malicious_confidence
   published_date
   type
prefixstringoptionalioc Prefix for the names of all the output fields.
strictbooleanoptionalfalse If true, only output events where at least one of the selected fields matches an IOC; if false (the default), let all events through.
  Valid ValuesfalsePass all events
   trueOnly output events where at least one of the selected fields matches an IOC
typestringrequired  Specifies the type of IOCs to look for.
  Valid Valuesdomain
   ip_address
   url

[a] The argument name field can be omitted.

The parameter name for field can be omitted; the following forms are equivalent:

logscale
ioc:lookup("value")

and:

logscale
ioc:lookup(field="value")

If any of the selected fields match an IOC, the field <prefix>.detected will be added with the value true, where <prefix> is the value of the prefix argument. Also, for each field matching an IOC, there will be added fields <prefix>[<index>].<column> where <index> is the first unused index, starting with 0, and column is one of the column names selected by the include argument.

IP addresses can be either IPv4 or IPv6 addresses. Short-hand notation for IPv6 addresses is supported and can be matched against non-short-hand notation. URLs and domains use case-insensitive string matching.

The function can be negated, but only with strict=true.

For information about how to configure the IOC database, see IOC Configuration.

Columns

Column Type Description
indicator string The IOC that was found in the event field.
type string The type of IOC detected. One of ip_address, url, and domain.
published_date Timestamp in Unix time, UTC The date the IOC was first published.
last_updated Timestamp in Unix time, UTC The date the IOC was last updated.
malicious_confidence string

The confidence level by which an IOC is considered to be malicious. Will change over time.

  • high: The IOC has been associated with malicious activity within the last 60 days.

  • medium: The IOC has been associated with malicious activity within the last 60-120 days.

  • low: The IOC has been associated with malicious activity exceeding 120 days.

  • unverified: The IOC has not been verified by a CrowdStrike Intelligence analyst or an automated system.

labels string Detailed information about the IOC, see below.

Labels

The column labels contains a comma-separated list of labels that provide additional context around an indicator. The labels have the form category/value. The categories are described below.

Actors

Have the form Actor/....

The named actor that the indicator is associated with (e.g. "Panda", "Bear", "Spider", etc).

Malware Families

Have the form Malware/....

Indicates the malware family an indicator has been associated with (e.g. "Malware/PoisonIvy", "Malware/Zeus", "Malware/DarkComet", etc). An indicator may be associated with more than one malware family.

Kill Chains

Have the form KillChain/....

The point in the kill chain at which an indicator is associated.

  • Reconnaissance: This indicator is associated with the research, identification, and selection of targets by a malicious actor.

  • Weaponization: This indicator is associated with assisting a malicious actor create malicious content.

  • Delivery: This indicator is associated with the delivery of an exploit or malicious payload.

  • Exploitation: This indicator is associated with the exploitation of a target system or environment.

  • Installation: This indicator is associated with the installation or infection of a target system with a remote access tool or other tool allowing for persistence in the target environment.

  • C2 (Command and Control): This indicator is associated with malicious actor command and control.

  • ActionOnObjectives: This indicator is associated with a malicious actor's desired effects and goals.

Domain Types

Have the form DomainType/....

  • ActorControlled: It is believed the malicious actor is still in control of this domain.

  • DGA: This domain is the result of malware utilizing a domain generation algorithm.

  • DynamicDNS: This domain is owned or used by a dynamic DNS service.

  • DynamicDNS/Afraid: This domain is owned or used by the Afraid.org dynamic DNS service.

  • DynamicDNS/DYN: This domain is owned or used by the DYN dynamic DNS service.

  • DynamicDNS/Hostinger: This domain is owned or used by the Hostinger dynamic DNS service.

  • DynamicDNS/noIP: This domain is owned or used by the NoIP dynamic DNS service.

  • DynamicDNS/Oray: This domain is owned or used by the Oray dynamic DNS service.

  • KnownGood: The domain itself (or the domain portion of a URL) is known to be legitimate, despite having been associated with malware or malicious activity.

  • LegitimateCompromised: This domain does not typically pose a threat but has been compromised by a malicious actor and may be serving malicious content.

  • PhishingDomain: This domain has been observed to be part of a phishing campaign.

  • Sinkholed: The domain is being sinkholed, likely by a security research team. This indicates that, while traffic to the domain likely has a malicious source, the IP address to which it is resolving is controlled by a legitimate 3rd party. It is no longer believed to be under the control of the actor.

  • StrategicWebCompromise: While similar to the DomainType/LegitimateCompromised label, this label indicates that the activity is of a more targeted nature. Oftentimes, targeted attackers will compromise a legitimate domain that they know to be a watering hole frequently visited by the users at the organizations they are looking to attack.

  • Unregistered: The domain is not currently registered with any registrars.

IP Address Types

Have the form IPAddressType/....

  • HtranDestinationNode: An IP address with this label is being used as a destination address with the HTran Proxy Tool.

  • HtranProxy: An IP address with this label is being used as a relay or proxy node with the HTran Proxy Tool.

  • LegitimateCompromised: It is suspected an IP address with this label is compromised by malicious actors.

  • Parking: This IP address is likely being used as parking IP address.

  • PopularSite: This IP address could be utilized for a variety of purposes and may appear more frequently than other IPs.

  • SharedWebHost: This IP address may be hosting more than one website.

  • Sinkhole: This IP address is likely a sinkhole being operated by a security researcher or vendor.

  • TorProxy: This IP address is acting as a TOR (The Onion Router) Proxy.

Status

Have the form Status/....

  • ConfirmedActive: This indicator is likely to be currently supporting malicious activity.

  • ConfirmedInactive: This indicator is no longer used for malicious purposes.

  • Historic: The indicator is no longer used for malicious purposes but could be used again in the future.

Target

Have the form Target/....

The activity associated with this indicator is known to target the indicated vertical sector, which could be any of the following:

  • Aerospace

  • Agricultural

  • Chemical

  • Defense

  • Dissident

  • Energy

  • Extractive

  • Financial

  • Government

  • Healthcare

  • Insurance

  • InternationalOrganizations

  • Legal

  • Manufacturing

  • Media

  • NGO

  • Pharmaceutical

  • Research

  • Retail

  • Shipping

  • Technology

  • Telecom

  • Transportation

  • Universities

Threat Type

Have the form ThreatType/....

  • ClickFraud: This indicator is used by actors engaging in click or ad fraud

  • Commodity: This indicator is used with commodity type malware such as Zeus or Pony Downloader.

  • PointOfSale: This indicator is associated with activity known to target point-of-sale machines such as AlinaPoS or BlackPoS.

  • Ransomware: This indicator is associated with ransomware malware such as Crytolocker or Cryptowall.

  • Suspicious: This indicator is not currently associated with a known threat type but should be considered suspicious.

  • Targeted: This indicator is associated with a known actor suspected to associated with a nation-state such as DEEP PANDA or ENERGETIC BEAR.

  • TargetedCrimeware: This indicator is associated with a known actor suspected to be engaging in criminal activity such as WICKED SPIDER.

Vulnerability

Have the form Vulnerability/....

The CVE-XXXX-XXX vulnerability the indicator is associated with (e.g. Vulnerability/CVE-2012-0158).

Testing

If you use this function in a query and it does not produce any IOC results, it can be hard to tell whether there were no results or there is an error in the query. To help with that, we provide some sample IOCs that you can test your query with:

Type Sample
IP address 203.131.222.102
Domain interesting-news.zapto.org
URL http://jac.gehennas.com:80/images/

Note

Since the IOC database is updated constantly, we cannot guarantee that these remain in the database. If you believe that one of them is no longer in the database, please contact us. Also, the malicious_confidence of these IOCs will probably be lowered over time. If you have a query using the ioc:lookup() function on the field client_ip, you can alter that query and add client_ip:="95.77.201.199" to the query before the ioc:lookup() function to have it match a known IOC. You might need to add confidenceThreshold=unverified argument to the ioc:lookup() function in order to find this IOC.

ioc:lookup() Examples

Look up IP address IOCs for the field ip and annotate events with the associated security information.

logscale
ioc:lookup("ip", type=ip_address)

Only include the columns malicious_confidence and labels.

logscale
ioc:lookup("ip", type=ip_address, include=["malicious_confidence", "labels"])

Use the prefix detection as prefix for any added fields.

logscale
ioc:lookup("ip", type="ip_address", prefix="detection")

Look up URL IOCs for the field url and search IOCs of all confidence levels.

logscale
ioc:lookup("url", type="url", confidenceThreshold="low")

Look up URL IOCs for the field url and only keep the events containing an IOC. Useful for finding IOCs in queries used for alerts or scheduled searches.

logscale
ioc:lookup("url", type="url", strict=true)