IOC Configuration
LogScale includes an IOC (Indicator of Compromise) database from
CrowdStrike to enable lookup of IP addresses, URLs and domains for
malicious activity using the ioc:lookup()
query
function.
The database is updated hourly. If the database cannot be updated, any calls to
ioc:lookup()
will cause a warning in the query, but still add (potentially outdated) information.By default, the database is automatically updated via an update service hosted by LogScale, if the cluster is running with a valid LogScale license. If the LogScale license becomes invalid, the IOC database will be deleted and any calls to
ioc:lookup()
will fail.The location of the update server is configured by the
IOC_UPDATE_SERVER_URL
environment variable.The usage of HTTP proxy can be set using the
IOC_USE_HTTP_PROXY
environment variable.If you have an API key for the CrowdStrike Intel API yourself, you can update the IOC database directly from the CrowdStrike API, instead of using the update service. To do so, the token needs to have read access to Indicators (Falcon Intelligence) (ensure the relevant Read box in the API scopes is checked). Also, the variables below must be set as follows:
IOC_CROWDSTRIKE_API_URL
to the url of the CrowdStrike APIIOC_CROWDSTRIKE_API_CLIENT_ID
to the client ID of your CrowdStrike API keyIOC_CROWDSTRIKE_API_CLIENT_SECRET
to the client secret of your CrowdStrike API key