Humio includes an IOC (indicator of compromise) database from CrowdStrike that enables lookup of IP addresses, URLs and domains for malicious activity through the ioc:lookup() query function.
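As an added illustration (not from the original page), this is the kind of query that consults the IOC database; the parameter names field, type, confidenceThreshold and strict, the output field ioc.malicious_confidence, and the event field client_ip are assumed here and should be checked against the ioc:lookup() reference for your Humio version.

```humio
// Assumed field name: client_ip holds the address to check against the IOC database
client_ip = *
// Assumed parameters: look up client_ip as an IP address, keep only events that
// match an indicator of at least high confidence (strict=true drops non-matches)
| ioc:lookup(field=client_ip, type=ip_address, confidenceThreshold=high, strict=true)
// Assumed output field: summarise hits per address and per confidence level
| groupBy([client_ip, ioc.malicious_confidence])
```

Because the database is refreshed hourly, a lookup still returns results (with a warning) when the refresh has failed, so a detection built on this query may be matching against indicators that are up to several hours old.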
The database is updated hourly. If the database cannot be updated, any ioc:lookup() will cause a warning in the query, but still add (potentially outdated) information.
By default, the database is automatically updated via an update service hosted by Humio, if the cluster is running with a valid Humio license. If the Humio license becomes invalid, the IOC database will be deleted and any calls to ioc:lookup() will fail.

The location of the update server is configured by the IOC_UPDATE_SERVER_URL environment variable.
If you have your own API key for the CrowdStrike Intel API, you can update the IOC database directly from the CrowdStrike API instead of using the update service. To do so, the following must be set: