CrowdStrike IOC
This library package is designed
to help you get started using the ioc:lookup()
function. The package consists of several dashboard templates that are
designed to show how to use different aspects of the IOC data.
To create dashboards from templates, see Managing Dashboards. All the dashboard templates in this package require that you insert field names in before they can work. For example, when you create a new IP overview dashboard, it will look like this:
 |
Figure 31. New IP Dashboard
To see some data, you need to fill in the field names where you have IP addresses. Before filling that in, queries will look something like this:
| ioc:lookup([/*insert name of fields containing IP addresses here*/], type="ip_address", strict=true, confidenceThreshold=?threshold)
| split("ioc")
| groupBy([/*insert name of fields containing IP addresses here*/, "#repo", "ioc.type", "ioc.indicator", "ioc.malicious_confidence", "ioc.published_date", "ioc.last_updated", "ioc.age", "ioc.labels"])Notice that you need to insert the fields multiple times in this particular query. And if you have multiple fields with IP addresses in (if you are searching across multiple different types of logs for example), you can add multiple fields:
| ioc:lookup(["c_ip", "request.ipv4"], type="ip_address", strict=true, confidenceThreshold=?threshold)
| split("ioc")
| groupBy(["c_ip", "request.ipv4", "#repo", "ioc.type", "ioc.indicator", "ioc.malicious_confidence", "ioc.published_date", "ioc.last_updated", "ioc.age", "ioc.labels"])Then the dashboard can start populating with any IOC hits you might have:
 |
Figure 32. Data
Package Contents Explained
This package consists of the following:
Overview — Provides an overview of IOC matches for both IP addresses, domains, and URLs
IP overview — Provides an overview of IOC matches for IP addresses
Domain overview — Provides an overview of IOC matches for domains
URL overview — Provides an overview of IOC matches for URLs