How-To: Search for Domain Indicators of Compromise (IOC) Across a Data Set Using lower()

Domains can be indicators of a compromised network, and are a typical IOC. To look up a domain to determine a possible threat using the ioc:lookup() function:

logscale
// Ensure the domain name has a '.' somewhere.
DomainName=/\./
// Ignore certain domain types.
| DomainName!=/(\.local?.$|\.arpa?.$|_|\.localmachine$)/i
// Put everything in lowecase.
| DomainName:=lower(DomainName)
// Look for IOCs in DNS. The strict option only returns matches. 
| ioc:lookup(field=DomainName, type=domain, confidenceThreshold=unverified, strict=true)