How-To: Search for Domain Indicators of Compromise (IOC) Across a Data Set Using lower()
Domains can be indicators of a compromised network, and are a typical IOC. To look up a domain to determine a possible threat using the ioc:lookup() function:
```logscale
// Ensure the domain name has a '.' somewhere.
DomainName=/\./
// Ignore certain domain types.
| DomainName!=/(\.local?.$|\.arpa?.$|_|\.localmachine$)/i
// Put everything in lowercase.
| DomainName:=lower(DomainName)
// Look for IOCs in DNS. The strict option only returns matches.
| ioc:lookup(field=DomainName, type=domain, confidenceThreshold=unverified, strict=true)
```
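The query above filters and normalizes DomainName before the lookup, and the lower() step is what makes the match reliable: DNS names are case-insensitive on the wire, but an exact-match lookup against a lowercase indicator list is not. The following Python script is an added example, not LogScale code or part of the LogScale documentation: it re-implements the same three filtering steps on a handful of constructed DNS events and matches them against a constructed placeholder IOC set, so you can see which events are dropped by each filter and how many hits are lost if lowercasing is skipped. The event fields, the IOC domains and the `lookup_iocs()` helper are all assumptions made for this illustration.

```python
import re
from typing import Iterable, Optional

# Same exclusion pattern as the LogScale query (DomainName!=/.../i):
# .local / .arpa names, anything containing '_', and .localmachine.
IGNORED_DOMAIN_RE = re.compile(
    r"(\.local?.$|\.arpa?.$|_|\.localmachine$)", re.IGNORECASE
)


def normalize_domain(raw: str, lowercase: bool = True) -> Optional[str]:
    """Apply the query's filtering steps to a single DomainName value.

    Returns the (optionally lowercased) domain, or None when the value would
    be filtered out before ioc:lookup() is reached.
    """
    if "." not in raw:                      # DomainName=/\./
        return None
    if IGNORED_DOMAIN_RE.search(raw):       # DomainName!=/(...)/i
        return None
    return raw.lower() if lowercase else raw  # DomainName:=lower(DomainName)


def lookup_iocs(events: Iterable[dict], ioc_domains: set,
                lowercase: bool = True) -> list:
    """Stand-in for ioc:lookup(type=domain, strict=true).

    Exact-match each surviving domain against a lowercase IOC set and return
    only the events that hit (strict=true semantics).
    """
    feed = {d.lower() for d in ioc_domains}  # indicator feeds are normally lowercase
    hits = []
    for ev in events:
        domain = normalize_domain(ev["DomainName"], lowercase=lowercase)
        if domain is not None and domain in feed:
            hits.append({**ev, "DomainName": domain, "ioc_match": True})
    return hits


# Constructed IOC feed: placeholder names, not real indicators.
IOC_FEED = {"bad-domain-placeholder.test", "c2-placeholder.example"}

# Constructed DNS events. The mixed-case spellings are deliberate: a client
# may emit them in any case, and an exact-match lookup would miss them.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "DomainName": "Bad-Domain-Placeholder.TEST"},
    {"ts": "2024-01-01T10:00:01Z", "DomainName": "printer.local"},
    {"ts": "2024-01-01T10:00:02Z", "DomainName": "10.1.168.192.in-addr.arpa"},
    {"ts": "2024-01-01T10:00:03Z", "DomainName": "_ldap._tcp.corp.example"},
    {"ts": "2024-01-01T10:00:04Z", "DomainName": "localhost"},
    {"ts": "2024-01-01T10:00:05Z", "DomainName": "www.example.com"},
    {"ts": "2024-01-01T10:00:06Z", "DomainName": "C2-PLACEHOLDER.example"},
]


def demo() -> dict:
    """Run the lookup with and without the lower() step for comparison."""
    return {
        "with_lower": lookup_iocs(SAMPLE_EVENTS, IOC_FEED),
        "without_lower": lookup_iocs(SAMPLE_EVENTS, IOC_FEED, lowercase=False),
    }


if __name__ == "__main__":
    result = demo()
    print("hits with lower():   ", [h["DomainName"] for h in result["with_lower"]])
    print("hits without lower():", [h["DomainName"] for h in result["without_lower"]])
```

Running it shows two hits with lowercasing and none without, which is the whole reason the query normalizes DomainName before calling ioc:lookup(). The filtered-out events (`.local`, `in-addr.arpa`, the underscore service record, and the dotless `localhost`) never reach the lookup at all, mirroring the query's first two lines.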