How-To: Search for IP Indicators of Compromise (IOC) Across a Data Set

IP addresses are a typical IOC. With LogScale, it's easy to use LogScale Query Language (LQL) to flag a possible threat by matching a field against the IOC feed with the ioc:lookup() function.

For example:

// Drop events whose "src_ip" is private (RFC 1918), loopback, link-local, multicast or unspecified, so only public addresses are looked up.
!cidr(src_ip, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32"])
// Perform the IOC lookup. strict=true keeps only events whose src_ip matches an indicator at or above the confidence threshold.
| ioc:lookup(src_ip, type=ip_address, confidenceThreshold=unverified, strict=true)
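The same two-stage pipeline (exclude non-routable ranges, then match the remaining source IPs against an indicator feed with a confidence threshold and strict mode) re-implemented in Python as an added example for offline triage of exported events; this is not LogScale's code, and the IOC feed, confidence ranking and sample events are constructed for illustration.

```python
import ipaddress

# Ranges excluded before the lookup, mirroring the !cidr() filter in the LQL query.
EXCLUDED_SUBNETS = [ipaddress.ip_network(n) for n in (
    "224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32")]

# Constructed IOC feed using RFC 5737 documentation addresses; not real indicators.
CONFIDENCE_RANK = {"unverified": 0, "low": 1, "medium": 2, "high": 3}
IOC_FEED = {
    "203.0.113.10": "high",
    "198.51.100.7": "unverified",
}

def is_excluded(ip: str) -> bool:
    """True if src_ip falls in a range we never look up (private, loopback, etc.)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # malformed field: drop it rather than query the feed with garbage
    return any(addr in net for net in EXCLUDED_SUBNETS)

def ioc_lookup(events, confidence_threshold="unverified", strict=True):
    """Annotate events whose src_ip is in the feed at or above the threshold.
    With strict=True, non-matching events are dropped, as with ioc:lookup(strict=true)."""
    min_rank = CONFIDENCE_RANK[confidence_threshold]
    out = []
    for ev in events:
        ip = ev.get("src_ip", "")
        if is_excluded(ip):
            continue
        conf = IOC_FEED.get(ip)
        if conf is not None and CONFIDENCE_RANK[conf] >= min_rank:
            out.append({**ev, "ioc_match": True, "ioc_confidence": conf})
        elif not strict:
            out.append({**ev, "ioc_match": False})
    return out

# Constructed sample events (not taken from the page).
SAMPLE_EVENTS = [
    {"ts": 1, "src_ip": "10.1.2.3"},       # RFC 1918: never looked up
    {"ts": 2, "src_ip": "203.0.113.10"},   # in feed, high confidence
    {"ts": 3, "src_ip": "198.51.100.7"},   # in feed, unverified
    {"ts": 4, "src_ip": "192.0.2.44"},     # public but not in feed
    {"ts": 5, "src_ip": "not-an-ip"},      # malformed field
]
if __name__ == "__main__":
    for hit in ioc_lookup(SAMPLE_EVENTS):
        print(hit)
```

Raising confidence_threshold to "high" drops the unverified match, and strict=False keeps the non-matching public address with ioc_match set to False, which is useful when you want to see what was checked as well as what hit.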