How-To: Search for IP Indicators of Compromise (IOC) Across a Data Set

IP addresses are one of the most common IOC types. In LogScale, the query language (LQL) can flag traffic involving a known-bad address with the ioc:lookup() function, which enriches events whose address field matches an indicator in the IOC data set. Combining it with a cidr() filter first keeps internal and non-routable sources from being sent to the lookup at all.

For example:

// Drop events whose "src_ip" is in a private/non-routable range (RFC 1918 and similar).
// The subnet list is a placeholder; fill it with the CIDR ranges to exclude.
!cidr(src_ip, subnet=["", "", "", "", "", "", ""])
// Look up the remaining source addresses against the IOC data set.
// strict=true keeps only events that match an indicator; strict=false keeps every
// event and enriches the matching ones. confidenceThreshold=unverified accepts
// indicators of any confidence level, so expect more hits (and more false positives)
// than with a higher threshold such as high.
| ioc:lookup(src_ip, type=ip_address, confidenceThreshold=unverified, strict=true)
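To make the two-stage logic concrete offline, the following Python emulates the query above over a handful of constructed events. It is an added example, not LogScale code and not part of the original page: the subnet list is an assumption about what the "RFC1918-ish" placeholder is meant to hold, the IOC table and its confidence levels are made up, and the enrichment field names (ioc_detected, ioc_confidence, ioc_labels) are this example's own, not LogScale's.

```python
import ipaddress

# Constructed sample events standing in for LogScale events; none of this is
# real traffic. Public addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.2.3", "dst_port": 443},      # private: excluded by the cidr filter
    {"src_ip": "203.0.113.7", "dst_port": 22},    # public, on the IOC list (high)
    {"src_ip": "198.51.100.9", "dst_port": 80},   # public, on the IOC list (low)
    {"src_ip": "192.0.2.1", "dst_port": 443},     # public, no IOC match
    {"src_ip": "not-an-ip", "dst_port": 53},      # malformed field
]

# Assumed content of the page's "RFC1918-ish" placeholder list: RFC 1918 plus
# other ranges that should never appear as a routable external source.
PRIVATE_SUBNETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",          # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10", "224.0.0.0/4",
)]

# Constructed IOC table (hypothetical; a real one comes from a threat intel feed).
IOC_TABLE = {
    "203.0.113.7": {"confidence": "high", "labels": "c2"},
    "198.51.100.9": {"confidence": "low", "labels": "scanner"},
}

# Ordering of confidence levels used for the threshold comparison.
CONFIDENCE_RANK = {"unverified": 0, "low": 1, "medium": 2, "high": 3}


def is_private_ip(value):
    """Emulates cidr(src_ip, subnet=[...]): True only when the field parses as an
    IP address and falls inside one of the subnets. A malformed field is not a
    match, so the negated filter !cidr(...) lets that event through."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_SUBNETS)


def run_pipeline(events, field="src_ip", confidence_threshold="unverified", strict=True):
    """Emulates the two-stage query: drop private sources, then enrich the rest
    from the IOC table. With strict=True only matching events survive; with
    strict=False every non-private event is kept and matches are enriched."""
    threshold = CONFIDENCE_RANK[confidence_threshold]
    results = []
    for event in events:
        value = event.get(field, "")
        if is_private_ip(value):
            continue
        hit = IOC_TABLE.get(value)
        matched = hit is not None and CONFIDENCE_RANK[hit["confidence"]] >= threshold
        if matched:
            event = dict(event, ioc_detected=True,
                         ioc_confidence=hit["confidence"], ioc_labels=hit["labels"])
        elif strict:
            # Non-matching events are dropped, as strict=true does in the query.
            continue
        results.append(event)
    return results


if __name__ == "__main__":
    for hit in run_pipeline(SAMPLE_EVENTS):
        print(hit)
```

Running it with the defaults returns only the two events whose source address is on the IOC list; raising confidence_threshold to "medium" drops the low-confidence scanner hit, and strict=False returns every non-private event with the enrichment fields present only on matches. The malformed "not-an-ip" value shows why the cidr() stage is a negated filter rather than a positive allow-list: a field that does not parse is not private, so it reaches the lookup and is discarded there under strict mode.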