How-To: Search for IP Indicators of Compromise (IoC) Across a Data Set
IP addresses are a typical IoC. With LogScale, it is easy to use the LogScale Query Language (LQL) to flag a possible threat with the ioc:lookup() function.
For example:
```logscale
// Ignore private (RFC 1918), loopback, link-local, multicast and unspecified addresses in the "src_ip" field.
!cidr(src_ip, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32"])
// Perform the lookup. The strict option only returns matches.
| ioc:lookup(src_ip, type=ip_address, confidenceThreshold=unverified, strict=true)
```
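The same two-stage filter written out in Python, as an added example that is not LogScale's own code: it drops the excluded ranges, then looks each remaining src_ip up in a constructed IoC table, honouring the confidence threshold and the strict option. The event list, the IoC table, the confidence ordering and the output field names ioc_confidence / ioc_labels are assumptions of this illustration.

```python
import ipaddress
# Subnets excluded before the lookup, mirroring the query's cidr() list
# (multicast, RFC 1918 private, loopback, link-local, unspecified).
EXCLUDED_SUBNETS = [ipaddress.ip_network(n) for n in (
    "224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32")]

# Confidence levels, lowest first; a threshold admits its level and above
# (this ordering is an assumption of the illustration).
CONFIDENCE_ORDER = ["unverified", "low", "medium", "high"]

# Constructed IoC table keyed by IP (hypothetical values, not a real feed).
IOC_TABLE = {
    "203.0.113.45": {"confidence": "high", "labels": "malicious-ip"},
    "198.51.100.7": {"confidence": "unverified", "labels": "scanner"},
}

# Constructed sample events, each carrying a src_ip field.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.2.3", "action": "allow"},      # private, filtered out
    {"src_ip": "203.0.113.45", "action": "allow"},  # high-confidence IoC
    {"src_ip": "198.51.100.7", "action": "deny"},   # unverified IoC
    {"src_ip": "192.0.2.10", "action": "allow"},    # public, no IoC hit
    {"src_ip": "not-an-ip", "action": "allow"},     # unparseable value
]

def is_excluded(src_ip):
    """True when src_ip lies in an excluded subnet. An unparseable value
    is in no subnet, so the negated cidr() filter keeps it (as modelled)."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in EXCLUDED_SUBNETS)

def ioc_lookup(events, threshold="unverified", strict=True):
    """Drop excluded sources, then annotate events whose src_ip is an IoC at
    or above threshold; strict=True returns matches only, strict=False all."""
    min_rank = CONFIDENCE_ORDER.index(threshold)
    out = []
    for ev in events:
        if is_excluded(ev["src_ip"]):
            continue
        ioc = IOC_TABLE.get(ev["src_ip"])
        if ioc and CONFIDENCE_ORDER.index(ioc["confidence"]) >= min_rank:
            out.append({**ev, "ioc_confidence": ioc["confidence"],
                        "ioc_labels": ioc["labels"]})
        elif not strict:
            out.append(ev)
    return out
```

Because strict=true drops every event without a match, use strict=false when you want the full event stream with the matching events annotated.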