How-To: Search for IP Indicators of Compromise (IoC) Across a Data Set

IP addresses are a typical IoC. With LogScale, it's easy to use LogScale Query Language (LQL) to determine a possible threat using the lookup() function.

For example:

logscale
// Ignore RFC1918-ish IP address on the "src_ip" field. 
!cidr(src_ip, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32"])
// Perform the lookup. The strict option only returns matches. 
| ioc:lookup(src_ip, type=ip_address, confidenceThreshold=unverified, strict=true)