Find hosts that have observed a given custom Indicator of Compromise (IOC). An IOC is a forensic artifact (a file hash, domain, IP address, or similar) that suggests an endpoint or network may have been breached. Custom indicators are listed on the IOC Management page.

The following permissions are required to run this action:

  • IOC Management: Read and Write.
  • IOCs (Indicators of Compromise): Read.

External Documentation

To learn more, visit the CrowdStrike documentation.

Basic Parameters

Parameter           Description
Indicator Type      The type of indicator used to search for hosts.
Return All Pages    Automatically fetch all resources, page by page.
Value               The string representation of the indicator; it can be obtained with the Get Indicator Details action.

Advanced Parameters

Parameter           Description
Limit               Maximum number of hosts to return in the response.
Offset              The offset at which to start record retrieval. Use with the Limit parameter to manage pagination of results.

Example Output

{
  "meta": {
    "query_time": 7.444444,
    "pagination": {
      "offset": "",
      "limit": 100
    },
    "trace_id": "0000000-00000-0000-0000-000000000000",
    "entity": "/path/to/device{?ids*}"
  },
  "resources": [
    "000000111111222233333"
  ],
  "errors": []
}
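The following Python snippet is an added example, not code from this page or from CrowdStrike, showing how the Limit and Offset parameters combine to emulate "Return All Pages" against a response of the shape shown above. The endpoint call is simulated by `simulated_search_page` (an assumption standing in for the real HTTP request), the device IDs are constructed placeholders, and the stopping rule (a page shorter than `limit` ends the walk) is an assumption the caller should confirm against the live API.

```python
from typing import Callable, Dict, List

# Constructed sample data: placeholder device IDs, not real CrowdStrike Agent IDs.
SAMPLE_DEVICE_IDS = [f"device-{i:04d}" for i in range(7)]


def simulated_search_page(indicator_type: str, value: str, offset: int, limit: int) -> Dict:
    """Stand-in for the 'Search IOC Across Devices' call (assumption: a real
    implementation would issue the HTTP request here). It returns the
    meta / resources / errors structure shown under Example Output, serving
    one slice of the constructed device list per call."""
    page = SAMPLE_DEVICE_IDS[offset:offset + limit]
    return {
        "meta": {
            "query_time": 0.01,
            "pagination": {"offset": str(offset + len(page)), "limit": limit},
            "trace_id": "00000000-0000-0000-0000-000000000000",  # placeholder
            "entity": "/path/to/device{?ids*}",
        },
        "resources": page,
        "errors": [],
    }


def search_all_pages(fetch_page: Callable[[str, str, int, int], Dict],
                     indicator_type: str, value: str, limit: int = 100) -> List[str]:
    """Walk the Offset/Limit pagination until a page comes back short or empty,
    returning the unique device IDs that observed the indicator.

    Any entry in the response's 'errors' list aborts the walk: silently
    returning a partial host list would understate the blast radius."""
    hosts: List[str] = []
    offset = 0
    while True:
        resp = fetch_page(indicator_type, value, offset, limit)
        if resp.get("errors"):
            raise RuntimeError(f"search failed: {resp['errors']}")
        page = resp.get("resources", [])
        for host in page:
            if host not in hosts:
                hosts.append(host)
        if len(page) < limit:      # short or empty page: nothing more to fetch
            break
        offset += len(page)        # advance Offset by what this page returned
    return hosts


if __name__ == "__main__":
    # Example usage with a small Limit so that pagination actually happens.
    found = search_all_pages(simulated_search_page, "sha256", "<indicator value>", limit=3)
    print(f"{len(found)} host(s) observed the indicator: {found}")
```

With `limit=3` the walk issues three calls (three, three, then one result) and stops after the short page; with the default `limit=100` a single call suffices. In a real workflow, treat the returned list as the scope for follow-up containment or triage actions, and keep the `trace_id` from `meta` for correlating with CrowdStrike support if a page fails.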

Workflow Library Example

Search Crowdstrike Ioc Across Devices
