Skip to main content

Search Across Devices

Find hosts that have observed a given custom Indicator of Compromise (IOC). IOC is a piece of digital forensics (identification, investigation, and remediation of cyberattacks) that suggests that an endpoint or network may have been breached. You can find the custom indicators in the IOC Management page.

Basic Parameters

ParameterDescription
Indicator DescriptionSearch by the indicator's description.
Search BySearch by the type of the indicator. An indicator is a value based on metrics obtained by comparing logically related attributes about the behavior of an activity.You can find the indicators in the IOC Management page.Valid types include:
  • sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64.
  • md5: A hex-encoded md5 hash string. Length - min 32, max: 32.
  • domain: A domain name. Length - min: 1, max: 200.
  • ipv4: An IPv4 address. Must be a valid IP address.
  • ipv6: An IPv6 address. Must be a valid IP address.

Advanced Parameters

ParameterDescription
LimitThe first process to return, where 0 is the latest offset.
OffsetThe first process to return, where 0 is the latest offset.

Example Output

{
"meta": {
"query_time": 7.444444,
"pagination": {
"offset": "",
"limit": 100
},
"trace_id": ""0000000-00000-0000-0000-000000000000"",
"entity": "/path/to/device{?ids*}"
},
"resources": [
"000000111111222233333"
],
"errors": []
}

Workflow Library Example

Search Crowdstrike Ioc Across Devices

Workflow LibraryPreview this Workflow on desktop