Search Across Devices
Find hosts that have observed a given custom Indicator of Compromise (IOC). IOC is a piece of digital forensics (identification, investigation, and remediation of cyberattacks) that suggests that an endpoint or network may have been breached. You can find the custom indicators in the IOC Management page.
Basic Parameters
| Parameter | Description |
|---|---|
| Indicator Description | Search by the indicator's description. |
| Search By | Search by the type of the indicator. An indicator is a value based on metrics obtained by comparing logically related attributes about the behavior of an activity. You can find the indicators in the IOC Management page. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Limit | The first process to return, where 0 is the latest offset. |
| Offset | The first process to return, where 0 is the latest offset. |
Example Output
{
"meta": {
"query_time": 7.444444,
"pagination": {
"offset": "",
"limit": 100
},
"trace_id": ""0000000-00000-0000-0000-000000000000"",
"entity": "/path/to/device{?ids*}"
},
"resources": [
"000000111111222233333"
],
"errors": []
}
Workflow Library Example
Search Crowdstrike Ioc Across Devices
Preview this Workflow on desktop