How to Search for IoCs
To ensure you get the most accurate and comprehensive results, there are three different methods you should try when searching for an IoC:
1. Free Text Search (from the Global Search Bar & Analytics Dashboard)
-
What it does: Searches the Description and Content fields of all Tickets and Signals.
-
Best for: Broad matches when you're unsure where the IP might be mentioned.
-
Example:
2. Structured Search in the Global Search Bar
-
What it does: Searches structured
iocsfields in:-
Raw Intelligence
-
Finished Intelligence
-
RFIs (Requests for Information)
-
Incident Reports
-
-
Best for: Targeted searches when you’re confident the IoC is part of an official report or structured intel.
-
Example:
3. Attribute Search in Analytics Dashboard
-
What it does: Searches extracted attributes from Signals (e.g., when an IoC is detected in a Signal).
-
Best for: Signals-based analysis and detections.
- Example:
Tips for Better Results
-
Always try all three methods if you're not getting hits with one.
-
Consider the context of your search: are you looking for a detection, a historical report, or enriched threat data?
-
Use structured search if you need precision, and free text search for broader exploration.
Why an IoC Might Not Return Results
Even if you use all three search methods, it's possible that the IoC does not appear in any current Signal, Ticket, or Intelligence item.
Note: If you're expecting results similar to what a public IoC reputation lookup platform might return, it's important to note that our solution is different: we focus on contextual intelligence linked to observable activity, not passive indicator scoring.