About IOC Search
IOC Search allows you to quickly search your organization’s raw data logs to determine whether a known IOC has appeared in your environment. The IOC Search tool is a search bar that replaces the need to run an SQL query on raw data. Quickly locating IOCs also lets you pinpoint the identities (devices, usernames, etc.) that have interacted with an IOC.
The IOC Search tool currently supports searches for domain names, IP addresses, and file hashes with no maximum time range. You can search for one or more IOCs by entering values into the search bar or uploading a CSV.
IOC search currently supports a limited list of log types, specified in the IOC Search page. Hunters continuously expands this list.
Note that URLs are currently not supported in the IOC search.
To use IOC Search:
- From the Hunters Side menu, navigate to Investigation > IOC Search.
- To perform a manual search, type one or more IOCs (domain name, IP address, or file hash) into the search bar and select a desired time range. Otherwise, click Upload CSV file to search for a list of IOCs.
The uploaded CSV file must adhere to the following guidelines:
- The CSV must include a header row; its content can be arbitrary.
- Apart from the header, each line should contain only IP addresses, domain names, and file hashes, in any order.
- There is no limit to the number of IOCs in the file.
You can search as far back as you want. There is no time frame limit.
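As an added example (not Hunters' code; the page does not describe the product's own validation), the following Python script applies the CSV upload guidelines above to a constructed file before it is uploaded: it skips the arbitrary header row, classifies every non-empty cell in any column order as an IP address, domain name or file hash, and reports values the tool does not support, such as URLs. The accepted digest lengths (MD5, SHA-1, SHA-256) and the hostname syntax check are assumptions, since the page says only "file hashes" and "domain names".

```python
import csv
import io
import ipaddress
import re

# Digest lengths accepted as file hashes (assumption: the page says only
# "file hashes"; MD5, SHA-1 and SHA-256 are the common cases).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# One hostname label: letters, digits and hyphens, no leading/trailing hyphen (RFC 1123).
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample upload: arbitrary header, IOCs in any column, plus two
# values IOC Search does not support (a URL and free text).
SAMPLE_CSV = """indicator_a,indicator_b
8.8.8.8,malware.example.net
d41d8cd98f00b204e9800998ecf8427e,2001:db8::1
http://malware.example.net/payload,
not an ioc,10.0.0.1
"""


def classify_ioc(value):
    """Return "ip", "domain" or "hash" for a supported IOC, else None."""
    v = value.strip()
    if not v:
        return None
    # URLs (anything carrying a scheme or a path) are not supported by IOC Search.
    if "://" in v or "/" in v:
        return None
    try:
        ipaddress.ip_address(v)  # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return "hash"
    labels = v.rstrip(".").split(".")
    if (len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)
            and not labels[-1].isdigit()):
        return "domain"
    return None


def parse_ioc_csv(text):
    """Apply the upload guidelines: skip the header row, accept IOCs from any
    column in any order, deduplicate case-insensitively, and report values that
    could not be classified so the analyst can fix the file before searching."""
    rows = list(csv.reader(io.StringIO(text)))
    accepted = {}
    rejected = []
    for row in rows[1:]:
        for cell in row:
            cell = cell.strip()
            if not cell:
                continue  # empty trailing column, nothing to classify
            kind = classify_ioc(cell)
            if kind is None:
                rejected.append(cell)
            else:
                accepted.setdefault(kind, set()).add(cell.lower())
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = parse_ioc_csv(SAMPLE_CSV)
    for kind, values in accepted.items():
        print(kind, sorted(values))
    print("rejected:", rejected)
```

Running this on the sample file yields three IPs, one domain and one hash, and lists the URL and the free-text cell as rejected; catching those locally matters because a URL in the upload is silently not a supported IOC type rather than an error.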
Understanding the IOC results
It may take up to 30 minutes for data registered in the data lake to appear in IOC search results.
Initial results
The IOC Search will return a separate response line for each IOC searched, even if nothing was found. IOCs without findings will be displayed as a simple list of values, while IOCs with findings will provide the following information:
- Data Sources - This section shows the count of log results within each matching data source (data sources with no hits are not shown).
- Activity over time - This section shows how the IOC events are spread out over time.
You can filter out data sources by checking or unchecking the box next to a given data source.
Deep-dive into results
By clicking on a detected IOC, you can open a detailed view that displays event times, IOC Key, IOC Value, Event Type, and Identifier Key and Identifier Value.
Because you are searching across different data types and event types, Identifier Key and Identifier Value will be specific to that event. For example, for EDR data sources, the Identifier Key will be AID, which is the database column name that lists EDR agent IDs, and the Identifier Value would be the agent ID for that row.
The following table is an explanation of the fields that are displayed in IOC Search.
Field | Description |
---|---|
# of Events per hour | Total count of events that are logged for that specific IOC in the designated hourly bucket |
Event Time | The event time, rounded to hourly buckets |
Data source | Original log source where the IOC appeared |
IOC key | The location in the original logs where the IOC value was discovered |
IOC value | The IOC that was found |
Event type | The event type in the original log line (e.g. connection accepted/denied, process execution, etc.) |
Identifier key | The type of entity that interacted with this IOC. These will differ based on log source, for example, “AID” for CrowdStrike, “MACHINE_NAME” for Windows Event Logs, etc. |
Identifier value | The value of the identifier specified in “Identifier key”, for example, the agent id of the machine that interacted with this IOC. |
Working with IOC results
Exporting results
For further investigation, you can export the results by clicking Export to CSV at the top right of the window.
Grouping and filtering results
To group results by any field, click the column heading and drag it into the top bar.
Filter any set of results by clicking the Filters tab on the right side of the results table.
If you wish to further investigate found IOCs or search fields that are not currently supported by IOC Search, you can do so via a Notebook or your own data lake if you are a Partner Connect customer.
FAQs
Why is data rolled up to the nearest hour and not searching the raw logs?
The Hunters engineering team spent months benchmarking and testing different IOC search architectures, trading off cost, latency, comprehensiveness, and query speed, and ultimately found that this format gives the fastest searches while still providing enough context for the analyst to conduct their investigation.
Why just IPs, domain names, and file hashes?
Our user research indicated that these were the most common IOC types users wanted to search on, but we are very open to feedback. Please contact Hunters if there are specific IOC types that are important to your organization that you think we should cover.
Does this replace Entity Search?
Not yet, but we are working to integrate these two features into a unified data exploration workflow.
Will utilizing IOC Search cost customers more money/credits?
In almost all cases, there will be a very small increase in your data warehouse credit usage that should not affect customers in an impactful way. The slight increase will be due to the initial build cost (around 15-20 credits) and minor additional monthly maintenance costs. If you’re currently a Partner Connect customer and notice any anomalies in your monthly bill, please reach out.
How can I search for IOCs if my desired log source is not yet supported?
Hunters recommends using a Notebook to run queries for any log source that is not yet supported by IOC Search. Hunters will consistently be adding log sources to the supported list until all integrations are supported, so please let us know if you have a log source that you would like us to prioritize.
How will I know which log sources are being searched?
The bottom of the IOC Search page will tell you which log sources are currently supported for your search.
Under the hood
Hunters IOC Search has been optimized to return results in a fraction of the time compared to a raw data search in a traditional SIEM. Hunters achieves those numbers by leveraging a combination of its proprietary rollup and indexing system with best-in-class search optimization features by modern data warehouses, returning answers to complex queries over long time ranges in seconds.
At a high level, our proprietary rollup is innovative tech that the Hunters team developed to optimize data analysis. Essentially, Hunters takes raw data from supported log sources and normalizes it into a more readable format. Where multiple logs contain the same data, they are rolled up into one entry.
For example, if there are 10 logs coming from Okta that contain the same IP address, those are combined to create 1 entry. Instead of Hunters having to search through the 10 Okta raw logs, it only needs to scan the singular rollup. When performed at scale, the time and compute savings for searching data are substantial.
These searches are so fast in part because this is not a raw-text search over all fields, but a more narrow query over just the log fields that may contain IOCs.
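To make the rollup described here and the result fields in the table above concrete, here is an added Python example (not Hunters' implementation, whose internals the page does not disclose). It builds a rollup from constructed raw logs: ten Okta events sharing one IP collapse into a single entry with an hourly event count, as in the example above, and a search then scans only the rollup's IOC-bearing fields rather than every field, returning the Event Time, Data source, IOC key/value, Event type and Identifier key/value columns plus the per-source and over-time overview. The source schema (which fields may carry IOCs, which field identifies the entity) and all log values are constructed; "AID" and "MACHINE_NAME" are the identifier keys the page names, the other field names are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed per-source schema: which log fields may hold an IOC and which
# field identifies the entity that interacted with it. Only "AID" and
# "MACHINE_NAME" come from the page; the other names are assumptions.
SOURCE_SCHEMA = {
    "okta": {"ioc_fields": ["client_ip"], "identifier_key": "actor_login"},
    "crowdstrike_edr": {"ioc_fields": ["remote_ip", "sha256"], "identifier_key": "AID"},
    "windows_event_log": {"ioc_fields": ["dest_ip"], "identifier_key": "MACHINE_NAME"},
}

BASE = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)

# Constructed raw logs: ten Okta logins from one IP inside a single hour, one
# EDR network connection to the same IP two hours later, one unrelated Windows event.
RAW_LOGS = [
    {"data_source": "okta", "event_time": BASE + timedelta(minutes=5 * i),
     "event_type": "user.session.start",
     "fields": {"client_ip": "198.51.100.7", "actor_login": "alice"}}
    for i in range(10)
] + [
    {"data_source": "crowdstrike_edr", "event_time": BASE + timedelta(hours=2, minutes=3),
     "event_type": "NetworkConnect",
     "fields": {"remote_ip": "198.51.100.7", "AID": "aid-0001"}},
    {"data_source": "windows_event_log", "event_time": BASE + timedelta(hours=2, minutes=40),
     "event_type": "connection_allowed",
     "fields": {"dest_ip": "203.0.113.9", "MACHINE_NAME": "WS-17"}},
]


def hour_bucket(ts):
    """Round an event timestamp down to its hourly bucket."""
    return ts.replace(minute=0, second=0, microsecond=0)


def build_rollup(raw_logs):
    """Collapse raw logs into one entry per (hour, data source, IOC key, IOC value,
    event type, identifier key, identifier value), counting events per hour.
    Only the schema's IOC-bearing fields are examined, not every field."""
    counts = Counter()
    for log in raw_logs:
        schema = SOURCE_SCHEMA[log["data_source"]]
        ident_key = schema["identifier_key"]
        for ioc_key in schema["ioc_fields"]:
            ioc_value = log["fields"].get(ioc_key)
            if not ioc_value:
                continue  # this log line has no value in that IOC-bearing field
            entry = (hour_bucket(log["event_time"]), log["data_source"], ioc_key,
                     ioc_value.lower(), log["event_type"], ident_key,
                     log["fields"][ident_key])
            counts[entry] += 1
    return counts


def search_rollup(rollup, iocs, start=None, end=None):
    """Return the rollup entries whose IOC value matches any searched IOC,
    optionally restricted to a [start, end] range of hourly buckets."""
    wanted = {ioc.strip().lower() for ioc in iocs}
    results = []
    for (hour, source, ioc_key, ioc_value, event_type, ident_key, ident_value), n in rollup.items():
        if ioc_value not in wanted:
            continue
        if (start and hour < start) or (end and hour > end):
            continue
        results.append({"event_time": hour, "data_source": source, "ioc_key": ioc_key,
                        "ioc_value": ioc_value, "event_type": event_type,
                        "identifier_key": ident_key, "identifier_value": ident_value,
                        "events_per_hour": n})
    return sorted(results, key=lambda r: (r["event_time"], r["data_source"]))


def summarize(results):
    """The two overview sections: event counts per data source and per hour."""
    by_source, over_time = Counter(), Counter()
    for r in results:
        by_source[r["data_source"]] += r["events_per_hour"]
        over_time[r["event_time"]] += r["events_per_hour"]
    return by_source, over_time


if __name__ == "__main__":
    rollup = build_rollup(RAW_LOGS)
    print(f"{len(RAW_LOGS)} raw logs -> {len(rollup)} rollup entries")
    for hit in search_rollup(rollup, ["198.51.100.7"]):
        print(hit)
```

The twelve raw logs become three rollup entries; searching for 198.51.100.7 returns the Okta entry (10 events in the 09:00 bucket, identifier actor_login = alice) and the EDR entry (1 event, identifier AID), which is also why per-minute timing inside an hour is not recoverable from the results and has to come from a Notebook query against the raw logs.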