How to Search for IOCs Across Devices in CrowdStrike

Learn how to search for Indicators of Compromise (IOCs) across devices in CrowdStrike to identify malware and prevent further infection.

Patrick Londa
Author
Mar 22, 2023
 • 
 min read
Share this post

When malware is detected on one of your organization’s devices, it will have characteristics called Indicators of Compromise (IOCs), such as certain hash values, urls, or IP addresses.

You can use these IOCs to look across your organization’s devices to identify lateral movement associated with an attack.

In this guide, we’ll show you how to use CrowdStrike to detect if IOCs associated with malware are present on any other devices at your organization.

Searching for an IOC Across CrowdStrike Hosts

Using the CrowdStrike Console:

1.  First log in to the CrowdStrike Falcon Console.

2.  Open the left-hand menu and select Investigate.

Investigate Menu in CrowdStrike

3.  Depending on your IOC type, choose the related link under the Search section. For example, if you are looking for an IOC that is a domain, you can choose Bulk domains.

Domain Search in CrowdStrike

4.  Input your IOC value and specify the time range you care about. Then click Submit.

In the results, you’ll see which hosts have observed the IOCs you’re investigating and you’ll see details on the process-level as well.

You may want to contain any additional hosts now associated with the IOC. We wrote a guide on containing hosts here. For your audit trail, you can export this data by hovering over either section and clicking the Export icon.

Using the CrowdStrike Falcon API:

The platform also offers an API which allows administrators to easily programmatically manage their sensors. You can use the endpoint that geographically aligns with your specific CrowdStrike account:

  • US-1 “api.crowdstrike.com”
  • US-2 “api.us-2.crowdstrike.com”
  • US-GOV-1 “api.laggar.gcw.crowdstrike.com”
  • EU-1 “api.eu-1.crowdstrike.com”

In the examples we show later, we’ll use “api.us-2.crowdstrike.com”.

CrowdStrike’s API documentation is available after you log in here, and you’ll see information about how to use OAuth2 for authenticating your requests.

Before you start, you need to make an access token request, including your client ID and client secret. You’ll get an access token in response that will be valid for 30 minutes after that. The API calls you make after that initial call will include that token.

Next, make a GET request to this endpoint with IOC type and value specified:

https://api.us-2.crowdstrike.com/indicators/queries/devices/v1?type=sha256&value=XYZ

You can use the following IOC types:

  • sha256
  • md5
  • domain
  • ipv4
  • ipv6

You can also use the parameters limit and offset to manage pagination of results. With the response, you’ll be able to see all the resources that have observed the specific IOC.

Automatically Search Across Devices for IOCs with Blink Copilot

Checking if malicious IOCs exist on other devices at your organization is one of many steps in responding to a malware alert. It takes time and context-switching.

With Blink Copilot, you can run tasks like this automatically. Just type a simple text prompt to instantly create a new automated workflow.

 

With this workflow, you simply input the IOCs you want to search for and get the results.

This workflow runs the following steps:

  1. On a new CrowdStrike malware alert, get a list of IOCs for the alert.
  2. Check if the IOCs are likely malicious using VirusTotal.
  3. If the IOCs are likely malicious, checks other devices for the IOCs.
  4. Add other suspect devices to a list and add it to a Jira ticket.
  5. Send the Jira ticket to the #Security channel in Slack.

Need a different workflow? Just type a custom prompt that fits your needs. You can try it here! Blink Copilot utilizes hundreds of native integrations to generate workflows with the right API calls and contextual messages.

You can also use any of the 5K pre-built automated workflows in the Blink Library.

Get started with Blink today to see how easy automation can be.

Expert Tip