You can create a custom Indicator of Compromise (IOC) by adding a query to an existing or newly created threat report in an existing or newly created watchlist.

To effectively search for enriched event data on the Investigate page, the watchlist's IOC query must include the enriched:true search.

Procedure

  1. On the left navigation bar, click Investigate.
  2. Execute a query from the search text box and confirm the results.
  3. To include this query in a watchlist's IOC, click the Add search to Threat Report link under the search text box.
    The Add Query window displays.
  4. Do one of the following:
    • Select an existing watchlist and threat report.
      1. Select a watchlist from the drop-down menu in the Select a Watchlist section.
      2. Select a threat report from the drop-down menu in the Add a query to a report section.
    • Select an existing watchlist and create a new threat report.
      1. Select a watchlist from the drop-down menu in the Select a Watchlist section.
      2. Click Add new in the Add query to a report section.
      3. Enter a meaningful name for the new threat report.
      4. Optionally, include a description, level of severity to trigger the watchlist hit and related tags for the new threat report.
    • Create a new watchlist and threat report.
      1. Click Add new in the Select a Watchlist section.
      2. Enter a meaningful name for the new watchlist.
      3. Optionally, provide the purpose of the watchlist by populating the rest of the fields for the new watchlist.

        The Alert on hit setting determines how (or if) you are notified when an event matches the query.

      4. Click Add new in the Add query to a report section.
      5. Enter a meaningful name for the new threat report.
      6. Optionally, include a description and level of severity to trigger the watchlist hit and related tags for the new threat report.
  5. To apply the changes, click Save.

Results

A Successfully created IOC notification appears on the top of the screen.

What to do next

Locate the search query and perform actions on it.
  1. On the left navigation bar, click Enforce > Watchlists page and select the custom watchlist.
  2. Select the Reports tab and click the name of the custom threat report.

    You can view the newly added query that is listed under IOC and perform actions on it. You can edit, disable, delete, or investigate the query.