The IOC lookup feature lets you submit a single indicator — an IP address, domain, file hash, CVE, or other artifact — and receive a complete enrichment package in seconds. SOC Defenders scores the indicator using AI, maps it to relevant MITRE ATT&CK techniques, and generates ready-to-deploy hunting queries for Splunk and Microsoft Sentinel so you can move from investigation to detection without leaving the platform.
What is an indicator of compromise?
An indicator of compromise (IOC) is an observable artifact — such as a malicious IP address, domain name, or file hash — that signals a potential intrusion or active threat. IOCs are the raw material of threat hunting: by matching them against your environment, you identify systems that may have been targeted or compromised.

Supported IOC types

SOC Defenders enriches the following indicator types:

| Type | Examples |
|---|---|
| IPv4 | 203.0.113.42 |
| IPv6 | 2001:db8::1 |
| Domain | malicious-domain.example |
| URL | https://malicious-domain.example/payload |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| CVE | CVE-2024-12345 |
| MITRE ATT&CK | T1059, TA0001 |
| Email | threat-actor@malicious-domain.example |
What the enrichment returns
For each indicator you look up, SOC Defenders returns:

- AI risk score — a 0–100 score reflecting the indicator’s assessed maliciousness
- Confidence — low, medium, or high confidence in the risk assessment
- MITRE ATT&CK technique mapping — one or more techniques associated with the indicator’s observed behavior
- Splunk hunting query — a search query you can paste directly into Splunk to hunt for the indicator in your environment
- KQL hunting query — an equivalent query for Microsoft Sentinel / Log Analytics
Performing a lookup
Via the platform UI
Navigate to any article that references an IOC. Extracted indicators appear on the article detail page; click any IOC to open the enrichment panel.

Via the API

Send a GET request to /api/v1/lookup with the indicator value as a query parameter. Include your API key in the Authorization header.
IOC feed filtering
When working with the full IOC feed (GET /api/v1/iocs), you can narrow results using these parameters:
| Parameter | Description |
|---|---|
| type | Filter by IOC type: ipv4, ipv6, domain, url, md5, sha1, sha256, cve, email |
| confidence | Filter by confidence level: low, medium, high |
| category | Filter by source feed category (e.g., government, commercial) |
| industry | Filter to IOCs relevant to a specific CISA Critical Infrastructure sector |
| since | Lookback period — restrict results to IOCs observed within a given timeframe |
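To tie the supported-types table, the lookup endpoint and the feed filters together, here is an added Python helper (not SOC Defenders' own client code) that classifies an indicator into the documented type names, rejects malformed input before it reaches the API, and builds the two GET requests without sending them. The API host, the `indicator` query-parameter name and passing the key as a bare Authorization value are assumptions, since the page does not specify them.

```python
import ipaddress
import re
from urllib.parse import urlencode
from urllib.request import Request

BASE_URL = "https://socdefenders.example.invalid"  # placeholder; the API host is not given on this page
FEED_TYPES = {"ipv4", "ipv6", "domain", "url", "md5", "sha1", "sha256", "cve", "email"}  # feed `type` values

# Syntactic checks for the non-IP types in the supported-types table. Order matters: fixed-width
# hashes and CVE/ATT&CK IDs are tested before the looser email, URL and domain patterns.
_PATTERNS = [
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("cve", re.compile(r"^CVE-\d{4}-\d{4,}$", re.I)),
    ("mitre", re.compile(r"^(?:T\d{4}(?:\.\d{3})?|TA\d{4})$")),  # lookup-only type; name assumed
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("url", re.compile(r"^https?://\S+$", re.I)),
    ("domain", re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}$", re.I)),
]

def classify_ioc(value: str) -> str:
    """Return the IOC type of `value`, or raise ValueError if it matches no supported type."""
    v = value.strip()
    try:
        return "ipv4" if ipaddress.ip_address(v).version == 4 else "ipv6"
    except ValueError:
        pass  # not an IP literal; fall through to the pattern table
    for name, pattern in _PATTERNS:
        if pattern.match(v):
            return name
    raise ValueError(f"unsupported indicator: {value!r}")

def build_lookup_request(indicator: str, api_key: str) -> Request:
    """Build (not send) GET /api/v1/lookup for one indicator."""
    classify_ioc(indicator)  # reject malformed input locally before spending an API call on it
    url = f"{BASE_URL}/api/v1/lookup?{urlencode({'indicator': indicator.strip()})}"  # param name assumed
    return Request(url, headers={"Authorization": api_key}, method="GET")  # bare-key header value assumed

def build_feed_request(api_key: str, **filters: str) -> Request:
    """Build GET /api/v1/iocs using only the documented filters, with enumerated values checked."""
    unknown = set(filters) - {"type", "confidence", "category", "industry", "since"}
    if unknown:
        raise ValueError(f"unknown filter(s): {sorted(unknown)}")
    if filters.get("type", "ipv4") not in FEED_TYPES:
        raise ValueError(f"type must be one of {sorted(FEED_TYPES)}")
    if filters.get("confidence", "low") not in {"low", "medium", "high"}:
        raise ValueError("confidence must be low, medium or high")
    return Request(f"{BASE_URL}/api/v1/iocs?{urlencode(filters)}",
                   headers={"Authorization": api_key}, method="GET")
```

Hand the returned Request to urllib.request.urlopen (or translate it to your HTTP client of choice) once the real host and parameter name are confirmed against the API reference.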