
# Looking up and enriching indicators of compromise

> Search any IP, domain, URL, file hash, or CVE in SOC Defenders for AI risk scoring, MITRE ATT&CK techniques, and auto-generated Splunk and KQL hunting queries.

The IOC lookup feature lets you submit a single indicator — an IP address, domain, file hash, CVE, or other artifact — and receive a complete enrichment package in seconds. SOC Defenders scores the indicator using AI, maps it to relevant MITRE ATT&CK techniques, and generates ready-to-deploy hunting queries for Splunk and Microsoft Sentinel so you can move from investigation to detection without leaving the platform.

## What is an indicator of compromise?

An indicator of compromise (IOC) is an observable artifact — such as a malicious IP address, domain name, or file hash — that signals a potential intrusion or active threat. IOCs are the raw material of threat hunting: by matching them against your environment, you identify systems that may have been targeted or compromised.

## Supported IOC types

SOC Defenders enriches the following indicator types:

| Type          | Examples                                                           |
| ------------- | ------------------------------------------------------------------ |
| IPv4          | `203.0.113.42`                                                     |
| IPv6          | `2001:db8::1`                                                      |
| Domain        | `malicious-domain.example`                                         |
| URL           | `https://malicious-domain.example/payload`                         |
| MD5           | `d41d8cd98f00b204e9800998ecf8427e`                                 |
| SHA1          | `da39a3ee5e6b4b0d3255bfef95601890afd80709`                         |
| SHA256        | `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` |
| CVE           | `CVE-2024-12345`                                                   |
| MITRE ATT&CK  | `T1059`, `TA0001`                                                  |
| Email         | `threat-actor@malicious-domain.example`                            |

## What the enrichment returns

For each indicator you look up, SOC Defenders returns:

* **AI risk score** — a 0–100 score reflecting the indicator's assessed maliciousness
* **Confidence** — low, medium, or high confidence in the risk assessment
* **MITRE ATT&CK technique mapping** — one or more techniques associated with the indicator's observed behavior
* **Splunk hunting query** — a search query you can paste directly into Splunk to hunt for the indicator in your environment
* **KQL hunting query** — an equivalent query for Microsoft Sentinel / Log Analytics

## Performing a lookup

### Via the platform UI

Navigate to any article that references an IOC. Extracted indicators appear on the article detail page; click any IOC to open the enrichment panel.

### Via the API

Send a `GET` request to `/api/v1/lookup` with the indicator value as a query parameter. Include your API key in the `Authorization` header.

```bash
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "https://socdefenders.ai/api/v1/lookup?value=203.0.113.42"
```

The response is JSON and includes the risk score, confidence, MITRE mappings, and hunting queries.

## IOC feed filtering

When working with the full IOC feed (`GET /api/v1/iocs`), you can narrow results using these parameters:

| Parameter    | Description                                                                                  |
| ------------ | -------------------------------------------------------------------------------------------- |
| `type`       | Filter by IOC type: `ipv4`, `ipv6`, `domain`, `url`, `md5`, `sha1`, `sha256`, `cve`, `email` |
| `confidence` | Filter by confidence level: `low`, `medium`, `high`                                          |
| `category`   | Filter by source feed category (e.g., `government`, `commercial`)                            |
| `industry`   | Filter to IOCs relevant to a specific CISA Critical Infrastructure sector                    |
| `since`      | Lookback period — restrict results to IOCs observed within a given timeframe                 |

Free tier accounts have a 1-day lookback period. Pro accounts have access to a 365-day lookback.
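The lookup endpoint and the feed filters above, as an added Python example that is not part of SOC Defenders' own code or SDK: it classifies a raw indicator into the feed's `type` names using the supported-types table, validates feed filters against the parameters table, and builds the authenticated `urllib` requests for `/api/v1/lookup` and `/api/v1/iocs`. The base URL comes from the curl example; the classifier patterns, the `since` value format, and the accepted `category`/`industry` values are assumptions, since the page does not specify them.

```python
import ipaddress
import re
from urllib.parse import urlencode
from urllib.request import Request

API_BASE = "https://socdefenders.ai/api/v1"  # base URL taken from the curl example above
# Feed `type` values from the filter table. MITRE IDs are accepted by /lookup but
# have no feed type on this page, so classify_ioc returns None for them.
_HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_CVE = re.compile(r"CVE-\d{4}-\d{4,}", re.I)
_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # assumed shape, not the platform's parser
_DOMAIN = re.compile(r"(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}", re.I)
FEED_PARAMS = {  # allowed values per parameter; None means the page does not enumerate them
    "type": {"ipv4", "ipv6", "domain", "url", "md5", "sha1", "sha256", "cve", "email"},
    "confidence": {"low", "medium", "high"}, "category": None, "industry": None, "since": None}

def classify_ioc(value: str):
    """Map a raw indicator to its SOC Defenders type name, or None if unrecognised."""
    v = value.strip()
    try:
        return f"ipv{ipaddress.ip_address(v).version}"
    except ValueError:
        pass
    if len(v) in _HASH_BY_LEN and re.fullmatch(r"[0-9a-f]+", v, re.I):
        return _HASH_BY_LEN[len(v)]
    if _CVE.fullmatch(v):
        return "cve"
    if v.lower().startswith(("http://", "https://")):
        return "url"
    if _EMAIL.fullmatch(v):
        return "email"
    return "domain" if _DOMAIN.fullmatch(v) else None

def lookup_request(value: str, api_key: str) -> Request:
    """Build GET /lookup for one indicator, refusing values of no supported type."""
    if classify_ioc(value) is None:
        raise ValueError(f"not a supported IOC type: {value!r}")
    url = f"{API_BASE}/lookup?{urlencode({'value': value.strip()})}"
    return Request(url, headers={"Authorization": f"Bearer {api_key}"})

def feed_filter_errors(**filters) -> list:  # [] when every filter is documented and valid
    return [f"unknown parameter {n!r}" if n not in FEED_PARAMS else f"invalid {n}={v!r}"
            for n, v in filters.items()
            if n not in FEED_PARAMS or (FEED_PARAMS[n] is not None and v not in FEED_PARAMS[n])]

def feed_request(api_key: str, **filters) -> Request:
    """Build GET /iocs with validated filters (the `since` format is not given on this page)."""
    if errors := feed_filter_errors(**filters):
        raise ValueError("; ".join(errors))
    return Request(f"{API_BASE}/iocs?{urlencode(filters)}", headers={"Authorization": f"Bearer {api_key}"})
```

Send a built request with `urllib.request.urlopen(req)` and parse the JSON body; the response field names are not listed on this page, so they are not modelled here.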
