Filtering IOCs

To narrow down IOC search results for faster, more powerful investigations, you can filter IOCs in List View by any or all of the following means:

  • Enclave (data sources)
  • Tags
  • MITRE ATT&CK
  • Date
  • IOC type

For any of these options, use the arrows in the top-right corner of a section to expand or hide that section. To select all items in a section, click Select All. To select individual items, click on the item; a checkmark appears to its right, indicating that it is now selected.

Selected filters are automatically applied across all searches, IOCs and reports. If you select filters in any of the categories, the same filters are applied to all investigations from that point forward. For example, if you filter to show only EU-CERT intelligence in the Reports view, that filter will only show IOCs from EU-CERT and searches will only use the EU-CERT enclave.

Filtering by Enclave

You can filter IOCs by data sources:

  • My Enclaves
  • Premium Intel enclaves that you have subscribed to
  • Open Source enclaves that you have subscribed to
  • Intel researchers who you have subscribed to

Filtering by Tags

You can filter by tags to quickly remove IOCs that don't fit the profile of your investigation. For example, you may want to filter out most terms but keep just a few critical ones, as in this example.

Filtering by MITRE ATT&CK

You can use the MITRE ATT&CK terms to filter IOCs. MITRE ATT&CK is an open-source knowledge base of adversary tactics and techniques based on real-world observations.

Filtering by Date

You can filter by a range of dates, including 1 day, 7 days, 1 month, 6 months, or Max (all dates available).

Filtering by IOC Type

You can select which types of IOC to show in List View using the IOC Type sub-panel.

