
CrowdStrike Custom IOCs: Create Indicators of Compromise for Threat Detection

Create custom IOCs (Indicators of Compromise) in CrowdStrike Falcon to detect specific threats. Step-by-step guide to add IP addresses, domains, file hashes, and custom detection rules.

12 min read. Updated January 2026.


Indicators of Compromise (IOCs) allow security teams to identify, track, and block known threats in CrowdStrike Falcon. By creating custom IOCs, administrators can proactively defend against specific malicious files, domains, or IP addresses. This guide explains how to create and manage custom IOCs in the CrowdStrike Falcon Console.

Step 1: Log Into the Falcon Console

  1. Open a browser and go to the CrowdStrike console. Which URL you use depends on your tenant:
     • https://falcon.crowdstrike.com
     • https://falcon.us-2.crowdstrike.com/
  2. Sign in using your admin credentials.

Step 2: Navigate to the IOC Management Page

  1. In the left-hand menu, click Threat Intelligence > IOC Management.
  2. You will see a list of existing IOCs.

Step 3: Add a Custom IOC

Option 1: Create a File Hash IOC

To block or track a specific file:

  1. Click Add IOC > File Hash.
  2. Enter the SHA256, SHA1, or MD5 hash of the file.
  3. Choose an Action:
     • Detect Only – Flag detections but allow the file to execute.
     • Detect & Prevent – Block execution immediately.
  4. Assign a Severity Level (Low, Medium, High, or Critical).
  5. Add a Description (e.g., “Known Ransomware Sample”).
  6. Click Save.

Option 2: Create a Domain or IP IOC

To block access to a malicious domain or IP address:

  1. Click Add IOC > Domain or IP.
  2. Enter the malicious domain (e.g., badsite.com) or IP address.
  3. Set the Action:
     • Detect Only – Flag detections without blocking.
     • Detect & Prevent – Block all connections to this domain/IP.
  4. Click Save.

Step 4: Assign IOCs to a Prevention Policy

  1. Navigate to Configuration > Prevention Policies.
  2. Select a policy (e.g., Standard, High Security, Custom).
  3. Click Edit Policy and go to Custom IOCs.
  4. Click Add IOC and select the newly created IOCs.
  5. Click Save and Apply Policy.

Step 5: Monitor IOC Activity

  1. Go to Activity > Detection Summary.
  2. Filter results by IOC Name to see if the indicator has been triggered.
  3. Adjust IOC actions if needed based on real-world detections.

Best Practices for Custom IOCs

  • Use File Hashes for Known Malware – Avoid using partial hashes that could match legitimate files.
  • Be Careful with Domain/IP Blocking – Ensure that blocking a domain/IP won’t impact legitimate services.
  • Review IOCs Regularly – Remove outdated IOCs to prevent unnecessary detections.

Frequently Asked Questions


To avoid inadvertently blocking legitimate files when creating custom file hash IOCs, always use full hashes instead of partial ones. Additionally, test the hash in a controlled environment before deploying it broadly. Implement a monitoring phase to observe the impact of the IOC on system behavior. This allows for adjustments based on real-world detections and reduces the risk of false positives, ensuring operational continuity.

When creating domain or IP IOCs, verify that blocking these addresses will not affect legitimate services in your environment. Conduct thorough research on the domain or IP to confirm its malicious nature. Consider using threat intelligence feeds to cross-reference your findings. It's also advisable to implement the IOC in a 'Detect Only' mode initially, monitoring for any unintended disruptions before switching to 'Detect & Prevent' mode.

Regularly review and audit your custom IOCs by setting a scheduled process, such as quarterly reviews. Remove outdated or ineffective IOCs to reduce noise in detection summaries. Utilize the 'Detection Summary' feature to analyze the effectiveness of each IOC, adjusting actions based on real-world data. Document changes and monitor the impact of removed IOCs to ensure that your security posture remains strong without unnecessary alerts.
