How to Create Custom Indicators of Compromise (IOCs) in CrowdStrike Falcon

Indicators of Compromise (IOCs) allow security teams to identify, track, and block known threats in CrowdStrike Falcon. By creating custom IOCs, administrators can proactively defend against specific malicious files, domains, or IP addresses.

This guide explains how to create and manage custom IOCs in the CrowdStrike Falcon Console.

Step 1: Log Into the Falcon Console

  1. Open a browser and go to https://falcon.crowdstrike.com.
  2. Sign in with your admin credentials.

Step 2: Navigate to the IOC Management Page

  1. In the left-hand menu, click Threat Intelligence > IOC Management.
  2. You will see a list of existing IOCs.

Step 3: Add a Custom IOC

Option 1: Create a File Hash IOC

To block or track a specific file:

  1. Click Add IOC > File Hash.
  2. Enter the SHA256, SHA1, or MD5 hash of the file.
  3. Choose an Action:
    • Detect Only – Flag detections but allow the file to execute.
    • Detect & Prevent – Block execution immediately.
  4. Assign Severity Level (Low, Medium, High, or Critical).
  5. Add a Description (e.g., “Known Ransomware Sample”).
  6. Click Save.

Option 2: Create a Domain or IP IOC

To block access to a malicious domain or IP address:

  1. Click Add IOC > Domain or IP.
  2. Enter the malicious domain (e.g., badsite.com) or IP address.
  3. Set the Action:
    • Detect Only – Flag detections without blocking.
    • Detect & Prevent – Block all connections to this domain/IP.
  4. Click Save.

Step 4: Assign IOCs to a Prevention Policy

  1. Navigate to Configuration > Prevention Policies.
  2. Select a policy (e.g., Standard, High Security, Custom).
  3. Click Edit Policy and go to Custom IOCs.
  4. Click Add IOC and select the newly created IOCs.
  5. Click Save and Apply Policy.

Step 5: Monitor IOC Activity

  1. Go to Activity > Detection Summary.
  2. Filter results by IOC Name to see if the indicator has been triggered.
  3. Adjust IOC actions if needed based on real-world detections.

Best Practices for Custom IOCs

  • Use File Hashes for Known Malware – Avoid using partial hashes that could match legitimate files.
  • Be Careful with Domain/IP Blocking – Ensure that blocking a domain/IP won’t impact legitimate services.
  • Review IOCs Regularly – Remove outdated IOCs to prevent unnecessary detections.
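As an added example (not CrowdStrike's code and not tied to any Falcon API), the following Python checks an IOC value before it is entered in the Step 3 forms and enforces the first two best practices: it computes the SHA256/SHA1/MD5 digests the File Hash form accepts, rejects partial or non-hex hashes, and rejects private, loopback or documentation-range IPs whose blocking would hit internal services. The record keys (type, value, action, severity) and the action spellings are assumptions chosen to mirror the console choices above.

```python
import hashlib
import ipaddress
import re

HASH_LENGTHS = {"sha256": 64, "sha1": 40, "md5": 32}  # hex digits of a full digest
# Console Action and Severity choices from Step 3 (key spellings are assumed).
ACTIONS = {"detect_only", "detect_and_prevent"}
SEVERITIES = {"low", "medium", "high", "critical"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def file_hashes(data: bytes) -> dict:
    """Compute the three digests the File Hash IOC form accepts."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_LENGTHS}

def classify_hash(value: str):
    """Return 'sha256', 'sha1' or 'md5' for a full hex digest, else None (partial/non-hex)."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return next((a for a, n in HASH_LENGTHS.items() if len(v) == n), None)

def validate_ioc(ioc: dict):
    """Check a constructed IOC record before it is typed into the console.
    Returns (ok, detail). Keys assumed: type, value, action, optional severity."""
    if ioc.get("action") not in ACTIONS:
        return False, "action must be detect_only or detect_and_prevent"
    if "severity" in ioc and ioc["severity"] not in SEVERITIES:
        return False, "severity must be low, medium, high or critical"
    kind, value = ioc.get("type"), str(ioc.get("value", "")).strip().lower()
    if kind == "hash":
        algo = classify_hash(value)
        return (True, algo) if algo else (False, "not a full SHA256/SHA1/MD5 hash")
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False, "not a valid IPv4/IPv6 address"
        # Private, loopback, link-local and documentation ranges: a Detect &
        # Prevent IOC on these would block legitimate internal services.
        return (True, "ip") if addr.is_global else (False, f"{addr} is not a global address")
    if kind == "domain":
        try:
            ipaddress.ip_address(value)
            return False, "IP address entered as a domain; use type 'ip'"
        except ValueError:
            pass
        return (True, "domain") if DOMAIN_RE.match(value) else (False, "not a valid domain name")
    return False, "type must be hash, ip or domain"
```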