CrowdStrike Custom IOCs: Create Indicators of Compromise for Threat Detection

Create custom IOCs (Indicators of Compromise) in CrowdStrike Falcon to detect specific threats. Step-by-step guide to add IP addresses, domains, file hashes, and custom detection rules.

Difficulty: advanced
Estimated read time: 12 minutes
Last updated: January 2025

Frequently Asked Questions

  • How do I make sure my custom file hash IOCs don't block legitimate files?
    To avoid inadvertently blocking legitimate files when creating custom file hash IOCs, always use full hashes instead of partial ones. Test the hash in a controlled environment before deploying it broadly, and run a monitoring phase to observe the impact of the IOC on system behavior. This allows adjustments based on real-world detections and reduces the risk of false positives, ensuring operational continuity.
  • What do I need to think about when blocking domains or IPs with custom IOCs?
    When creating domain or IP IOCs, verify that blocking these addresses will not affect legitimate services in your environment. Research the domain or IP thoroughly to confirm its malicious nature, and cross-reference your findings against threat intelligence feeds. It is also advisable to implement the IOC in 'Detect Only' mode initially, monitoring for any unintended disruptions before switching to 'Detect & Prevent' mode.
  • How can I keep track of and update my custom IOCs over time?
    Regularly review and audit your custom IOCs on a scheduled basis, such as quarterly reviews. Remove outdated or ineffective IOCs to reduce noise in detection summaries. Use the 'Detection Summary' feature to analyze the effectiveness of each IOC, adjusting actions based on real-world data. Document changes and monitor the impact of removed IOCs to ensure that your security posture remains strong without unnecessary alerts.

Indicators of Compromise (IOCs) allow security teams to identify, track, and block known threats in CrowdStrike Falcon. By creating custom IOCs, administrators can proactively defend against specific malicious files, domains, or IP addresses.

This guide explains how to create and manage custom IOCs in the CrowdStrike Falcon Console.


Step 1: Log Into the Falcon Console

  1. Open a browser and go to the CrowdStrike Falcon console. There are two possible console URLs (which one applies depends on your tenant):
  2. Sign in using your admin credentials.

Step 2: Navigate to the IOC Management Page

  1. In the left-hand menu, click Threat Intelligence > IOC Management.
  2. You will see a list of existing IOCs.

Step 3: Add a Custom IOC

Option 1: Create a File Hash IOC

To block or track a specific file:

  1. Click Add IOC > File Hash.
  2. Enter the SHA256, SHA1, or MD5 hash of the file.
  3. Choose an Action:
    • Detect Only – Flag detections but allow the file to execute.
    • Detect & Prevent – Block execution immediately.
  4. Assign Severity Level (Low, Medium, High, or Critical).
  5. Add a Description (e.g., “Known Ransomware Sample”).
  6. Click Save.

Option 2: Create a Domain or IP IOC

To block access to a malicious domain or IP address:

  1. Click Add IOC > Domain or IP.
  2. Enter the malicious domain (e.g., badsite.com) or IP address.
  3. Set the Action:
    • Detect Only – Flag detections without blocking.
    • Detect & Prevent – Block all connections to this domain/IP.
  4. Click Save.

Step 4: Assign IOCs to a Prevention Policy

  1. Navigate to Configuration > Prevention Policies.
  2. Select a policy (e.g., Standard, High Security, Custom).
  3. Click Edit Policy and go to Custom IOCs.
  4. Click Add IOC and select the newly created IOCs.
  5. Click Save and Apply Policy.

Step 5: Monitor IOC Activity

  1. Go to Activity > Detection Summary.
  2. Filter results by IOC Name to see if the indicator has been triggered.
  3. Adjust IOC actions if needed based on real-world detections.
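The review loop in Step 5 (filter the Detection Summary by IOC Name, then adjust actions or retire indicators based on what actually fired), as an added example that is not part of this guide or of CrowdStrike's tooling. It runs over a constructed sample of detection rows; the row layout, the analyst "disposition" verdict, and the 90-day and three-hit thresholds are assumptions, not the Falcon export format. For each custom IOC it recommends keep, retire, escalate from Detect Only to Detect & Prevent, or re-verify an indicator that only produces false positives.

```python
"""Review of custom IOC activity. Added example, not part of the guide:
it runs over constructed detection rows (assumption: exported from
Activity > Detection Summary and tagged by an analyst as true or false
positive) and recommends whether each IOC should be kept, retired,
escalated from Detect Only to Detect & Prevent, or fixed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90          # no detections for this long -> candidate for removal (assumed threshold)
MIN_TRUE_POSITIVES = 3   # Detect Only IOCs with this many clean hits -> candidate for prevention (assumed)

# Constructed inventory of custom IOCs: configured action and creation date.
IOCS = {
    "Known Ransomware Sample": {"action": "Detect & Prevent", "created": "2024-03-01"},
    "badsite.com": {"action": "Detect Only", "created": "2024-11-10"},
    "Old Phishing Kit Hash": {"action": "Detect Only", "created": "2024-01-15"},
    "Vendor Updater Hash": {"action": "Detect Only", "created": "2024-12-01"},
}

# Constructed detection rows; 'disposition' is the analyst's verdict on each detection.
DETECTIONS = [
    {"ioc": "Known Ransomware Sample", "host": "WKS-0031", "time": "2024-12-20T14:02:00Z", "disposition": "true_positive"},
    {"ioc": "badsite.com", "host": "WKS-0142", "time": "2024-12-01T09:12:00Z", "disposition": "true_positive"},
    {"ioc": "badsite.com", "host": "WKS-0077", "time": "2024-12-15T16:40:00Z", "disposition": "true_positive"},
    {"ioc": "badsite.com", "host": "LAP-0210", "time": "2025-01-03T08:05:00Z", "disposition": "true_positive"},
    {"ioc": "Old Phishing Kit Hash", "host": "WKS-0009", "time": "2024-05-02T11:00:00Z", "disposition": "true_positive"},
    {"ioc": "Vendor Updater Hash", "host": "WKS-0142", "time": "2024-12-10T07:30:00Z", "disposition": "false_positive"},
    {"ioc": "Vendor Updater Hash", "host": "WKS-0055", "time": "2025-01-02T07:31:00Z", "disposition": "false_positive"},
    {"ioc": "Removed Last Quarter", "host": "WKS-0001", "time": "2025-01-04T10:00:00Z", "disposition": "true_positive"},
]

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed so the output is reproducible


def _parse(ts):
    """Parse an ISO 8601 UTC timestamp (Python < 3.11 does not accept a trailing 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def summarise(iocs, detections, now=NOW, window_days=STALE_DAYS):
    """Count in-window detections per IOC name, like filtering the Detection Summary by IOC Name."""
    start = now - timedelta(days=window_days)
    stats = {name: {"hits": 0, "hosts": set(), "verdicts": Counter()} for name in iocs}
    for row in detections:
        if row["ioc"] not in stats or _parse(row["time"]) < start:
            continue   # IOC no longer tracked, or detection outside the review window
        s = stats[row["ioc"]]
        s["hits"] += 1
        s["hosts"].add(row["host"])
        s["verdicts"][row["disposition"]] += 1
    return stats


def review(iocs, detections, now=NOW):
    """Turn the per-IOC counts into a recommendation for the scheduled review."""
    start = now - timedelta(days=STALE_DAYS)
    stats = summarise(iocs, detections, now)
    recs = {}
    for name, meta in iocs.items():
        s = stats[name]
        tp = s["verdicts"]["true_positive"]
        fp = s["verdicts"]["false_positive"]
        created = _parse(meta["created"] + "T00:00:00Z")
        if s["hits"] == 0 and created < start:
            recs[name] = "retire: no detections in the last %d days" % STALE_DAYS
        elif fp and not tp:
            recs[name] = "fix: only false positives, re-verify the indicator before keeping it"
        elif meta["action"] == "Detect Only" and tp >= MIN_TRUE_POSITIVES and not fp:
            recs[name] = "escalate: candidate for Detect & Prevent"
        else:
            recs[name] = "keep"
    return recs


if __name__ == "__main__":
    for name, rec in review(IOCS, DETECTIONS).items():
        print(f"{name:28} {rec}")
```

Detections for an IOC that is no longer in the inventory are skipped rather than counted, which matches the FAQ's advice to monitor the impact of removed IOCs separately; an IOC that has never fired but was only created inside the review window is kept, since it has not had a fair monitoring period yet.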

Best Practices for Custom IOCs

  • Use File Hashes for Known Malware – Avoid using partial hashes that could match legitimate files.
  • Be Careful with Domain/IP Blocking – Ensure that blocking a domain/IP won’t impact legitimate services.
  • Review IOCs Regularly – Remove outdated IOCs to prevent unnecessary detections.
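The hash and domain/IP rules above, applied to a batch of candidate values before they are typed into the Add IOC forms from Step 3. This is an added example, not code from this guide or from CrowdStrike: it runs offline, calls no API, and the allowlist of business-critical domains and the sample values are constructed assumptions. It rejects partial hashes, addresses in private or reserved ranges, and domains that match the allowlist, and suggests Detect Only for whatever passes so the indicator can be monitored before it is switched to Detect & Prevent.

```python
"""Pre-flight checks for custom IOC values before they are entered in the
Falcon console. Added, offline example: it calls no CrowdStrike API and
only applies the page's rules (full hashes only, do not block addresses
or domains that legitimate services depend on, stage new IOCs as
Detect Only)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Hex digest lengths accepted by the File Hash form; anything else is partial.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.IGNORECASE)

# Constructed allowlist (assumption): domains your own business relies on.
BUSINESS_DOMAINS = {"corp.example.com", "mail.example.com"}


@dataclass
class IocCheck:
    value: str
    kind: str   # md5 / sha1 / sha256 / domain / ipv4 / ipv6 / partial_hash / unknown
    ok: bool
    problems: list = field(default_factory=list)
    suggested_action: str = "Detect Only"  # stage first; switch to Detect & Prevent after monitoring


def classify(value: str) -> str:
    """Work out which Add IOC form a value belongs in."""
    v = value.strip()
    if HEX_RE.match(v):
        return HASH_LENGTHS.get(len(v), "partial_hash")
    try:
        return f"ipv{ipaddress.ip_address(v).version}"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.match(v) else "unknown"


def check_ioc(value: str, allowlist=BUSINESS_DOMAINS) -> IocCheck:
    """Apply the page's best practices to one candidate value."""
    v = value.strip().lower()
    kind = classify(v)
    problems = []
    if kind == "partial_hash":
        problems.append(f"{len(v)}-character hex string is not a full MD5/SHA1/SHA256 digest")
    elif kind in ("ipv4", "ipv6"):
        ip = ipaddress.ip_address(v)
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
            problems.append(f"{v} is a private/reserved address; blocking it would hit internal services")
    elif kind == "domain":
        if v in allowlist or any(v.endswith("." + d) for d in allowlist):
            problems.append(f"{v} is on the business-critical allowlist")
    elif kind == "unknown":
        problems.append("value is not a recognised hash, domain, or IP address")
    return IocCheck(value=v, kind=kind, ok=not problems, problems=problems)


def triage(values):
    """Split a batch into entries safe to add (as Detect Only) and rejected ones."""
    results = [check_ioc(v) for v in values]
    return [r for r in results if r.ok], [r for r in results if not r.ok]


if __name__ == "__main__":
    # Constructed sample batch: a placeholder digest (SHA-256 of empty input,
    # not a real malware hash), a truncated hash, the page's example domain,
    # an internal subdomain, a private IP, and junk.
    sample = [
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "e3b0c44298fc1c14",
        "badsite.com",
        "portal.corp.example.com",
        "10.0.0.5",
        "not an ioc!",
    ]
    ready, rejected = triage(sample)
    for r in ready:
        print(f"ADD   {r.kind:12} {r.value}  action={r.suggested_action}")
    for r in rejected:
        print(f"SKIP  {r.kind:12} {r.value}: {'; '.join(r.problems)}")
```

The hex check runs before the IP and domain checks because a full digest never contains dots or colons, so nothing that is really an address or domain is misread as a hash; a bare hex string of the wrong length is reported as partial rather than silently accepted.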
