
CrowdStrike Custom IOCs: Create Indicators of Compromise for Threat Detection

Create custom IOCs (Indicators of Compromise) in CrowdStrike Falcon to detect specific threats. Step-by-step guide to add IP addresses, domains, file hashes, and custom detection rules.

12 min read · Updated January 2026


Indicators of Compromise (IOCs) allow security teams to **identify, track, and block known threats** in CrowdStrike Falcon. By creating custom IOCs, administrators can proactively defend against **specific malicious files, domains, or IP addresses**.

This guide explains how to create and manage **custom IOCs** in the **CrowdStrike Falcon Console**.

---

Step 1: Log Into the Falcon Console

    - Open a browser and go to the CrowdStrike console. There are two possibilities (which one applies depends on your tenant):


Step 2: Navigate to the IOC Management Page

    - In the **left-hand menu**, click **Threat Intelligence** > **IOC Management**.
    - You will see a list of **existing IOCs**.

---

Step 3: Add a Custom IOC

Option 1: Create a File Hash IOC

To block or track a specific file:

    - Click **Add IOC** > **File Hash**.
    - Enter the **SHA256, SHA1, or MD5 hash** of the file.
    - Choose an **Action**:
      • Detect Only – Flag detections but allow the file to execute.
      • Detect & Prevent – Block execution immediately.
    - Assign a **Severity Level** (Low, Medium, High, or Critical).
    - Add a **Description** (e.g., “Known Ransomware Sample”).
    - Click **Save**.

Option 2: Create a Domain or IP IOC

To block access to a malicious domain or IP address:

    - Click **Add IOC** > **Domain or IP**.
    - Enter the **malicious domain (e.g., badsite.com) or IP address**.
    - Set the **Action**:
      • Detect Only – Flag detections without blocking.
      • Detect & Prevent – Block all connections to this domain/IP.
    - Click **Save**.


Step 4: Assign IOCs to a Prevention Policy

    - Navigate to **Configuration** > **Prevention Policies**.
    - Select a policy (e.g., **Standard, High Security, Custom**).
    - Click **Edit Policy** and go to **Custom IOCs**.
    - Click **Add IOC** and select the newly created IOCs.
    - Click **Save and Apply Policy**.
---

Step 5: Monitor IOC Activity

    - Go to **Activity** > **Detection Summary**.
    - Filter results by **IOC Name** to see if the indicator has been triggered.
    - Adjust IOC actions if needed based on real-world detections.
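As an added example (not code from this page or from CrowdStrike), the following Python matches a handful of constructed sensor events against a small set of custom IOCs and tallies hits per IOC name, which is the view you get when filtering the Detection Summary by IOC Name. It also shows how the action chosen in Step 3 changes the outcome: a Detect & Prevent IOC produces a block, a Detect Only IOC produces a detection record only. The IOC entries, the event records and the `FIELD_FOR_TYPE` mapping are assumptions made for this example, not the Falcon data model.

```python
from collections import Counter

# Constructed custom IOCs in the shape of the console entries (hypothetical values).
IOCS = [
    {"name": "ransomware-sample", "type": "sha256", "value": "a" * 64, "action": "prevent"},
    {"name": "c2-domain", "type": "domain", "value": "badsite.com", "action": "detect"},
    {"name": "old-dropper", "type": "md5", "value": "b" * 32, "action": "detect"},
]

# Constructed sensor events; each carries the field its IOC type is compared against.
EVENTS = [
    {"host": "WS-01", "sha256": "a" * 64},
    {"host": "WS-02", "domain": "badsite.com"},
    {"host": "WS-02", "sha256": "c" * 64},          # unknown file, no IOC match
    {"host": "SRV-03", "domain": "BADSITE.COM"},    # case differs, still matches
    {"host": "WS-01", "sha256": "a" * 64},
    {"host": "WS-04", "domain": "safe.example.com"},
]

# Event field that each IOC type is compared against (assumption for this example).
FIELD_FOR_TYPE = {
    "sha256": "sha256", "sha1": "sha1", "md5": "md5",
    "domain": "domain", "ip": "remote_ip",
}


def build_index(iocs):
    """Map (type, normalised value) -> IOC so each event is matched in O(1)."""
    return {(i["type"], i["value"].lower()): i for i in iocs}


def evaluate(events, iocs):
    """Return one hit per event that matches an IOC, with the outcome the action implies."""
    index = build_index(iocs)
    hits = []
    for event in events:
        for ioc_type, field in FIELD_FOR_TYPE.items():
            observed = event.get(field)
            if observed is None:
                continue
            ioc = index.get((ioc_type, observed.lower()))
            if ioc is None:
                continue
            # Detect & Prevent blocks the activity; Detect Only just records it.
            outcome = "blocked" if ioc["action"] == "prevent" else "detected"
            hits.append({"ioc": ioc["name"], "host": event["host"], "outcome": outcome})
    return hits


def summarize(hits):
    """Count hits per IOC name: the Detection Summary filtered by IOC Name."""
    return Counter(h["ioc"] for h in hits)


if __name__ == "__main__":
    all_hits = evaluate(EVENTS, IOCS)
    for hit in all_hits:
        print(f"{hit['host']:7} {hit['ioc']:18} {hit['outcome']}")
    print("per-IOC totals:", dict(summarize(all_hits)))
```

An IOC that never appears in the summary (here `old-dropper`) is exactly the kind of entry the regular review in the best practices below should consider retiring.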
---

Best Practices for Custom IOCs

✅ **Use File Hashes for Known Malware** – Avoid using partial hashes that could match legitimate files.
✅ **Be Careful with Domain/IP Blocking** – Ensure that blocking a domain/IP won’t impact legitimate services.
✅ **Review IOCs Regularly** – Remove outdated IOCs to prevent unnecessary detections.
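An added pre-flight check, written in Python for this page (not CrowdStrike's software or API), that applies the best practices above to a batch of candidate IOCs before anyone types them into the console: it rejects partial or non-hexadecimal hashes, malformed domains and IP addresses, internal or non-routable IPs, and Detect & Prevent entries that would cover a domain your organisation depends on. The `Ioc` record, the `PROTECTED_DOMAINS` allowlist and every sample value in `CANDIDATES` are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hex-digit length of each hash type the console accepts; anything shorter is a
# partial hash and must not be entered.
HASH_LENGTHS = {"sha256": 64, "sha1": 40, "md5": 32}

# Actions and severities as named on the IOC Management page.
ACTIONS = {"detect", "prevent"}           # Detect Only / Detect & Prevent
SEVERITIES = {"low", "medium", "high", "critical"}

# Constructed allowlist (hypothetical values): domains legitimate services rely on,
# which a Detect & Prevent IOC must never cover.
PROTECTED_DOMAINS = {"example.com", "login.example.net"}

# Conservative hostname syntax: dotted labels, no leading/trailing hyphen, alpha TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


@dataclass
class Ioc:
    ioc_type: str        # "sha256", "sha1", "md5", "domain" or "ip" (assumed names)
    value: str
    action: str          # "detect" or "prevent"
    severity: str
    description: str = ""


def check_ioc(ioc):
    """Return the list of problems with one candidate IOC (empty means safe to add)."""
    problems = []
    if ioc.action not in ACTIONS:
        problems.append(f"unknown action {ioc.action!r} (use detect or prevent)")
    if ioc.severity not in SEVERITIES:
        problems.append(f"unknown severity {ioc.severity!r}")
    value = ioc.value.strip().lower()

    if ioc.ioc_type in HASH_LENGTHS:
        want = HASH_LENGTHS[ioc.ioc_type]
        if not re.fullmatch(r"[0-9a-f]+", value):
            problems.append("hash is not hexadecimal")
        elif len(value) != want:
            problems.append(
                f"{ioc.ioc_type} must be {want} hex characters, got {len(value)} (partial hash?)"
            )
    elif ioc.ioc_type == "domain":
        if not HOSTNAME_RE.match(value):
            problems.append("not a valid hostname")
        elif ioc.action == "prevent" and any(
            value == d or value.endswith("." + d) for d in PROTECTED_DOMAINS
        ):
            problems.append("Detect & Prevent would block a protected domain; use Detect Only")
    elif ioc.ioc_type == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            problems.append("not a valid IP address")
        else:
            # Private, loopback, link-local and reserved ranges are not globally
            # routable; blocking them would hit your own infrastructure.
            if not addr.is_global:
                problems.append("non-routable or internal address; blocking it could hit your own hosts")
    else:
        problems.append(f"unknown IOC type {ioc.ioc_type!r}")
    return problems


def triage(candidates):
    """Split candidates into (ready, rejected); rejected is a list of (ioc, problems)."""
    ready, rejected = [], []
    for ioc in candidates:
        problems = check_ioc(ioc)
        if problems:
            rejected.append((ioc, problems))
        else:
            ready.append(ioc)
    return ready, rejected


# Constructed batch of candidates exercising each rule.
CANDIDATES = [
    Ioc("sha256", "a" * 64, "prevent", "high", "constructed ransomware sample"),
    Ioc("sha256", "deadbeef", "prevent", "critical", "partial hash, must be rejected"),
    Ioc("md5", "zz" * 16, "detect", "low", "not hex, must be rejected"),
    Ioc("domain", "badsite.com", "prevent", "high", "constructed C2 domain"),
    Ioc("domain", "mail.example.com", "prevent", "medium", "subdomain of a protected domain"),
    Ioc("ip", "10.0.0.5", "prevent", "high", "internal address"),
    Ioc("domain", "c2.badsite.net", "block", "high", "typo in action"),
]

if __name__ == "__main__":
    ok, bad = triage(CANDIDATES)
    for ioc in ok:
        print(f"READY   {ioc.ioc_type:6} {ioc.value}")
    for ioc, problems in bad:
        print(f"REJECT  {ioc.ioc_type:6} {ioc.value}: {'; '.join(problems)}")
```

Note that the protected-domain rule only fires for Detect & Prevent: a Detect Only IOC on a domain you depend on is allowed, which matches the advice to run a monitoring phase before switching an indicator to blocking.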

Frequently Asked Questions


To avoid inadvertently blocking legitimate files when creating custom file hash IOCs, always use full hashes instead of partial ones. Additionally, test the hash in a controlled environment before deploying it broadly. Implement a monitoring phase to observe the impact of the IOC on system behavior. This allows for adjustments based on real-world detections and reduces the risk of false positives, ensuring operational continuity.
