matchioc()
The matchioc() function checks whether a specific value is included in the threat intelligence feed for a specified indicator of compromise (IOC) type.
Syntax
matchioc(STR_FEED_TYPE, STR_EXPR)
Parameters
STR_FEED_TYPE - The IOC feed type to search. Specify as a string literal; the value is case-insensitive. If an invalid type is specified, an error occurs at query parse time.

STR_FEED_TYPE   Description
URL             URL IOC feed
DOMAIN          Domain IOC feed
EMAIL           Email IOC feed
IP              IP address IOC feed
REGISTRY        Registry IOC feed
MD5             MD5 hash IOC feed
SHA1            SHA1 hash IOC feed
SHA256          SHA256 hash IOC feed

STR_EXPR - The field or expression containing the value to search for in the feed. Supports string and IP address types.
Description
The matchioc() function returns true if STR_EXPR exists in the threat intelligence feed for the specified IOC type, or false if it does not.
If STR_EXPR is null, false is returned. If STR_EXPR is an IP address type, it is converted to a string before searching the feed.
Unlike the matchfeed() function, matchioc() selects the feed by IOC type rather than by feed name. If no feed matcher can be found for the specified type, an error occurs at query parse time.
Error codes
N/A
Usage examples
- Check whether the value of the src_ip field exists in the IP IOC feed
  json "{'src_ip': '192.0.2.1'}" | eval result = matchioc("IP", src_ip)
  # result: false
- Check whether an MD5 hash value exists in the malware IOC feed
  json "{'file_md5': 'd41d8cd98f00b204e9800998ecf8427e'}" | eval result = matchioc("MD5", file_md5)
  # result: false
- Check whether a domain exists in the IOC feed
  json "{'dst_domain': 'example.com'}" | eval result = matchioc("DOMAIN", dst_domain)
  # result: false
- STR_EXPR value is null
  json "{'src_ip': null}" | eval result = matchioc("IP", null)
  # result: false
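The Description section spells out the full decision procedure: case-insensitive feed type lookup, parse-time rejection of an invalid or unmatched type, null evaluating to false, and IP address values being stringified before the lookup. The Python below is an added example that models those documented semantics over a few constructed events; it is not the Sonar product's own implementation. The feed contents, the sample events, and the names compile_matchioc, flag_events, hits and QueryParseError are assumptions made for the illustration.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Set, Tuple, Union

# The eight feed types the reference lists. Keys are upper-case because the
# reference states the type lookup is case-insensitive.
IOC_FEED_TYPES = ("URL", "DOMAIN", "EMAIL", "IP", "REGISTRY", "MD5", "SHA1", "SHA256")

# Constructed sample feeds standing in for the real threat intelligence feeds.
# Only three types have a matcher loaded, so the "no feed matcher" path can be shown.
SAMPLE_FEEDS: Dict[str, Set[str]] = {
    "IP": {"198.51.100.7"},
    "DOMAIN": {"malicious.example"},
    "MD5": {"0123456789abcdef0123456789abcdef"},
}

IpLike = Union[str, ipaddress.IPv4Address, ipaddress.IPv6Address, None]


class QueryParseError(ValueError):
    """Raised while the query is parsed, before any event is evaluated."""


def compile_matchioc(feed_type: str,
                     feeds: Dict[str, Set[str]] = SAMPLE_FEEDS) -> Callable[[IpLike], bool]:
    """Resolve the feed matcher once, at parse time, as the reference describes.

    An invalid type, or a valid type with no feed loaded, fails here so a bad
    query is rejected up front instead of silently returning false per event.
    """
    normalized = feed_type.upper()
    if normalized not in IOC_FEED_TYPES:
        raise QueryParseError(f"invalid IOC feed type: {feed_type!r}")
    if normalized not in feeds:
        raise QueryParseError(f"no feed matcher for IOC type {normalized}")
    feed = feeds[normalized]

    def matcher(value: IpLike) -> bool:
        # null -> false; an IP address typed value is stringified before lookup.
        if value is None:
            return False
        if isinstance(value, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
            value = str(value)
        return value in feed

    return matcher


def flag_events(events: Iterable[dict], field: str,
                feed_type: str) -> List[Tuple[dict, bool]]:
    """Equivalent of `eval result = matchioc(<feed_type>, <field>)` over an event stream."""
    matcher = compile_matchioc(feed_type)  # parse-time resolution happens once, not per event
    return [(event, matcher(event.get(field))) for event in events]


# Constructed sample events: a plain string, an IP address typed value, and a null field.
SAMPLE_EVENTS = [
    {"src_ip": "192.0.2.1"},
    {"src_ip": ipaddress.ip_address("198.51.100.7")},
    {"src_ip": None},
]


def hits(events=SAMPLE_EVENTS, field="src_ip", feed_type="ip") -> List[bool]:
    """Return just the per-event match results, in input order."""
    return [matched for _, matched in flag_events(events, field, feed_type)]


if __name__ == "__main__":
    for event, matched in flag_events(SAMPLE_EVENTS, "src_ip", "ip"):
        print(event, "->", matched)
    try:
        compile_matchioc("sha512")
    except QueryParseError as exc:
        print("parse-time rejection:", exc)
```

The separation into compile_matchioc (type resolution) and the returned matcher (per-event evaluation) is what makes the "error at query parse time" behaviour concrete: a typo in the feed type surfaces before the first event is read, while a null or unmatched value only ever yields false.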
Compatibility
matchioc() has been available since before Sonar 4.0.