
IOC Detection

IOC detection is a critical mechanism in detecting attacks that are trying to harm your system or have already breached it. The Sekoia SOC platform is powered by our Threat Detection & Research (TDR) team, which constantly enriches our IOC database with its state-of-the-art investigations and extensive expertise in Intelligence.

With IOC detection, you can automatically identify potential threats in your past and future events by monitoring active IOCs.

How does IOC detection at Sekoia work?

The Sekoia Threat Detection & Research (TDR) team maintains a CTI database of millions of IOCs through its investigations and dedicated expertise. All of this work benefits Sekoia XDR clients, who can see the number of available IOCs on the Rules catalog page, in the Active IOCs section.

(Screenshot: verified IOCs)

Each new event ingested by Sekoia XDR is scanned against our CTI database. If an indicator is matched, our Sekoia Intelligence Feed rule alerts you immediately.

Sekoia Retrohunt engine

Each time a new indicator is added to our CTI database, Sekoia XDR also performs retrohunting over all available events that were ingested in the past. This means Sekoia XDR does not miss past or ongoing attacks within your system.

How do you recognize a retrohunt alert?

On the Alerts page, look for the Detection type of the alert. CTI Retrohunt alerts are triggered retroactively when a new indicator appears in our CTI database.

(Screenshot: detection type)

Would your SOC team like to retrohunt a specific list of IOCs?

That is possible via IOC collections: you can import a specific list of IOCs and retrohunt on them. Please see the dedicated documentation on IOC Collections.

Technical dive into IOC detection

We will detail some technical concepts around IOC detection and explain how to enable and correctly use IOC detection.

Enable IOC detection

Our recommendation is to enable the Sekoia Intelligence Feed rule, so that you automatically benefit from the protection of our CTI database and its IOCs. Another option is to create your own custom CTI rule and choose a feed source; the feed source can be an IOC Collection provided by your SOC team.

If no CTI rule is enabled, a warning message will be displayed on the Rules catalog page.

(Screenshot: retrohunt disabled warning)

How far in the past is retrohunting performed?

Our IOC detection performs a retrohunt based on the indicator's valid period (valid from and valid until). By default, 5 additional days are always added on top of that specified valid period.

Is retrohunt performed immediately after I import an indicator?

Sekoia XDR performs the retrohunt as soon as possible, depending on resource availability. We select the appropriate moment for this operation so that it does not degrade the user experience.

Which event fields are verified when performing IOC detection?

The tables below list the ECS event fields that are verified by IOC detection.

Observable type: Domain Name

STIX path          ECS event field
domain-name:value  client.domain
                   client.registered_domain
                   destination.domain
                   destination.registered_domain
                   dns.question.name
                   dns.question.registered_domain
                   server.domain
                   server.registered_domain
                   source.domain
                   source.registered_domain
                   tls.[client/server].x509.alternative_names
                   tls.[client/server].x509.subject.common_name
                   url.domain
                   url.registered_domain

Observable type: Email Address

STIX path                ECS event field
email-addr:value         client.user.email
                         destination.user.email
                         destination.user.full_name
                         email.from.address
                         email.sender.address
                         email.to.address
                         email.cc.address
                         email.bcc.address
                         file.x509.alternative_names
                         server.user.email
                         source.user.email
                         source.user.full_name
                         user.email
                         user.effective.email
                         user.target.email
                         tls.[client/server].x509.alternative_names
email-addr:display_name  destination.user.full_name
                         source.user.full_name

Observable type: File

STIX path            ECS event field
file:ctime           file.created
file:hashes.MD5      dll.hash.md5
                     email.attachments.file.hash.md5
                     file.hash.md5
                     process.hash.md5
file:hashes.SSDEEP   file.hash.ssdeep
file:hashes.SHA-1    file.hash.sha1
                     dll.hash.sha1
                     email.attachments.file.hash.sha1
                     process.hash.sha1
file:hashes.SHA-256  file.hash.sha256
                     dll.hash.sha256
                     email.attachments.file.hash.sha256
                     process.hash.sha256
file:hashes.SHA-512  file.hash.sha512
                     dll.hash.sha512
                     email.attachments.file.hash.sha512
                     process.hash.sha512
file:mime_type       file.mime_type
file:mtime           file.ctime
file:name            file.name
file:size            file.size

Observable type: IPv4 Address & IPv6 Address

Note

To avoid false positives, IP addresses that are marked as "Command and Control" are only matched against destination.ip.

STIX path                          ECS event field
ipv4-addr:value / ipv6-addr:value  client.ip
                                   destination.ip
                                   host.ip
                                   server.ip
                                   source.ip

Observable type: Network Traffic

STIX path                                                              ECS event field
network-traffic:dst_port                                               destination.port
network-traffic:dst_ref.value                                          destination.ip
network-traffic:extensions.http-request-ext.request_header.User-Agent  user_agent.original
network-traffic:src_port                                               source.port
network-traffic:src_ref.value                                          source.ip

Observable type: URL

STIX path  ECS event field
url:value  url.full
           url.original

Observable type: Windows Registry Key

STIX path                    ECS event field
windows-registry-key:key     registry.key
windows-registry-key:values  registry.value

Observable type: X.509 Certificate

STIX path                                      ECS event field
x509-certificate:issuer                        x509.issuer.common_name
                                               x509.issuer.distinguished_name
x509-certificate:serial_number                 x509.serial_number
x509-certificate:signature_algorithm           x509.signature_algorithm
x509-certificate:subject                       x509.subject.common_name
                                               x509.subject.distinguished_name
x509-certificate:subject_public_key_algorithm  x509.public_key_algorithm
x509-certificate:subject_public_key_exponent   x509.public_key_exponent
x509-certificate:validity_not_before           x509.not_before
x509-certificate:validity_not_after            x509.not_after
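As an added example (not Sekoia's code), the following Python sketch applies a subset of the mapping tables above, the 5-day retrohunt margin and the "Command and Control" restriction to a few constructed ECS events. The flattened event layout, the `c2` flag on an indicator and the assumption that the 5 days pad both ends of the valid period are mine, not taken from the page.

```python
from datetime import datetime, timedelta, timezone

# Subset of the mapping tables above: STIX path -> candidate ECS fields.
FIELD_MAP = {
    "domain-name:value": ["client.domain", "destination.domain", "dns.question.name",
                          "server.domain", "source.domain", "url.domain"],
    "ipv4-addr:value": ["client.ip", "destination.ip", "host.ip", "server.ip", "source.ip"],
    "file:hashes.SHA-256": ["file.hash.sha256", "dll.hash.sha256",
                            "email.attachments.file.hash.sha256", "process.hash.sha256"],
}
MARGIN = timedelta(days=5)  # the 5 extra days; assumed to pad both ends of the valid period

def retrohunt_window(ioc):  # time range of past events worth rescanning for this indicator
    return ioc["valid_from"] - MARGIN, ioc["valid_until"] + MARGIN

def candidate_fields(ioc):
    """ECS fields to compare; C2-tagged IPs are only matched on destination.ip."""
    fields = FIELD_MAP[ioc["stix_path"]]
    if ioc["stix_path"].startswith("ipv") and ioc.get("c2"):
        return [f for f in fields if f == "destination.ip"]
    return fields

def match_event(event, iocs):
    """Return (indicator value, ECS field) pairs that hit in one flattened ECS event."""
    ts = event["@timestamp"]
    hits = []
    for ioc in iocs:
        start, end = retrohunt_window(ioc)
        if not start <= ts <= end:
            continue  # event lies outside the padded valid period
        for field in candidate_fields(ioc):
            if event.get(field) == ioc["value"]:
                hits.append((ioc["value"], field))
    return hits
T0 = datetime(2024, 3, 10, tzinfo=timezone.utc)
SAMPLE_IOCS = [  # constructed indicators, not real IOCs
    {"stix_path": "domain-name:value", "value": "malicious.example",
     "valid_from": T0, "valid_until": T0 + timedelta(days=30)},
    {"stix_path": "ipv4-addr:value", "value": "203.0.113.7", "c2": True,
     "valid_from": T0, "valid_until": T0 + timedelta(days=30)},
]
SAMPLE_EVENTS = [  # constructed, flattened ECS events
    {"@timestamp": T0 + timedelta(days=1), "dns.question.name": "malicious.example"},
    {"@timestamp": T0 + timedelta(days=2), "source.ip": "203.0.113.7"},       # C2 IP as source: no hit
    {"@timestamp": T0 + timedelta(days=33), "destination.ip": "203.0.113.7"},  # inside the 5-day margin
    {"@timestamp": T0 + timedelta(days=40), "destination.ip": "203.0.113.7"},  # outside the window
]
def run_sample():
    return [match_event(e, SAMPLE_IOCS) for e in SAMPLE_EVENTS]
```

Real matching would also normalise values (lower-case domains, hash case), which this sketch leaves out.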