How to Ingest IOCs and Integrate with SIEM Solutions

CrowdStrike Falcon® supports importing Indicators of Compromise (IOCs). This can be done manually in the user interface, or programmatically via the Falcon IOC Import API. When using the API, a search is done during the import. This search scans your Threat Graph for any past hits on that IOC, and also starts monitoring for future instances of it on your endpoints. You can also manually search for IOCs in the Investigate and Events Apps. This demo also includes a walkthrough of how these events can be pushed to a SIEM. For illustration purposes we use Soltra and HP ArcSight in this demo.

Read Video Transcript

How to Ingest IOCs and Integrate with SIEM Solutions with CrowdStrike Falcon®

In this demo, we’ll see how Falcon can automatically ingest IOCs via the Falcon API. We will also see any hits against this IOC being fed into a SIEM.

First, let’s start by creating an IOC. We do this by discovering a new piece of malware. In this case, we’ll call it Nasty Rat. If we generate an MD5 hash for this file, we now have an indicator that we can use to make our IOC. To do this, we switch over to Soltra.

Here we can start by choosing to create an indicator. Then we can give it a name and populate all the details that we have about the Nasty Rat malware. Once we publish the IOC, it is now ready to be sent to Falcon. This is done via our API.

So here we see a very simple Python script that consumes the IOC and sends it to Falcon. To prove that the IOC is now in Falcon, we will execute the Nasty Rat virus on our test system. You can see it run. And now, we switch to the Falcon management console to verify that this was detected.

You can see a new detection with the scenario “Intel.” This indicates that the event was caused by the IOC that we imported. Now that we have this event in Falcon, the next step is to publish this into a SIEM. In this case, we are using HP ArcSight. Again, we use the API to send the event from Falcon to the SIEM.

You can see that the script successfully ran. So now let’s verify in the ArcSight UI that the event has been logged. And here you can see the Nasty Rat event in the SIEM. And with that, you’ve seen the full life cycle of a custom detection. We started with a new piece of intelligence, turned it into an IOC, saw Falcon detection against that IOC, and then sent the event to the SIEM.


  • OS icon
  • deployment icon
  • installation icon

For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Center.

Visit the Tech Center