EDR: How to do a bulk IOC search for IP addresses under the Process Search page

Article ID: 291240

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to properly format the syntax for bulk IOC searches for IP addresses under the Process Search page

Environment

  • EDR: All Supported Versions

Resolution

You can search for multiple IOCs by using bulk search criteria in both the Process Search and Binary Search pages. EDR provides special interfaces for bulk searches that do this for you when given a list of terms. You can type or paste multiple terms into a bulk search text box, following these syntax requirements:
  1. Each term must be on its own line.
  2. No punctuation is required or allowed (for example, no comma-separated lists, no parentheses).
  3. You must use the “ipaddr:” prefix to successfully use a list of IP addresses in a bulk search.
Without the “ipaddr:” prefix, a bulk search of IP addresses fails because each term is treated as a set of individual numbers rather than as a four-part address.
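As an added example (not from the article or from Carbon Black), a small Python helper that rewrites a loosely formatted IP list into the bulk IOC syntax described above and checks an existing list against the three rules; the `ipaddr:` prefix comes from the article, the function names and the sample input are mine.

```python
import ipaddress
import re

# Separators the bulk search box does not accept between terms, per the
# article's rules: whitespace, commas, semicolons, brackets and quotes.
_SEPARATORS = re.compile(r"[\s,;()\[\]{}\"']+")

# Constructed sample: a pasted list with commas, parentheses and a duplicate.
SAMPLE_INPUT = "10.0.0.5, 192.168.1.10\n(203.0.113.7) ipaddr:10.0.0.5"


def format_bulk_ip_iocs(raw: str) -> str:
    """Turn a loosely formatted IPv4 list into EDR bulk IOC search terms.

    Accepts addresses separated by newlines, commas, semicolons or spaces and
    tolerates an existing 'ipaddr:' prefix. Returns one 'ipaddr:<ip>' term
    per line, deduplicated, with the original order preserved.
    """
    terms = []
    for token in _SEPARATORS.split(raw):
        if not token:
            continue
        if token.lower().startswith("ipaddr:"):
            token = token[len("ipaddr:"):]
        # Reject anything that is not a well-formed four-part address.
        ip = ipaddress.IPv4Address(token)
        term = f"ipaddr:{ip}"
        if term not in terms:
            terms.append(term)
    return "\n".join(terms)


def validate_bulk_ip_terms(text: str) -> list[str]:
    """Check a bulk list against the three syntax rules; returns problems found."""
    problems = []
    for n, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        if re.search(r"[,;()\s]", line):  # rule 1 and 2: one bare term per line
            problems.append(f"line {n}: punctuation or several terms on one line")
        elif not line.startswith("ipaddr:"):  # rule 3: prefix required
            problems.append(f"line {n}: missing 'ipaddr:' prefix")
        else:
            try:
                ipaddress.IPv4Address(line[len("ipaddr:"):])
            except ValueError:
                problems.append(f"line {n}: not a valid IPv4 address")
    return problems


if __name__ == "__main__":
    print(format_bulk_ip_iocs(SAMPLE_INPUT))
```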

To do a bulk IOC search on the Process Search page:
  1. On the Process Search page, unless you have already entered terms that you want to keep in your search, click the Reset Search button under the search box to make certain you are starting with a fresh search.
  2. Click Add Search Terms under the search box.
  3. In the New Search Terms dialog, use the Choose Criteria menu to choose Bulk IOC > IOCs.
  4. In the text box to the right of IOCs, type or paste the list of IOCs you want to search for, making sure they meet the syntax requirements above.
  5. For most search criteria you will want records that match one of the items on your list, but you can also choose to get results that do not match your terms. Use the is / is not toggle in the dialog to make this choice.
  6. If you want to include additional search criteria, click the Add Search Term link in the dialog to continue defining terms.
  7. When you have finished defining your search, click the Add Terms button. Your search is initiated and the results (if any) are shown in the table on the Process Search page. If necessary, you can continue to refine your search using the search facet tables or additional manually entered terms.