Solved

Custom alerting for IOC Match

Forum|Forum|3 months ago
September 3, 2025
1 reply
124 views

+3

hisoofun
Bronze 1

Someone please help how to set up custom alerting to get alerts for the IOC Matches shown in Dashboard

Best answer by vaskenh

Hi @hisoofun, in this scenario you are describing the process of manually alerting on IOCs as opposed to using the pre-built IOC Matches dashboard, right? To do this, you’ll need to reference the entity graph within a YARA-L rule, and you’ll want to create one of these rules for every IOC type.

To get you started I’ve shown an example excerpt from a rule where I reference the entity graph for the purpose of checking whether a domain exists as an IOC in VirusTotal, after I’ve pulled the hostname out. You’ll want to approach this similarly for the other IOC types.

$e.metadata.event_type = "NETWORK_DNS" $e.network.dns.questions.name = $hostname $i.graph.metadata.vendor_name = "VirusTotal" $i.graph.metadata.entity_type = "DOMAIN_NAME" $i.graph.entity.hostname = $hostname

+13

vaskenh
Staff
Answer
Forum|Forum|3 months ago
September 8, 2025

Hi @hisoofun, in this scenario you are describing the process of manually alerting on IOCs as opposed to using the pre-built IOC Matches dashboard, right? To do this, you’ll need to reference the entity graph within a YARA-L rule, and you’ll want to create one of these rules for every IOC type.

To get you started I’ve shown an example excerpt from a rule where I reference the entity graph for the purpose of checking whether a domain exists as an IOC in VirusTotal, after I’ve pulled the hostname out. You’ll want to approach this similarly for the other IOC types.

$e.metadata.event_type = "NETWORK_DNS" $e.network.dns.questions.name = $hostname $i.graph.metadata.vendor_name = "VirusTotal" $i.graph.metadata.entity_type = "DOMAIN_NAME" $i.graph.entity.hostname = $hostname

Like

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded