
Someone please help how to set up custom alerting to get alerts for the IOC Matches shown in Dashboard

Hi @hisoofun, in this scenario you are describing the process of manually alerting on IOCs as opposed to using the pre-built IOC Matches dashboard, right? To do this, you’ll need to reference the entity graph within a YARA-L rule, and you’ll want to create one of these rules for every IOC type.


To get you started I’ve shown an example excerpt from a rule where I reference the entity graph for the purpose of checking whether a domain exists as an IOC in VirusTotal, after I’ve pulled the hostname out.  You’ll want to approach this similarly for the other IOC types.


// Event side: a DNS question, with the queried name bound to $hostname
$e.metadata.event_type = "NETWORK_DNS"
$e.network.dns.questions.name = $hostname

// Entity-graph side: a VirusTotal domain IOC whose hostname must equal the same $hostname
$i.graph.metadata.vendor_name = "VirusTotal"
$i.graph.metadata.entity_type = "DOMAIN_NAME"
$i.graph.entity.hostname = $hostname
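A complete rule built around that excerpt, added here as an illustration rather than code from the original reply. The rule name, the 1-hour match window, the outcome variables, and the use of `$e.principal.hostname` and `$i.graph.metadata.product_name` are assumptions; only the five `events:` predicates come from the reply.

```yaral
rule vt_domain_ioc_dns_match {
  meta:
    // Illustrative rule, not part of the original post
    author = "example"
    description = "DNS lookup of a domain that VirusTotal lists as an IOC in the entity graph"
    severity = "MEDIUM"

  events:
    // Event side: a DNS question, with the queried name bound to $hostname
    $e.metadata.event_type = "NETWORK_DNS"
    $e.network.dns.questions.name = $hostname

    // Entity-graph side: a VirusTotal domain IOC whose hostname equals the same $hostname.
    // The shared $hostname variable is what joins the event to the entity-graph entry.
    $i.graph.metadata.vendor_name = "VirusTotal"
    $i.graph.metadata.entity_type = "DOMAIN_NAME"
    $i.graph.entity.hostname = $hostname

  match:
    // One detection per matched domain per hour (window length is an assumption)
    $hostname over 1h

  outcome:
    // Which assets asked for the flagged domain, and which VirusTotal product supplied the IOC
    $querying_hosts = array_distinct($e.principal.hostname)
    $ioc_product = array_distinct($i.graph.metadata.product_name)

  condition:
    // Fire only when both the DNS event and the entity-graph IOC are present
    $e and $i
}
```

For the other IOC types the reply mentions, the same shape applies: keep the event-side predicate for that indicator, change `entity_type` and the `$i.graph.entity.*` field to the matching entity-graph field, and join on one shared match variable.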