---
title: IOC Explorer
description: Datadog, the leading service for cloud-scale monitoring.
---

# IOC Explorer

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Overview{% #overview %}

Indicators of Compromise (IOCs) are reputation data associated with entities such as IP addresses, file hashes, and domains that help responders make informed decisions about attacks and potential compromises. The [IOC Explorer](https://app.datadoghq.com/security/siem/ioc-explorer) is a searchable, filterable investigation surface where you can analyze, sort, and prioritize compromises. You can also view related matches in Signals Explorer and Logs Explorer, so you can investigate potential compromises in more detail.

{% image
   source="https://docs.dd-static.net/images/security/security_monitoring/ioc_explorer_2.6c4b5eeb71ab4fff89a73decd5f8fa81.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/security/security_monitoring/ioc_explorer_2.6c4b5eeb71ab4fff89a73decd5f8fa81.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="The IOC Explorer, showing an IP address that has been flagged as an indicator of compromise" /%}

## Prerequisites{% #prerequisites %}

To view data in the IOC Explorer, all of the following must be true:

- Your organization must subscribe to Cloud SIEM.
- The indicator of compromise must be in a threat feed that was available to Datadog at the time the log was ingested.
  - For more information on the threat intelligence feeds the IOC Explorer displays content from, see [Threat intelligence sources](https://docs.datadoghq.com/security/threat_intelligence.md#threat-intelligence-sources).
- The time frame for the Explorer is fixed to the last 30 days. The log must be from within that time frame. If your organization has recently onboarded, the Explorer shows data from when you onboarded.

## Use the IOC Explorer{% #use-the-ioc-explorer %}

To access the IOC Explorer in Datadog, go to **Security** > **Cloud SIEM** > **Investigate** > [**IOC Explorer**](https://app.datadoghq.com/security/siem/ioc-explorer).

### Query and filter indicators of compromise{% #query-and-filter-indicators-of-compromise %}

You can write custom queries or apply filters to determine which indicators of compromise you can see in the explorer. You can query or filter by:

- Severity score
- Signal name
- [Threat intelligence source](https://docs.datadoghq.com/security/threat_intelligence.md#threat-intelligence-sources)
- Tag, including outputs from the scoring engine
- Indicator
- [Indicator type](https://docs.datadoghq.com/security/threat_intelligence.md#entity-types)
- [Threat intelligence category](https://docs.datadoghq.com/security/threat_intelligence.md#threat-intelligence-categories)
- Autonomous system (AS) type
- Matched OCSF fields

Additionally, you can click a column heading in the Explorer to sort by that column's values.

### Understand OCSF matching{% #understand-ocsf-matching %}

You can turn the **OCSF Matching** toggle on or off to have more control over how Datadog identifies IOC matches.

- Turn the toggle **on** if you want **higher-confidence matches** tied to normalized security attributes.

  When the toggle is on, IOC matches only appear in the Explorer if values appear in mapped OCSF fields, such as the source IP, destination IP, or client IP. This helps ensure the match reflects the structured meaning of the data, rather than just the presence of the IOC somewhere in the raw log.

- Turn the toggle **off** if you want **broader threat hunting** across the full event payload.

  When the toggle is off, IOC matches appear in the Explorer if IOCs appear anywhere in the event, including unstructured text like a message body or other freeform fields.

#### Example{% #example %}

Alice sends Bob an email whose message body mentions `192.0.2.100`, an IP address that is an IOC.

- If the OCSF Matching toggle is **on**, Datadog only matches IOCs found in relevant mapped OCSF fields, such as normalized source or destination IP address fields in the email event. Because `192.0.2.100` appears only in the message body and not in a mapped OCSF field, it does not appear in the IOC Explorer.
- If the OCSF Matching toggle is **off**, Datadog matches `192.0.2.100` because it searches the full event payload, including unstructured text such as the message body. The IOC appears in the IOC Explorer.
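To make the difference between the two modes concrete, here is an added example that is not Datadog's implementation and does not reflect its real OCSF field mapping: a small matcher that, in strict mode, consults only an assumed set of mapped OCSF IP attributes (`src_endpoint.ip`, `dst_endpoint.ip`, `device.ip`) and, in broad mode, scans every string in the event payload. The IOC values and the two events are constructed from documentation address ranges, with the email event modelled on the Alice and Bob scenario above.

```python
"""Toy IOC matcher contrasting OCSF-field-only matching (toggle on) with
full-payload matching (toggle off). Added illustration, not Datadog code."""
import re
from typing import Any, Iterable

# Constructed IOC set for the example (192.0.2.0/24 and 198.51.100.0/24 are
# reserved documentation ranges, so these values are never real hosts).
IOC_IPS: set[str] = {"192.0.2.100", "198.51.100.7"}

# Assumed mapping of normalized OCSF attribute paths a strict matcher reads.
# The page does not list the exact fields Datadog maps; these are OCSF-style
# paths chosen for illustration.
MAPPED_OCSF_IP_FIELDS = ("src_endpoint.ip", "dst_endpoint.ip", "device.ip")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def get_path(event: dict, path: str) -> Any:
    """Walk a dotted path through nested dicts; return None if any step is missing."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def iter_strings(obj: Any, path: str = "") -> Iterable[tuple[str, str]]:
    """Yield (json_path, text) for every string leaf in a nested structure."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from iter_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from iter_strings(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        yield path, obj


def match_ocsf_fields(event: dict, iocs: set[str]) -> list[tuple[str, str]]:
    """Toggle on: a hit requires the IOC to be the value of a mapped OCSF field."""
    hits = []
    for path in MAPPED_OCSF_IP_FIELDS:
        value = get_path(event, path)
        if isinstance(value, str) and value in iocs:
            hits.append((path, value))
    return hits


def match_full_payload(event: dict, iocs: set[str]) -> list[tuple[str, str]]:
    """Toggle off: any IPv4 literal anywhere in the payload, free text included."""
    hits = []
    for path, text in iter_strings(event):
        for candidate in IPV4_RE.findall(text):
            if candidate in iocs:
                hits.append((path, candidate))
    return hits


def match_iocs(event: dict, iocs: set[str], ocsf_matching: bool) -> list[tuple[str, str]]:
    """Dispatch on the toggle; returns (field path, matched indicator) pairs."""
    return match_ocsf_fields(event, iocs) if ocsf_matching else match_full_payload(event, iocs)


# Constructed email event: the IOC appears only in the free-text message body.
EMAIL_EVENT = {
    "class_name": "Email Activity",
    "src_endpoint": {"ip": "203.0.113.9"},
    "dst_endpoint": {"ip": "203.0.113.25"},
    "email": {
        "from": "alice@example.com",
        "to": ["bob@example.com"],
        "message": "Bob, please check the host at 192.0.2.100 before tomorrow.",
    },
}

# Constructed network event: the IOC is the connection's destination address.
NETWORK_EVENT = {
    "class_name": "Network Activity",
    "src_endpoint": {"ip": "10.0.0.12"},
    "dst_endpoint": {"ip": "198.51.100.7"},
    "message": "outbound connection established",
}

if __name__ == "__main__":
    for name, event in (("email", EMAIL_EVENT), ("network", NETWORK_EVENT)):
        print(name, "toggle on: ", match_iocs(event, IOC_IPS, ocsf_matching=True))
        print(name, "toggle off:", match_iocs(event, IOC_IPS, ocsf_matching=False))
```

Run as a script, the email event yields no hit with the toggle on and a single `email.message` hit with it off, while the network event yields the same `dst_endpoint.ip` hit in both modes. The strict path returns the field that carried the indicator, which is what gives a match its structured meaning; the broad path trades that precision for coverage of freeform text.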

### Get more context on an indicator of compromise{% #get-more-context-on-an-indicator-of-compromise %}

In the IOC Explorer, click an indicator of compromise to view additional information you can use to prioritize your remediation efforts:

- Any categories assigned to the indicator, and the threat intelligence feeds it appeared in
- Any ratings assigned to the indicator, and the threat intelligence feeds associated with those ratings
- A breakdown of the indicator's severity score
- The environment associated with the indicator, including related sources and services
- Related items the indicator can have an impact on
- Links to related investigation surfaces:
  - Signal matches, which you can view in [Signals Explorer](https://docs.datadoghq.com/security/cloud_siem/triage_and_investigate/investigate_security_signals.md#signals-explorer)
  - Related logs, which you can view in [Log Explorer](https://docs.datadoghq.com/logs/explorer.md)

## Understand severity scoring{% #understand-severity-scoring %}

Understanding the context behind an indicator's severity score helps you prioritize investigations correctly. For example, [IP addresses](https://docs.datadoghq.com/security/threat_intelligence.md#ip-addresses-dynamic-and-transient) can be volatile and therefore require frequent reassessment.

In the IOC Explorer side panel, you can see the factors that contribute to the severity score. The severity score starts from a base score determined by the indicator's classification, and then increases or decreases based on additional factors:

- **Classification**: The base score associated with the indicator's category and intent
- **Corroboration**: Whether the indicator appears on multiple threat intelligence feeds
- **Persistence**: How long threat intelligence feeds have been reporting on the indicator
- **Hosting Type**: Used for IP and domain entity types; evaluates whether the hosting infrastructure type is commonly used for attacks
- **Signal Activity**: Whether the indicator has been observed in Signals

## Further reading{% #further-reading %}

- [What's new in Cloud SIEM: AI-powered investigations, enhanced threat intelligence, and scalable security operations](https://www.datadoghq.com/blog/cloud-siem-whats-new-rsa-2026)
- [Threat Intelligence](https://docs.datadoghq.com/security/threat_intelligence.md)
- [Bring Your Own Threat Intelligence](https://docs.datadoghq.com/security/cloud_siem/ingest_and_enrich/threat_intelligence.md)
