
Update IOC Explorer docs for GA #36265

Open

janine-c wants to merge 2 commits into master from janine/ioc-explorer-ga

Conversation

@janine-c (Contributor)

What does this PR do? What is the motivation?

Updates the existing IOC Explorer docs for GA release 🎉

Merge instructions

I'll check this box when I have PM approval 🫡

Merge readiness:

  • Ready for merge

For Datadog employees:

Your branch name MUST follow the <name>/<description> convention and include the forward slash (/). Without this format, your pull request will not pass CI, the GitLab pipeline will not run, and you won't get a branch preview. Getting a branch preview makes it easier for us to check any issues with your PR, such as broken links.

If your branch doesn't follow this format, rename it or create a new branch and PR.

[6/5/2025] Merge queue has been disabled on the documentation repo. If you have write access to the repo, the PR has been reviewed by a Documentation team member, and all of the required checks have passed, you can use the Squash and Merge button to merge the PR. If you don't have write access, or you need help, reach out in the #documentation channel in Slack.


@janine-c janine-c requested a review from a team as a code owner April 24, 2026 16:44
@github-actions github-actions Bot added the Images Images are added/removed with this PR label Apr 24, 2026

@datamarmot (Contributor) left a comment:

Added some updates for @janine-c, thank you

## Overview

Indicators of Compromise (IOC) are evidence that your systems have experienced a security breach. With the [IOC Explorer][1], you can view more details about compromises, and see related signals and logs.
Indicators of Compromise (IOC) are evidence that your systems have experienced a security breach. The [IOC Explorer][1] is a searchable, filterable investigation surface where you can investigate, sort, and prioritize compromises. You can also view related matches in Signals Explorer and Logs Explorer, so you can investigate potential compromises in more detail.

replace the leading sentence: Indicators of Compromise (IOC) are evidence that your systems have experienced a security breach.

with

Indicators of Compromise (IOCs) are reputation data associated with entities such as IP addresses, file hashes, and domains that help responders make informed decisions about attacks and potential compromises.

@@ -25,7 +25,7 @@ To view data in the IOC Explorer, all of the following must be true:
- The indicator of compromise must be in a threat feed that was available to Datadog at the time of the log acquisition.
- For more information on the threat intelligence feeds the IOC Explorer displays content from, see [Threat intelligence sources][2].
- A log that has a matching entity in threat intelligence must be acquired.

This line can be removed. I think line 25, The indicator of compromise must be in a threat feed that was available to Datadog at the time of the log acquisition. covers this.

- Turn the toggle **off** if you want **broader threat hunting** across the full event payload:
- When the toggle is off, IOC matches appear in the Explorer if IOCs appear anywhere in the event, including unstructured text like a message body, or other freeform fields.

#### Example

Update for the example:

Alice sends Bob an email whose message body mentions 192.0.2.100, an IP address that is an IOC.

If the OCSF Matching toggle is on, Datadog only matches IOCs found in relevant mapped OCSF fields, such as normalized source or destination IP address fields in the email event. Because 192.0.2.100 appears only in the message body and not in a mapped OCSF field, it does not appear in the IOC Explorer.

If the OCSF Matching toggle is off, Datadog matches 192.0.2.100 because it searches the full event payload, including unstructured text such as the message body. The IOC appears in the IOC Explorer.

@janine-c (Contributor, Author):

@datamarmot Applied all your suggestions, thank you!

@joepeeples (Contributor) left a comment:

Added a few non-blocking edit suggestions, thanks!

## Overview

Indicators of Compromise (IOC) are evidence that your systems have experienced a security breach. With the [IOC Explorer][1], you can view more details about compromises, and see related signals and logs.
Indicators of Compromise (IOCs) are reputation data associated with entities such as IP addresses, file hashes, and domains that help responders make informed decisions about attacks and potential compromises. The [IOC Explorer][1] is a searchable, filterable investigation surface where you can investigate, sort, and prioritize compromises. You can also view related matches in Signals Explorer and Logs Explorer, so you can investigate potential compromises in more detail.

"Investigation/investigate" appears 3 times, maybe change one to mix it up:

Suggested change
Indicators of Compromise (IOCs) are reputation data associated with entities such as IP addresses, file hashes, and domains that help responders make informed decisions about attacks and potential compromises. The [IOC Explorer][1] is a searchable, filterable investigation surface where you can investigate, sort, and prioritize compromises. You can also view related matches in Signals Explorer and Logs Explorer, so you can investigate potential compromises in more detail.
Indicators of Compromise (IOCs) are reputation data associated with entities such as IP addresses, file hashes, and domains that help responders make informed decisions about attacks and potential compromises. The [IOC Explorer][1] is a searchable, filterable investigation surface where you can examine, sort, and prioritize compromises. You can also view related matches in Signals Explorer and Logs Explorer, so you can investigate potential compromises in more detail.

"Analyze" could be a good replacement too.

- Indicator
- [Indicator type][3]
- [Threat intelligence category][4]
- AS type

Spell out or explain acronym AS

Comment on lines +51 to +54
- Turn the toggle **on** if you want **higher-confidence matches** tied to normalized security attributes:
- When the toggle is on, IOC matches only appear in the Explorer if values appear in mapped OCSF fields, such as the source IP, destination IP, or client IP. This helps ensure the match reflects the structured meaning of the data, rather than just the presence of the IOC somewhere in the raw log.
- Turn the toggle **off** if you want **broader threat hunting** across the full event payload:
- When the toggle is off, IOC matches appear in the Explorer if IOCs appear anywhere in the event, including unstructured text like a message body, or other freeform fields.
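Review bot: the toggle-on bullet names only IP fields (source IP, destination IP, client IP) as examples of mapped OCSF fields, while the overview text in this PR says IOCs also cover file hashes and domains; consider naming a mapped field for a hash or domain entity, or stating explicitly which entity types are matched when the toggle is on, so readers know how hash and domain indicators behave in structured mode.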

A sub-bullet isn't necessary if there's only one sub-item for each main bullet. Would regular line breaks work instead?

Suggested change
- Turn the toggle **on** if you want **higher-confidence matches** tied to normalized security attributes:
- When the toggle is on, IOC matches only appear in the Explorer if values appear in mapped OCSF fields, such as the source IP, destination IP, or client IP. This helps ensure the match reflects the structured meaning of the data, rather than just the presence of the IOC somewhere in the raw log.
- Turn the toggle **off** if you want **broader threat hunting** across the full event payload:
- When the toggle is off, IOC matches appear in the Explorer if IOCs appear anywhere in the event, including unstructured text like a message body, or other freeform fields.
- Turn the toggle **on** if you want **higher-confidence matches** tied to normalized security attributes.
When the toggle is on, IOC matches only appear in the Explorer if values appear in mapped OCSF fields, such as the source IP, destination IP, or client IP. This helps ensure the match reflects the structured meaning of the data, rather than just the presence of the IOC somewhere in the raw log.
- Turn the toggle **off** if you want **broader threat hunting** across the full event payload.
When the toggle is off, IOC matches appear in the Explorer if IOCs appear anywhere in the event, including unstructured text like a message body, or other freeform fields.

Comment on lines +71 to +72
- Signal matches, which you can view in Signals Explorer
- Related logs, which you can view in Log Explorer
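Review bot: the product name is inconsistent between this hunk and the overview: the overview paragraph says "Logs Explorer" while this bullet says "Log Explorer"; pick one spelling and use it throughout the page.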

Add links to docs/app for these Explorers?
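The OCSF Matching toggle behaviour discussed in the review threads above (an IOC sitting in an email message body versus in a mapped field), as an added Python illustration that is not part of this PR or of Datadog's product code: the OCSF field paths, the IOC set and the email event are all constructed assumptions.

```python
import re
from typing import Any

# Constructed IOC set standing in for threat-intelligence reputation data;
# 192.0.2.100 is the example IOC from the docs, the others are reserved
# RFC 5737 / RFC 2606 values that never route to real hosts.
IOC_SET = {"192.0.2.100", "198.51.100.7", "evil.example"}

# Hypothetical OCSF field paths that toggle-on matching is restricted to
# (the product's real field mapping is not on the page).
OCSF_FIELDS = ("src_endpoint.ip", "dst_endpoint.ip", "client.ip")

# IPv4 or dotted hostname tokens, used only by the toggle-off full scan.
TOKEN_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def get_path(event: dict, path: str) -> Any:
    """Walk a dotted path such as 'src_endpoint.ip'; None if absent."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def all_strings(node: Any) -> list[str]:
    """Collect every string anywhere in the event, freeform fields included."""
    if isinstance(node, str):
        return [node]
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    return [s for child in children for s in all_strings(child)]


def match_iocs(event: dict, ocsf_matching: bool) -> set[str]:
    """IOCs the event would surface in the Explorer under the toggle state."""
    if ocsf_matching:
        # Toggle on: only values sitting in mapped OCSF fields are compared.
        vals = (get_path(event, p) for p in OCSF_FIELDS)
        return {v for v in vals if isinstance(v, str) and v in IOC_SET}
    # Toggle off: any IOC token found anywhere in the raw payload counts.
    return {t for s in all_strings(event) for t in TOKEN_RE.findall(s) if t in IOC_SET}


# Constructed email event: the IOC appears only in the unstructured body.
EMAIL_EVENT = {
    "src_endpoint": {"ip": "203.0.113.5"},
    "email": {"from": "alice@corp.example", "to": "bob@corp.example",
              "message": "Bob, please review 192.0.2.100 before Friday."},
}
```

With the toggle on the email event yields no match, with it off it yields 192.0.2.100; an IOC that sits in a mapped field is matched in both modes, so structured matches are always a subset of full-payload matches.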

