Overview: Indicators

Updated 1 month ago by Elvis Hovor

As a security professional, you collect pieces of information, such as URLs or email addresses, that indicate an event on a network or device. TruSTAR takes these Observables and then enriches and scores them to transform them into Indicators (also called IOCs, or Indicators of Compromise). These Indicators help you determine whether there is harmful activity on a network, such as a security breach or other suspicious incident.

  • Observable: A data object with a type and a value (for example an IP address, URL, or hash) that is used to create relationships between two data records.
  • Indicator: An Observable with a normalized TruSTAR score, attributes, and a detection validity time range. The score of an Indicator can help you determine whether an event is malicious or legitimate. Attributes such as a malware family or threat actor provide strong context for why an Indicator was scored a certain way.
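To make the Observable/Indicator distinction concrete, here is an added example (illustrative code written for this page, not TruSTAR's API or scoring logic): it classifies raw tokens into the Observable types named above, wraps them in an Indicator with a score, attributes and a validity window, and then filters them the way a scored, time-bounded list would. The regexes, the 0.0 to 1.0 score scale, the `triage` function and all sample values are assumptions constructed for the example.

```python
"""Added example: a toy model of the Observable -> Indicator relationship.
Illustrative only; not TruSTAR code. Patterns, score scale and sample data are assumptions."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Observable types named on the page (IPs, URLs, hashes, email addresses).
# These patterns are assumptions that suffice for the example, not full validators.
_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_URL = re.compile(r"^https?://\S+$", re.IGNORECASE)
_STRIP = ",;:()<>[]\"'"  # punctuation commonly glued onto tokens in free text


@dataclass(frozen=True)
class Observable:
    """A typed value with no judgement attached yet."""
    type: str
    value: str


@dataclass
class Indicator:
    """An Observable after enrichment: score, attributes and a validity window."""
    observable: Observable
    score: float                      # assumed scale: 0.0 benign .. 1.0 malicious
    valid_from: datetime
    valid_until: datetime
    attributes: dict = field(default_factory=dict)   # e.g. {"malware_family": "..."}

    def is_active(self, at: datetime) -> bool:
        """True when `at` falls inside the detection validity time range (inclusive)."""
        return self.valid_from <= at <= self.valid_until


def classify(value: str) -> Optional[str]:
    """Return the observable type for a token, or None if it is not one we recognise."""
    v = value.strip(_STRIP)
    try:
        ipaddress.ip_address(v)
        return "IP"
    except ValueError:
        pass
    if _HASH.match(v):
        return "HASH"
    if _URL.match(v):
        return "URL"
    if _EMAIL.match(v):
        return "EMAIL"
    return None


def extract_observables(text: str) -> list[Observable]:
    """Pull every recognisable Observable out of free text, de-duplicated, in order."""
    found: list[Observable] = []
    seen: set[tuple[str, str]] = set()
    for token in text.split():
        kind = classify(token)
        if kind is None:
            continue
        key = (kind, token.strip(_STRIP))
        if key not in seen:
            seen.add(key)
            found.append(Observable(*key))
    return found


def triage(indicators: list[Indicator], threshold: float, at: datetime) -> list[Indicator]:
    """Mimic a filtered list: Indicators active at `at` with score >= threshold, highest first."""
    hits = [i for i in indicators if i.is_active(at) and i.score >= threshold]
    return sorted(hits, key=lambda i: i.score, reverse=True)


# --- Constructed sample data (not real IoCs) ---------------------------------------
SAMPLE_ALERT = (
    "Outbound connection from 10.0.0.7 to http://example.test/login.php; "
    "attachment sha256 " + "a" * 64 + ", sender phish@example.test, "
    "reviewed by analyst@example.test"
)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
T_LATER = datetime(2024, 3, 1, tzinfo=timezone.utc)

SAMPLE_INDICATORS = [
    Indicator(Observable("URL", "http://example.test/login.php"), 0.9, T0, T_LATER,
              {"malware_family": "example-family"}),
    Indicator(Observable("HASH", "a" * 64), 0.7, T0, T_LATER),
    Indicator(Observable("IP", "10.0.0.7"), 0.1, T0, T_LATER),           # internal host, benign
    Indicator(Observable("EMAIL", "phish@example.test"), 0.95, T0, T0),  # window already closed
]

if __name__ == "__main__":
    for o in extract_observables(SAMPLE_ALERT):
        print(f"{o.type:6} {o.value}")
    for ind in triage(SAMPLE_INDICATORS, 0.5, T_LATER):
        print(f"score={ind.score:.2f} {ind.observable.type} {ind.observable.value}")
```

Note how the high-scoring email address drops out of the triage result: a score alone is not enough, the detection validity range decides whether the Indicator still applies at the time you are looking.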

Related Link: Indicator types supported by TruSTAR.

Viewing Indicators

The IOCs panel is where you work with Indicators, either as a list you can filter and sort, or by viewing the details of a specific Indicator. You open the IOCs panel by clicking the IOCs icon in the Navigation Bar.

The IOCs panel has two views, each with a separate purpose:

  • List View: Displays a list of Indicators that match the filters you have currently set. This is the default view. You can always return to the list by clicking the IOCs icon in the Navigation Bar.
  • Graph View: Provides a detailed look at a selected Indicator. To see an Indicator in Graph view, click on its title while in List View.

Managing Indicators

Indicators are critical to making accurate decisions throughout the investigative workflow, but effectively managing large numbers of them can be a daunting challenge. TruSTAR streamlines Indicator management throughout the entire workflow, with support for:
