IOC Basics

Updated 1 week ago by Elvis Hovor

What is an IOC

Indicators of Compromise, or IOCs for short, are pieces of information, such as URLs or email addresses, that indicate an event on a network or device. IOC data enables investigators to determine at an early stage if there is harmful activity on a network, such as a security breach or other suspicious incident. IOCs are sometimes referred to as observables.

IOC types supported by TruSTAR.
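The IOC types mentioned above (URLs, email addresses, and similar observables) usually arrive embedded in free text such as a pasted report, often defanged with `hxxp://` or `[.]` so they cannot be clicked by accident. The following is an added example, not TruSTAR's code or API, of how an analyst might pull indicators out of such text and sort them by type before uploading them; the type names, regular expressions and sample report text are all constructed here for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample report fragment; hosts use reserved .example names and a
# TEST-NET-2 address, and the hashes are the well-known digests of an empty file.
SAMPLE_TEXT = """
Phishing mail from attacker@badmail[.]example linked to hxxp://evil.example/login.php
Payload downloaded from 198.51.100.23, MD5 d41d8cd98f00b204e9800998ecf8427e.
Second stage: hxxps://evil.example/update and SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Same C2 seen again: 198.51.100.23 and evil[.]example
"""


def refang(text: str) -> str:
    """Undo the common defanging conventions so the patterns below match."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    for token in ("[.]", "(.)", "{.}"):
        text = text.replace(token, ".")
    return text


# Ordered from most to least specific: URLs and emails are consumed first so
# their host parts are not counted again as bare domains; hash types are told
# apart by hex length (64 = SHA-256, 40 = SHA-1, 32 = MD5).
PATTERNS = OrderedDict([
    ("url",    re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)),
    ("email",  re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ipv4",   re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
                          r"(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)),
    ("sha1",   re.compile(r"\b[0-9a-f]{40}\b", re.IGNORECASE)),
    ("md5",    re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)),
    # Bare-domain pattern is deliberately last; it is the noisiest (it will
    # also match things like "e.g" in prose) so review its hits before upload.
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
])


def extract_iocs(text: str) -> dict:
    """Return {ioc_type: [unique values in first-seen order]} for the text."""
    text = refang(text)
    found = {name: [] for name in PATTERNS}
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0).rstrip(".,;")
            # Normalise case where it is not significant; URL paths may be
            # case-sensitive, so URLs are kept exactly as written.
            if name in ("email", "domain", "md5", "sha1", "sha256"):
                value = value.lower()
            if value not in found[name]:
                found[name].append(value)
        # Blank out what this pattern consumed (same length, so later
        # word-boundary matching is unaffected) before trying the next one.
        text = pattern.sub(lambda m: " " * len(m.group(0)), text)
    return found


def summarize(found: dict) -> dict:
    """Count of unique indicators per type, for a quick sanity check."""
    return {name: len(values) for name, values in found.items() if values}


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_TEXT)
    for ioc_type, values in result.items():
        for value in values:
            print(f"{ioc_type:7s} {value}")
    print(summarize(result))
```

Because the repeated address and the two spellings of the same domain collapse to one entry each, the output is already deduplicated; in practice that review step (and a look at the bare-domain hits) is what keeps noise out of the IOC list you upload.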

Viewing IOCs

The IOCs Panel is where you work with IOCs, either as a list you can filter and sort, or by viewing the details of a specific IOC. You access the IOCs panel by clicking the IOCs icon in the Navigation Bar.

The IOCs panel has two views, each with a separate purpose:

  • List View: Displays a list of IOCs that match the current filters you have set. This is the default view for IOCs. You can always return to the list by clicking on the IOC icon in the Navigation Bar.
  • Constellation View: Provides a detailed look at a selected IOC. To see an IOC in Constellation view, click on the highlighted title of the IOC in List View.

Managing IOCs

IOCs (also called observables) are the building blocks of cyber threat intelligence (CTI) analysis and are critical to making accurate decisions throughout the investigative workflow, but effectively managing large numbers of IOCs can be a daunting challenge. TruSTAR streamlines IOC management throughout the entire workflow, with support for:

FAQ for IOC Uploading
