Indicator of compromise (IOCs)
Indicators of compromise (IOCs) refer to data that indicates a system may have been infiltrated by a cyber threat. They provide cybersecurity teams with crucial knowledge after a data breach or another breach in security. In this section, you can create and manage IOCs for your Cases.
Please note that you can assign multiple IOCs to a single Case or a single IOC to many Cases.
Types of IOCs
- IP Address
- URL String
- File Hash
- Email Address
- Host name
- Username
- Process Name
- File Name
- MAC Address
- Endpoint
- Uniform Resource Locator
- File
- Process
- User
- Registry Key
- Registry Value
- Registry UID
- GEO Location
- Container
- Fingerprint
- Other
- Unknown
If you wish to edit the IOC type, simply go to the IOC table, locate the 
icon next to the IOC Type table heading, and proceed to remove the desired IOC types by clicking the X button, followed by the Save button.
Creating a New IOC
Please note, you can also create IOCs directly from the main IOC table. Simply navigate to the IOC table and click on the New IOC button located in the top-right corner and fill out the required parameters.
- Double click on the Case you want to attach the IOC(s) to, navigate to the Table Tab in the Overview Section of the selected Case, and in the top-right conner select the New Record button.
- A dialog box for creating a new record will appear.
- Fill in all the necessary fields.
| Fields | Description |
|---|---|
| Name | The name of the IOC. |
| IOC Type | The type of the IOC. |
| Value | The value of the IOC |
| Description (Optional) | A written description for the IOC |
| Linked Cases | Cases Linked to the selected IOC |
| Linked Alerts | Alerts Linked to the selected IOC |
| Linked IOC | IOC Linked to the selected IOC |
- Once completed, select the Add Record button in the bottom-right corner.
