IOC (Indicator of Compromise)

Short Definition

An Indicator of Compromise (IOC) is a piece of forensic evidence that points to potential malicious activity, such as an IP address, a file hash, a malicious domain, a registry change, or a process pattern.

Deep Technical Explanation

Indicators of Compromise are discrete artifacts collected from systems, networks, or security tools that signal that a breach has occurred or is currently in progress. IOCs represent observable traces left behind by attacker activity. These can include known malicious IP addresses used for command and control, file hashes belonging to malware samples, suspicious domains, unauthorized registry modifications, process anomalies, or unusual authentication patterns.

IOCs are commonly extracted from multiple telemetry sources, including malware reverse engineering, threat intelligence feeds, SIEM event correlation, EDR detections, sandbox analysis, packet captures, and external research reports. They allow SOC teams to quickly match known malicious artifacts against internal systems and determine if an environment has been compromised.

Typical examples include:

  • malicious or command and control IP addresses
  • suspicious URLs or newly registered domains
  • file hashes associated with malware families
  • registry key changes linked to persistence mechanisms
  • unauthorized user accounts or privilege escalation artifacts
  • unusual outbound network traffic or data exfiltration patterns

IOCs are inherently reactive: they detect activity that has already taken place or is actively ongoing. Because attackers can rapidly modify infrastructure, rotate IP addresses, repack malware to change its hashes, or use dynamic domains, IOCs often have a short lifespan. This is why modern detection strategies combine IOC matching with behavioral analysis built on indicators of attack (IOA), which focuses on tactics and techniques rather than static indicators.
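As an added example (not BlueGrid.io's code), the following script matches a small constructed IOC set against constructed firewall, DNS and EDR log lines and flags hits whose indicator has not been seen by the feed for an assumed 30 days, which is the short-lifespan caveat above turned into a confidence signal. The feed schema, field names, log format and indicator values are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical feed entry; the field names are assumptions, not a real feed schema.
@dataclass(frozen=True)
class Ioc:
    kind: str            # "ip", "domain" or "sha256"
    value: str
    last_seen: datetime  # when the feed last observed this indicator in use

# Constructed IOC set: documentation-range IP, reserved TLD and a made-up hash.
IOC_FEED = [
    Ioc("ip", "203.0.113.42", datetime(2024, 3, 1)),
    Ioc("domain", "update-check.example", datetime(2024, 3, 5)),
    Ioc("sha256", "0123456789abcdef" * 4, datetime(2023, 11, 1)),
]

# Constructed telemetry in a simple key=value style; not real captures.
LOG_LINES = [
    "2024-03-10T12:00:01Z fw src=10.0.0.5 dst=203.0.113.42 dport=443 action=allow",
    "2024-03-10T12:00:03Z dns client=10.0.0.5 query=UPDATE-CHECK.EXAMPLE type=A",
    "2024-03-10T12:00:07Z edr host=ws01 proc=svchost.exe sha256=" + "0123456789abcdef" * 4,
    "2024-03-10T12:00:09Z fw src=10.0.0.7 dst=192.0.2.10 dport=80 action=allow",
]

ANALYSIS_TIME = datetime(2024, 3, 10)   # fixed "now" so the run is reproducible
TOKEN_SPLIT = re.compile(r"[\s=,;\"']+")

def match_iocs(lines, feed, now, max_age=timedelta(days=30)):
    """Return (line_no, kind, value, stale) for each token equal to a known IOC.

    Matching is exact and case-insensitive on whole tokens, so 203.0.113.4 does not
    fire on 203.0.113.42. Hits on indicators older than max_age are kept but flagged
    stale: they merit lower confidence and re-validation, not silent suppression.
    """
    index = {ioc.value.lower(): ioc for ioc in feed}
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for token in TOKEN_SPLIT.split(line):
            ioc = index.get(token.lower())
            if ioc is not None:
                stale = now - ioc.last_seen > max_age
                hits.append((line_no, ioc.kind, ioc.value, stale))
    return hits

if __name__ == "__main__":
    for hit in match_iocs(LOG_LINES, IOC_FEED, ANALYSIS_TIME):
        print(hit)
```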

How BlueGrid.io Uses It

We enrich alerts with IOC matches from multiple threat intelligence sources to increase detection accuracy, reduce false negatives, and provide context during investigations.
