View an IoC

  • Release version: Yokohama
  • Updated January 30, 2025

IoCs (indicators of compromise), sometimes referred to as indicators, are typically retrieved from a threat data source as STIX data. If needed, you can also create IoCs.

    Before you begin

    Role required: sn_ti.write

    Procedure

    1. After the scheduled job has retrieved IoC data from the defined data source, navigate to Threat Intelligence > IoC Repository > Indicators.
      The retrieved IoCs are listed.
    2. Click the IoC you want to view.
    3. The following information displays.

      | Field | Description |
      | --- | --- |
      | Select classification tag | If you set up and activated security tags to add metadata to the record, you can select one or more tags to specify the degree of sensitivity of the IoC. If you did not set up or activate security tags, this drop-down list is not displayed. |
      | Title | A descriptive name for this indicator. |
      | First Seen | The first date this indicator was observed in the system. |
      | Last Seen | The most recent date this indicator was observed in the system. |
      | Encountered count | The number of times the indicator has been encountered. |
      | Sourced count | The number of times the indicator was imported from defined threat sources. |
      | Notes | Any additional notes about the indicator. This field can also contain JSON key/value pairs. |

    4. You can click any of the following related lists to view additional information.

      | Related Links and Related Lists | Description |
      | --- | --- |
      | Show Relationships | Opens the STIX Visualizer where you can view the relationship of the STIX object. Show Relationships appears only when the object has an associated object. |
      | Related Observables | Lists observables that are linked to the current indicator. |
      | Related Attack mode/method | Lists attack modes/methods that have been identified as related to this indicator. |
      | Associated Type | Lists other indicator types that are associated with this IoC. |
      | Indicator Sources | Lists the sources of this indicator, along with the confidence level of the source. |
      | Associated Tasks | Lists all tasks, changes, and incidents associated with the IoC. |
      | Indicator Metadata | If the Notes field contains valid JSON key/value pairs, they are parsed and displayed. If no JSON key/value pairs are present, or if the JSON is invalid, this related list is not displayed. |
      | Security Annotations | |
      | Indicator External References | |
      | Associated Kill Chain Phases | Lists kill chain phases associated with this object. |
      | Attack Patterns | Lists the attack patterns that help categorize attacks that are associated with this object. |
      | Campaigns | Lists campaigns associated with this object. |
      | Intrusion Set | Lists a set of adversarial behaviors and resources with common properties associated with this object. |
      | Malware | Lists malicious code associated with this object. |
      | Threat Actors | Lists individuals, groups, or organizations who act with malicious intent associated with this object. |
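
The Indicator Metadata related list described above appears only when the Notes field holds valid JSON, so a malformed value hides it without any error. The following added example (not ServiceNow code) pre-checks a Notes value before it is saved; `checkNotes` is a hypothetical helper, and it assumes that "valid JSON key/value pairs" means a non-empty top-level JSON object, which the page does not specify.

```javascript
// Added example: pre-check a Notes value before saving it on an indicator.
// Assumption: "valid JSON key/value pairs" means the whole field parses as
// one non-empty top-level JSON object. The platform's own parser may differ.
function checkNotes(notes) {
  const text = (notes || '').trim();
  if (text === '') {
    return { metadata: false, reason: 'empty', pairs: [] };
  }
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (err) {
    // Free text, or JSON broken by a stray quote or trailing comma.
    return { metadata: false, reason: 'invalid JSON', pairs: [] };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { metadata: false, reason: 'not an object', pairs: [] };
  }
  const pairs = Object.entries(parsed).map(([key, value]) => ({
    key,
    // Nested values are flattened to text so each row stays one key/value pair.
    value: typeof value === 'object' && value !== null
      ? JSON.stringify(value)
      : String(value),
  }));
  if (pairs.length === 0) {
    return { metadata: false, reason: 'no key/value pairs', pairs };
  }
  return { metadata: true, reason: 'ok', pairs };
}

// Constructed sample Notes values (not taken from any real feed).
const samples = [
  '{"analyst": "jdoe", "confidence": 80, "tlp": "amber"}',
  'Seen in phishing wave, see ticket',
  '{"analyst": "jdoe", "tlp": "amber",}',
  '["amber", "jdoe"]',
  '{}',
];
for (const s of samples) {
  const r = checkNotes(s);
  console.log(`${r.metadata ? 'metadata' : 'no metadata'} (${r.reason}): ${s}`);
}
```

The trailing-comma sample is the case to watch for: it looks like JSON to a reader but fails to parse, so under the behavior described above the related list would not be displayed.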