Collecting Indicators of Compromise
Systematically collects, categorizes, and distributes indicators of compromise (IOCs) during and after security
What Is This
The "Collecting Indicators of Compromise" skill provides a systematic approach to gathering, categorizing, and distributing Indicators of Compromise (IOCs) during and after security incidents. IOCs are technical artifacts or observable data points that indicate a system may have been breached or is under attack. Examples include malicious IP addresses, file hashes, URLs, domain names, suspicious process activity, and email artifacts. This skill leverages recognized formats like STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information) for standardization, and integrates with threat intelligence platforms such as MISP (Malware Information Sharing Platform).
By activating this skill, security teams can efficiently extract, tag, and share IOCs from incident evidence, enriching their threat detection and response capabilities. It is especially valuable during incident response, for building detection rules in security tools, and for sharing intelligence with industry partners or law enforcement.
Why Use It
Systematic IOC collection is critical for effective incident response and threat intelligence. Properly extracted and categorized IOCs allow organizations to:
- Detect and block ongoing adversary activity by quickly deploying IOCs to SIEM, EDR, and network security tools.
- Document the full scope of an incident for post-mortem analysis and compliance reporting.
- Share timely and actionable threat intelligence with peers, industry groups, and law enforcement, amplifying collective defense.
- Enrich IOCs with threat context, supporting risk-based prioritization and remediation efforts.
- Enable automated detection and response workflows through standardized IOC formats.
Failure to collect and distribute IOCs can result in missed opportunities to contain threats, repeated compromises, or inadequate incident documentation.
How to Use It
This skill is designed to activate when handling requests related to IOC collection, indicator extraction, threat indicator sharing, STIX export, or IOC enrichment. It encompasses the following steps:
1. Identify and Extract IOCs
Start by gathering evidence from relevant sources, such as SIEM, EDR, firewall logs, email gateways, and forensic images. Typical IOCs include:
- Network indicators: malicious IP addresses, domains, URLs, C2 infrastructure.
- Host indicators: file hashes (SHA256/MD5), registry modifications, malicious processes or services.
- Email indicators: suspicious sender addresses, subject lines, attachments, links.
- Behavioral indicators: abnormal command execution, persistence mechanisms.
Example:
Extracting IOCs from SIEM logs

```python
import re

def extract_ips(log_data):
    """Return the set of IPv4-looking strings found in a log line."""
    pattern = r'\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b'
    return set(re.findall(pattern, log_data))

log_entry = "Suspicious connection from 192.168.1.100 to 8.8.8.8 detected"
print(extract_ips(log_entry))
# Output: {'192.168.1.100', '8.8.8.8'}
```

2. Categorize and Enrich IOCs
Classify each IOC by type (IP, hash, domain, etc.) and context (first seen, threat actor, campaign). Enrich with threat intelligence sources to provide additional context, such as known associations or risk scores.
Example:
Categorizing IOCs for STIX packaging (pattern_type and valid_from are mandatory on a STIX 2.1 Indicator; the id, created and modified properties it also requires are generated by the stix2 library in the next step)

```json
{
    "type": "indicator",
    "spec_version": "2.1",
    "pattern": "[ipv4-addr:value = '8.8.8.8']",
    "pattern_type": "stix",
    "valid_from": "2024-05-01T10:02:11Z",
    "labels": ["C2 Server", "High Risk"],
    "description": "Malicious IP observed in phishing campaign."
}
```

3. Format and Distribute IOCs
Prepare IOCs in standardized formats such as STIX for interoperability. Use TAXII or MISP for sharing with internal teams or trusted partners. Ensure sensitive data is sanitized prior to distribution.
Example:
Exporting to STIX 2.1

```python
from stix2 import Indicator

# stix2 fills in id, created, modified and valid_from automatically;
# pattern_type is required for STIX 2.1 and must be given explicitly.
indicator = Indicator(
    name="Malicious IP Address",
    pattern="[ipv4-addr:value = '8.8.8.8']",
    pattern_type="stix",
    labels=["malicious-activity"]
)
print(indicator.serialize(pretty=True))
```

4. Integrate with Detection and Response Tools
Ingest collected IOCs into SIEM, EDR, IDS/IPS, or SOAR platforms to enable real-time detection and blocking. Update detection rules and alerting policies as needed.
5. Share and Collaborate
Distribute IOCs with sector partners, Information Sharing and Analysis Centers (ISACs), or law enforcement as appropriate. Use MISP or TAXII servers to automate sharing and synchronization.
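The pipeline the five steps describe, as an added example that is not part of the original skill: it extends the step 1 regex approach to hashes, URLs and email senders over constructed log lines, drops private addresses before sharing, and packages the result as a hand-built STIX 2.1 bundle carrying every property the spec requires. SAMPLE_LOGS, IOC_TYPES, extract_iocs and to_stix_bundle are names chosen for this example.

```python
import ipaddress
import re
import uuid
from datetime import datetime, timezone
# Constructed sample log lines, not real telemetry; "hxxp" and "[.]" are the usual defanging.
# The SHA-256 is the well-known hash of the empty string, used here only as a placeholder.
SAMPLE_LOGS = """\
2024-05-01T10:02:11Z proxy allow src=10.0.0.23 dst=8.8.8.8 url=hxxp://cdn-update[.]example/load.php
2024-05-01T10:02:15Z edr process=powershell.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2024-05-01T10:03:40Z mail from=billing@invoice-portal[.]example subject="Overdue invoice"
"""
# Per IOC type: the extraction regex and the STIX 2.1 pattern template it maps to.
IOC_TYPES = {
    "sha256": (r"\b[a-f0-9]{64}\b", "[file:hashes.'SHA-256' = '{v}']"),
    "md5": (r"\b[a-f0-9]{32}\b", "[file:hashes.MD5 = '{v}']"),
    "url": (r"\bh(?:xx|tt)ps?://\S+", "[url:value = '{v}']"),
    "ipv4": (r"\b(?:\d{1,3}\.){3}\d{1,3}\b", "[ipv4-addr:value = '{v}']"),
    "email": (r"\b[\w.+-]+@[\w-]+(?:\[\.\]|\.)[\w.\[\]-]+", "[email-addr:value = '{v}']"),
}

def refang(value):
    """Undo defanging so the indicator matches what actually appears on the wire."""
    return value.replace("hxxp", "http").replace("[.]", ".")

def extract_iocs(text):
    """Return {ioc_type: set(values)}; private/reserved IPv4s (10.0.0.23 above) are dropped."""
    found = {}
    for ioc_type, (pattern, _) in IOC_TYPES.items():
        values = set()
        for match in re.findall(pattern, text, flags=re.IGNORECASE):
            value = refang(match)
            if ioc_type == "ipv4" and not ipaddress.ip_address(value).is_global:
                continue  # internal hosts are incident context, not shareable indicators
            values.add(value)
        found[ioc_type] = values
    return found

def to_stix_bundle(iocs, source="constructed incident"):
    """Package IOCs as a STIX 2.1 Bundle of Indicators with all required properties."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    objects = []
    for ioc_type, values in iocs.items():
        for value in sorted(values):
            objects.append({
                "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
                "created": now, "modified": now, "valid_from": now, "pattern_type": "stix",
                "pattern": IOC_TYPES[ioc_type][1].format(v=value.replace("'", "\\'")),
                "indicator_types": ["malicious-activity"], "description": f"{ioc_type} observed in {source}",
            })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
```

Feed the bundle to `json.dumps` to push it to a TAXII collection or a MISP import; the private source address never reaches the output, which is the sanitization step 3 asks for.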
When to Use It
- During an active security incident to identify and block adversary infrastructure.
- Immediately post-incident to document and analyze all IOCs for future detection and compliance.
- When building or tuning detection rules in SIEM, EDR, or network security solutions.
- While enriching IOCs with threat intelligence for prioritization and response.
- When sharing intelligence with sector partners, ISACs, or law enforcement.
Do not use this skill for behavioral TTP (Tactics, Techniques, and Procedures) analysis unless technical indicators are present. For pure behavioral analysis, refer to MITRE ATT&CK mappings.
Important Notes
- Ensure access to relevant evidence sources, such as SIEM logs, EDR telemetry, and network captures, prior to IOC collection.
- Always validate and sanitize IOCs before deploying them to production detection systems to avoid false positives.
- Use standardized formats (STIX/TAXII) for seamless sharing and integration.
- Maintain compliance with privacy and data handling regulations when distributing IOCs, especially if sharing externally.
- Regularly review and retire obsolete IOCs to maintain detection efficacy and operational efficiency.
- This skill aligns with NIST CSF functions for incident response and recovery, and maps to MITRE ATT&CK techniques T1071, T1059, T1547, and T1053.
By systematically collecting, categorizing, and distributing IOCs, organizations can enhance their threat detection, response, and intelligence sharing capabilities, supporting a proactive security posture.