IOCs are observables that were identified during the investigation, or that led to the creation of the case during monitoring activities.
Add an IoC
An IoC object can be created by going to IOC. Clicking on Add IOC in the top right corner brings up a new window for the IoC creation.
A new window appears, requesting additional information. The following information is required:
- Type: Type of the IoC. This affects which modules are available for it.
- IOC Value: The actual IoC.
- TLP: Traffic Light Protocol value.
The following information is optional:
- Description: A Markdown-formatted description of the IoC.
- Task tags: List of tags.
Once Save is clicked, the IoC is created.
Update an IoC
IoC object data can be updated by clicking on the IoC value in the IOC table. A popup appears and allows changing both required and optional fields. Once Update is clicked, the IoC is updated.
Enrich an IoC
IoC objects can be enriched in order to add valuable information to them.
Comment an IoC
To comment on an IoC, right click on it in the IOC menu and select Comment. A new pop-up appears and allows leaving comments. This is also achievable by clicking on the IoC value in the IOC table, and then clicking on the
Launch a module on an IoC
For more information about modules, see the Modules section.
A set of modules can be launched to enrich IoCs. To do so, right click on the IoC in the IOC table and select the module of choice. This is also achievable by clicking on the IoC value in the IOC table, clicking the Option button, and selecting the desired module.
The results of the module appear in newly created tabs in the IoC details. To view the tabs, click on the IoC value.
Delete an IoC
This will permanently delete the IoC and its attributes.
To delete an IoC, either right click on the IoC and select Delete, or click on the IoC value and click on the
The IoC is only unlinked from the case if it is also linked to other cases.