TIP IOCs
The TIP > IOCs page displays a centralized view of all indicators of compromise (IOCs). These IOCs may be IP addresses, URLs, domains, file hashes, or email addresses.
IOCs are extracted from selected TIP sources or they can be uploaded by the user. Regardless of where they are from, you can use the IOCs page to view and manage them.
By default, the list shows IOCs of any severity whose Last Reported date falls within the past 30 days, sorted by Last Reported. The screenshot above is also filtered to match a specific tag. The number of IOCs that match the filter is displayed above the IOCs list.
You can filter the IOCs with the filter buttons at the top of the page. Depending on how recently the IOC was last seen, it may be considered active or retired. For more information, see IOC states.
When you hover over an IOC value, its properties are shown in a popover. This gives 360-degree visibility of all relevant context, enabling timely triage and informed decisions.
Use the IOCs page to:
- Search for IOCs that match the selected criteria. For example:
  - IOCs, by the exact or partial IOC name.
  - IOCs from a specific period of time or extracted from a specific feed.
  - IOCs uploaded by the user or in an active or retired state.
  - IOCs that match a user policy. If the policy was created to send IOCs to security devices (for example, SIEM or firewall), use this option to see which IOCs were sent.
  - IOCs with either of these tags:
    - System tags: these system-added tags present more information about the IOC, as collected or analyzed from the different feeds and enrichment sources. For example, a "phishing" tag indicates that the IOC is used for phishing.
    - User tags: these tags are added by the user, primarily to group like IOCs together.
- Change the severity of an IOC.
- Tags: add or remove tags.
- Whitelist: add (or remove) an IOC to the user whitelist. Whitelisted IOCs are not sent to security devices.
- Investigate an IOC.
- Relate IOCs to cyberterms.
- Blocklist: add or remove IOCs to the Remediation blocklist. You can send the Remediation blocklist to integrated devices.
- Export IOCs to a downloadable CSV file.
Some indicators are suspicious and should be managed. Others may either be:
- Invalid indicators (for example, an incomplete IP address or an incorrectly formatted domain). These indicators are not shown on the IOCs page.
- Known not to be threats, that is, they are whitelisted, either by the system or by the user. Whitelisted IOCs are shown on the IOCs page, with a Low severity and the whitelist icon.
For more information on the whitelisting reasons and actions, see Whitelisted IOCs.
In either case, the IOCs page helps you focus your energy on those IOCs that need attention.
IOC states
To enable you to focus on the most relevant threats, you can filter for whether an IOC is active or retired.
The determination of active or retired is described in the following table:
| IOC | Active, if it was last seen within |
| --- | --- |
| Domain | 3 months |
| Email address | 2 months |
| File hash | 1 year |
| IP address | 2 weeks |
| URL | 2 months |
Whitelisted IOCs
When an IOC is whitelisted, it will not be sent to integrated security devices.
These are the ways that an IOC can become whitelisted:
System listed - Threat Command automatically whitelists certain IOCs, such as the company assets as well as the IOCs described in the table under System whitelisting. You can override this designation or ensure that certain IOCs will not be system whitelisted.
User listed - You can add an IOC to your user whitelist (even if it is already on the system whitelist). If you change your mind, you can then revert that decision to rely again on the system designation.
Both types of IOCs are shown on the IOCs page, with a Low severity and the whitelist icon.
System whitelisting
The following table shows why some IOCs are whitelisted by the system:
| IOC | Whitelisted when any of the following occur |
| --- | --- |
| Domain | The domain is in a list of popular domains; the domain is in the list of Cisco Umbrella popular domains; the domain is a subdomain of either of the above; the domain is in the top 10K most-used sites from Tranco; the domain is in the top 1000 websites from Alexa. |
| IP address | The IP address is in the list of Cisco Umbrella 10K most popular IP addresses; the IP address resolves to a root DNS; the IP address resolves to a public DNS; the IP address is in the known GCP (Google Cloud Platform) IP address ranges; the IP address is in a specialized list of IPv4 addresses belonging to common VPN providers and datacenters; the IP address is in the known IPv4 public DNS resolvers, Microsoft Azure Datacenter IP ranges, SMTP sending IP ranges, or Amazon AWS IP address ranges. |
| URL | If the URL includes an IP address, that part is validated as above; the domain part of the URL is whitelisted. |
| Email address | No whitelisting is performed. |
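The rules in the table, as an added example that is not Threat Command's own code: each IOC type gets its own check, URL hosts are routed to the IP or domain rule, and email addresses are never whitelisted. The reference lists are constructed stand-ins (documentation ranges), not the real Umbrella, Tranco, cloud or DNS lists.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins for the lists the table names (popular domains,
# Cisco Umbrella top IPs, cloud, DNS, VPN and datacenter ranges). A real
# deployment would load them from the providers; these are test ranges only.
POPULAR_DOMAINS = {"example.com", "example.org"}
POPULAR_IPS = {ipaddress.ip_address("198.51.100.53")}
WHITELISTED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),   # stand-in for a cloud provider range
    ipaddress.ip_network("2001:db8::/32"),  # stand-in for a public DNS resolver range
]


def domain_whitelisted(domain: str) -> bool:
    """True if the domain is a popular domain or a subdomain of one."""
    name = domain.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in POPULAR_DOMAINS)


def ip_whitelisted(ip: str) -> bool:
    """True if the address is a popular IP or inside a whitelisted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # not a valid IP address: never whitelisted here
        return False
    return addr in POPULAR_IPS or any(addr in net for net in WHITELISTED_NETWORKS)


def url_whitelisted(url: str) -> bool:
    """Check the host part: IP hosts with the IP rules, names with the domain rules."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return domain_whitelisted(host)
    return ip_whitelisted(host)


def system_whitelisted(ioc_type: str, value: str) -> bool:
    """Apply the system whitelisting rule for the given IOC type."""
    rules = {"domain": domain_whitelisted, "ip": ip_whitelisted, "url": url_whitelisted}
    # Email addresses (and any unknown type): no system whitelisting is performed.
    return rules.get(ioc_type, lambda _value: False)(value)
```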
Search for IOCs
You can search for a particular IOC, or all IOCs that match a specific pattern.
The following table shows the types of searches that are supported:
| To search for this | Do this | Example | Finds |
| --- | --- | --- | --- |
| Exact IOC | Type the exact IOC | intsights.com | intsights.com |
| Matches a string at the beginning | Type <string>* | intsights* | Any IOC with "intsights" at the beginning |
| Matches a string at the end | Type *<string> | *intsights | Any IOC that ends with "intsights" |
| Contains the string anywhere | Type *<string>* | *intsights* | Any IOC that contains "intsights" |
When performing a string search, you must use at least 3 characters. When searching for an IP address string, use at least the first two dotted decimals, for example, search for 1.1*.
String search has the following limitations:
- File hash IOC - only exact matches are supported.
- URL IOC - searches take place within the domain and subdomain only.
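The search rules above, as an added example that is not part of the product: it parses the four wildcard forms, enforces the 3-character and two-dotted-decimal minimums, refuses wildcard matches on file hashes and searches URLs by host only. Assumptions: matching is case-insensitive, and a wildcard literal made only of digits and dots is treated as an IP search.

```python
import re
from urllib.parse import urlsplit

class InvalidQuery(ValueError):
    """The search string violates the documented minimums."""

def parse_query(query: str):
    """Split a search string into (mode, literal): exact, prefix, suffix or contains."""
    leading, trailing = query.startswith("*"), query.endswith("*")
    if not (leading or trailing):
        return "exact", query
    literal = query.strip("*")
    if len(literal) < 3:
        raise InvalidQuery("string searches need at least 3 characters")
    # Assumption: a literal of digits and dots only is an IP search, which must
    # give at least the first two dotted decimals (for example 1.1*).
    if re.fullmatch(r"[\d.]+", literal) and not re.match(r"\d{1,3}\.\d{1,3}", literal):
        raise InvalidQuery("IP searches need at least the first two dotted decimals")
    if leading and trailing:
        return "contains", literal
    return ("suffix" if leading else "prefix"), literal

def matches(query: str, value: str, ioc_type: str) -> bool:
    """Apply the page's search rules to one IOC (case-insensitive by assumption)."""
    mode, literal = parse_query(query)
    if mode == "exact":
        return value.lower() == literal.lower()
    if ioc_type == "hash":                # file hashes: exact matches only
        return False
    # URLs: wildcard searches look at the domain/subdomain part only
    subject = (urlsplit(value).hostname or "") if ioc_type == "url" else value
    subject, literal = subject.lower(), literal.lower()
    if mode == "prefix":
        return subject.startswith(literal)
    return subject.endswith(literal) if mode == "suffix" else literal in subject

def search(query: str, iocs):
    """Return the values from a list of (value, type) pairs that match the query."""
    return [value for value, ioc_type in iocs if matches(query, value, ioc_type)]

# Constructed sample list; the vendor domain is the one the page's examples use.
IOCS = [
    ("intsights.com", "domain"),
    ("mail.intsights.com", "domain"),
    ("https://cdn.intsights.com/x/y", "url"),
    ("https://example.org/intsights", "url"),  # literal only in the path: not found
    ("192.0.2.10", "ip"),
    ("198.51.100.7", "ip"),
    ("ab" * 16, "hash"),                        # placeholder hash, not a real sample
]
```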
Filter the IOC list
You can filter the IOCs list to display only those that match selected criteria.
To filter the IOC list:
From the IOCs page, filter according to the options in the following table:
| To show these IOCs | Do this |
| --- | --- |
| Of a specific type | Click the Type filter and select from these IOC types: Domains, Email addresses, File hashes, IP addresses, or URLs. Within file hashes, you can filter for IOCs with a specific type of file hash. |
| With a specific severity | Click the Severity filter and select severity levels. |
| Reported from specific TIP feeds (sources) | Click the Reporting Feeds filter and select from which feeds to show IOCs. |
| Last reported in a specific time range | Click the Last Reported filter and select a time range. |
| Were whitelisted | Click the Whitelist filter and select Show only whitelisted IOCs. |
| Matching system or user tags | Click the Tags filter and select tags to match. |
| First reported in a specific time range | Click the First Reported filter and select a time range. |
| Were found by specific policy rules | Click the Policy Rules filter and select from which policy rules to show IOCs. |
| In active or retired state | Click the State filter and select Active or Retired. |
| Matching specific MITRE ATT&CK tactics | Click the MITRE Tactics filter and select tactics to match. |
| Matching specific Kill Chain phases | Click the Kill Chain Phases filter and select phases to match. |
| Matching system tags | Click the System Tags filter and select tags to match. |
| Show all IOCs | Click Clear all filters. |
The selected IOCs are displayed.
Change an IOC severity
IOC default severity is determined by its source. You can change the severity, thus overriding the system severity.
When you upload IOCs from an email message or document, you can set their severity, as described in Add IOCs to TIP Sources.
To change the severity of multiple IOCs, see Perform operations on multiple IOCs.
To change the severity of an IOC:
- From the IOCs page, select the Severity level for an IOC.
- From the drop-down arrow, select a new severity.
The severity is changed. The severity icon changes to indicate that it was changed manually.
To revert the IOC to the system-assigned severity, repeat the above procedure and select Revert to Default.
Add or remove IOC tags
You can add new user tags or remove existing user tags. Tags assigned by the system cannot be removed.
To add tags to multiple IOCs, see Perform operations on multiple IOCs.
To add or remove IOC tags:
- From the IOCs page, hover over an IOC row and click Add or remove IOC tags.
- (Optional) To remove an existing tag, search for the tag, then click the X in the tag. The tag is removed.
- (Optional) To add a new tag, click the +, enter the tag name, press Enter, then click Close.
The new tag is added to the IOC and is displayed in the IOCs table and in the Investigation page.
Whitelisting activities
The following table describes the IOC whitelist statuses and the actions that can be done per status:
| Whitelist status | Icon | Description | Available actions |
| --- | --- | --- | --- |
| Not on any whitelist | None | Will be passed to integrated devices. | Add to user whitelist; Do not whitelist |
| On the system whitelist | | Will not be passed to integrated devices. | Add to user whitelist (if the IOC drops off the system whitelist, it will still be on the user whitelist); Do not whitelist |
| On the user whitelist | | Will not be passed to integrated devices. | Do not whitelist; Revert to default |
| Added to the "do not whitelist" list | | Will be passed to integrated devices, even if the IOC is on the system whitelist. | Add to user whitelist; Revert to default |
You can control the whitelist status of IOCs by performing the following:
- Add IOCs to the user whitelist - You can add (or remove) IOCs to the user whitelist.
- Mark IOCs as "Do not whitelist" - Marked IOCs will not be treated as whitelisted. If the IOC is on the system whitelist, this user action will override that, and the IOC will be sent to devices.
- Revert IOC whitelist control - Defer to the system decision about IOC whitelisting.
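The status table and the three controls above, modelled as a small state machine. This is an added example, not Threat Command's own code: it encodes which actions each status offers, where each action leads, which statuses are passed to integrated devices, and that user decisions stay in force when the system verdict later changes. Action names are assumptions chosen for the example.

```python
from enum import Enum


class Status(Enum):
    """Whitelist statuses from the table above."""
    NONE = "Not on any whitelist"
    SYSTEM = "On the system whitelist"
    USER = "On the user whitelist"
    DO_NOT = 'Added to the "do not whitelist" list'


# Actions the table makes available per status (names assumed for the example).
ALLOWED_ACTIONS = {
    Status.NONE: {"add_to_user_whitelist", "do_not_whitelist"},
    Status.SYSTEM: {"add_to_user_whitelist", "do_not_whitelist"},
    Status.USER: {"do_not_whitelist", "revert_to_default"},
    Status.DO_NOT: {"add_to_user_whitelist", "revert_to_default"},
}


def default_status(system_whitelisted: bool) -> Status:
    """Status of an IOC the user has not touched: the system decides."""
    return Status.SYSTEM if system_whitelisted else Status.NONE


def passed_to_devices(status: Status) -> bool:
    """Only IOCs on no whitelist, or marked 'do not whitelist', reach integrated devices."""
    return status in (Status.NONE, Status.DO_NOT)


def apply_action(status: Status, action: str, system_whitelisted: bool) -> Status:
    """Move an IOC to its new status, rejecting actions the table does not offer."""
    if action not in ALLOWED_ACTIONS[status]:
        raise ValueError(f"{action!r} is not available when: {status.value}")
    if action == "add_to_user_whitelist":
        return Status.USER
    if action == "do_not_whitelist":
        return Status.DO_NOT
    return default_status(system_whitelisted)   # revert_to_default: defer to the system


def system_recomputed(status: Status, system_whitelisted: bool) -> Status:
    """User decisions are sticky: only system-controlled statuses follow a new system verdict."""
    if status in (Status.USER, Status.DO_NOT):
        return status
    return default_status(system_whitelisted)
```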
Add (or remove) IOCs to the user whitelist
You can add IOCs to a user whitelist. If the IOC was previously added to a whitelist, you can take it off the user whitelist by reverting to the default state.
To add or remove multiple IOCs to the user whitelist, see Perform operations on multiple IOCs.
To add (or remove) an IOC to a whitelist:
- From the IOCs page, hover your pointer over an IOC row, then click Change IOC whitelist status.
- To whitelist the IOC, click Add to whitelist.
- If the IOC was previously added to the user whitelist, you can remove it by clicking Revert to Default.
When you click Revert to default, the IOC will be subject to being whitelisted by the system. A confirmation message is displayed and the icon by the IOC changes accordingly.
To mark an IOC as "Do not whitelist":
- From the IOCs page, hover your pointer over an IOC row, then click Change IOC whitelist status.
- Click Do not whitelist.
A confirmation message is displayed and the icon by the IOC changes accordingly.
To revert an IOC to system control:
- From the IOCs page, hover your pointer over an IOC row, then click Change IOC whitelist status.
- Click Revert to default.
A confirmation message is displayed and the icon by the IOC changes accordingly.
Investigate IOCs
You can launch an Investigation on listed IOCs (not supported for email addresses). For more information, see Investigation.
To investigate an IOC:
Relate IOCs to cyberterms
In addition to the system-defined related IOCs, you can manually relate IOCs to cyberterms. These IOCs are shown when a cyberterm is investigated, and in the Threat Library, too.
This improves your ability to research and investigate, and makes the Threat Library more valuable as your one-stop repository of all cyberterm-related information.
Email address IOCs cannot currently be related to cyberterms.
To relate (or unrelate) multiple IOCs, see Perform operations on multiple IOCs.
To relate IOCs to a cyberterm:
- From the IOCs page, hover your pointer over an IOC.
- From the menu at the far right, click > Cyberterm relation.
- Select the cyberterms to which the IOC should be related (max: 10), then click Close.
- Click Update IOC.
To unrelate IOCs from a cyberterm:
- From the IOCs page, hover your pointer over an IOC.
- From the menu at the far right, click > Cyberterm relation. Currently related cyberterms are displayed.
- Click X on each cyberterm to unrelate.
- Click Update IOC.
Add (or remove) IOCs to the Remediation blocklist
You can add (or remove) IOCs to the Remediation blocklist. By sending the blocklist to security devices, you can block the IOCs.
To add (or remove) multiple IOCs to the Remediation blocklist, see Perform operations on multiple IOCs.
To add IOCs to the Remediation blocklist:
- From the IOCs page, hover your pointer over an IOC.
- From the menu at the far right, click > Add to blocklist.
If the IOC is already on the blocklist, you can remove it by clicking Remove from blocklist.
The Remediation blocklist is added as a reporting feed.
Perform operations on multiple IOCs
You can perform some operations on multiple IOCs (up to 200) at one time. First, select the desired IOCs, then use the multiple IOC toolbar to perform the operations.
The most efficient way to perform operations on multiple IOCs is by using the Public API.
These actions can be performed on multiple IOCs at one time: add tags, change severity, and add (or remove) IOCs to the Remediation blocklist.
To perform operations on multiple IOCs:
- From the IOCs page, select multiple IOCs:
| To select these | Select like this |
| --- | --- |
| All IOCs (200 limit) | Each time you select all, 50 IOCs will be selected, until you reach the total of 200. |
| Individual IOCs | |
When you select IOCs, the multiple IOC commands are displayed at the top of the IOC page:
- Click the desired command and perform the activity to all selected IOCs.
Export displayed IOCs
You can export the list of displayed IOCs to a CSV file. You can filter the list before exporting, so only those IOCs that match your selection will be exported.
To export displayed IOCs:
- When the list is displayed, click Export CSV.
The CSV is downloaded to your default download location.