TIP IOCs

The TIP > IOCs page displays a centralized view of all indicators of compromise (IOCs). These IOCs may be IP addresses, URLs, domains, file hashes, or email addresses.

IOCs are extracted from selected TIP sources or they can be uploaded by the user. Regardless of where they are from, you can use the IOCs page to view and manage them.

[Screenshot: the IOCs page]

By default, IOCs are filtered by Last Reported (in the past 30 days) of any severity and sorted by Last Reported. The screenshot above is additionally filtered to match a specific tag. The number of IOCs that matched the filter is displayed above the IOCs list.

You can filter the IOCs with the filter buttons at the top of the page. Depending on how recently the IOC was last seen, it may be considered active or retired. For more information, see IOC states.

When you hover over an IOC value, its properties are shown in a popover. This gives you full visibility of all relevant context in one place, enabling timely triage and informed decisions.

Use the IOCs page to:

  • Search for IOCs that match the selected criteria. For example:

    • IOCs, by the exact or partial IOC name.
    • IOCs from a specific period of time or extracted from a specific feed.
    • IOCs uploaded by the user or in an active or retired state.
    • IOCs that match a user policy.
      If the policy was created to send IOCs to security devices (for example, SIEM or firewall), use this option to see which IOCs were sent.
    • IOCs with either of these tags:
      • System tags
        These system-added tags present more information about the IOC, as collected or analyzed from the different feeds and enrichment sources. For example, a "phishing" tag indicates that the IOC is used for phishing.
      • User tags
        These tags are added by the user, primarily to group like IOCs together.
  • Change the severity of an IOC.

  • Tags - add or remove tags.

  • Whitelist - add (or remove) an IOC to the user whitelist.

    Whitelisted IOCs are not sent to security devices.

  • Investigate an IOC.

  • Relate IOCs to cyberterms.

  • Blocklist - add or remove IOCs to the Remediation blocklist.

  • You can send the Remediation blocklist to integrated devices.

  • Export IOCs to a downloadable CSV file.

Some indicators are suspicious and should be managed. Others may either be:

  • Invalid indicators (for example, an incomplete IP address or incorrectly formatted domain)
    These indicators are not shown on the IOCs page.
  • Known not to be threats, that is, they are whitelisted, either by the system or by the user. Whitelisted IOCs are shown on the IOCs page, with a Low severity and a whitelist icon.

For more information on the whitelisting reasons and actions, see Whitelisted IOCs.

In either case, the IOCs page helps you focus your energy on those IOCs that need attention.

IOC states

To enable you to focus on the most relevant threats, you can filter for whether an IOC is active or retired.

The determination of active or retired is described in the following table:

| IOC | Active, if it was last seen within |
| --- | --- |
| Domain | 3 months |
| Email address | 2 months |
| File hash | 1 year |
| IP address | 2 weeks |
| URL | 2 months |
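The following is an added example, not code from the product or its documentation, that applies the windows in the table above to a set of constructed IOCs. It assumes "months" means calendar months and "2 weeks" means 14 days; a fixed evaluation date is used so the results are reproducible.

```python
"""Classify IOCs as active or retired using the per-type windows from the table above."""
import calendar
from datetime import date, timedelta

# Activity windows per IOC type, taken from the IOC states table.
ACTIVE_WINDOWS = {
    "domain": (3, "months"),
    "email": (2, "months"),
    "file_hash": (12, "months"),  # 1 year
    "ip": (14, "days"),           # 2 weeks
    "url": (2, "months"),
}

def months_before(d: date, n: int) -> date:
    """Date n calendar months before d, clamping the day (31 Mar 2024 minus 1 month -> 29 Feb 2024)."""
    index = d.year * 12 + (d.month - 1) - n
    year, month0 = divmod(index, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)

def cutoff_for(ioc_type: str, today: date) -> date:
    """Earliest last-seen date for which an IOC of this type still counts as active."""
    n, unit = ACTIVE_WINDOWS[ioc_type]
    return today - timedelta(days=n) if unit == "days" else months_before(today, n)

def ioc_state(ioc_type: str, last_seen: date, today: date) -> str:
    return "active" if last_seen >= cutoff_for(ioc_type, today) else "retired"

# Constructed sample IOCs (not real indicators), evaluated against a fixed date.
TODAY = date(2024, 3, 31)
SAMPLE = [
    ("ip", "192.0.2.10", date(2024, 3, 20)),                 # 11 days ago
    ("ip", "198.51.100.7", date(2024, 3, 1)),                # 30 days ago
    ("domain", "example.test", date(2024, 1, 5)),            # cutoff is 2023-12-31
    ("file_hash", "<constructed-sha256>", date(2023, 2, 1)), # more than a year ago
]

def classify_all(rows=SAMPLE, today=TODAY) -> dict:
    return {value: ioc_state(ioc_type, seen, today) for ioc_type, value, seen in rows}

if __name__ == "__main__":
    for value, state in classify_all().items():
        print(f"{value}: {state}")
```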

Whitelisted IOCs

When an IOC is whitelisted, it will not be sent to integrated security devices.

These are the ways that an IOC can become whitelisted:

  • System listed - Threat Command automatically whitelists certain IOCs, such as the company assets as well as the IOCs described in this table. You can override this designation or ensure that certain IOCs will not be system whitelisted.

  • User listed - You can add an IOC to your user whitelist (even if it is already on the system whitelist). If you change your mind, you can then revert that decision to rely again on the system designation.

    Both types of IOCs are shown on the IOCs page, with a Low severity and a whitelist icon.

System whitelisting

The following table shows why some IOCs are whitelisted by the system:

| IOC | Whitelisted when any of the following occur |
| --- | --- |
| Domain | The domain is in a list of popular domains; the domain is in the list of Cisco Umbrella popular domains; a subdomain of either of the above; top 10K most-used sites from Tranco; top 1000 websites from Alexa. |
| IP address | The IP address is in the list of Cisco Umbrella 10K most popular IP addresses; the IP address resolves to a root DNS; the IP address resolves to a public DNS; known GCP (Google Cloud Platform) IP address ranges; a specialized list of IPv4 addresses belonging to common VPN providers and datacenters; known IPv4 public DNS resolvers, Microsoft Azure Datacenter IP ranges, SMTP sending IP ranges, or Amazon AWS IP address ranges. |
| URL | If the URL includes an IP address, that part is validated as above; the domain part of the URL is whitelisted. |
| Email address | No whitelisting is performed. |

Search for IOCs

You can search for a particular IOC, or all IOCs that match a specific pattern.

The following table shows the types of searches that are supported:

| To search for this | Do this | Example | Finds |
| --- | --- | --- | --- |
| Exact IOC | Type the exact IOC | intsights.com | intsights.com |
| Matches a string at the beginning | Type <string>* | intsights* | Any IOC with "intsights" at the beginning |
| Matches a string at the end | Type *<string> | *intsights | Any IOC that ends with "intsights" |
| Contains the string anywhere | Type *<string>* | *intsights* | Any IOC that contains "intsights" |

When performing a string search, you must use at least 3 characters. When searching for an IP address string, use at least the first two dotted decimals, for example, search for 1.1*.

String search is limited to the following cases:

  • File hash IOC - only exact matches are supported.
  • URL IOC - Searches take place within the domain and subdomain.
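The following is an added example, not code from the product or its documentation, that applies the search rules above (the four pattern forms, the 3-character and two-dotted-decimal minimums, exact-only matching for file hashes, and host-only matching for URLs) to a constructed IOC list. Case-insensitive matching is an assumption; the sample IOC values are constructed, not real indicators.

```python
"""Match IOC values against the search patterns described in the search table."""
import re
from urllib.parse import urlsplit

MIN_STRING_LEN = 3  # wildcard searches need at least 3 characters
IP_FRAGMENT = re.compile(r"\d{1,3}(\.\d{1,3})*\.?")

def parse_pattern(pattern: str):
    """Return (mode, core): exact 'x', prefix 'x*', suffix '*x' or contains '*x*'."""
    leading, trailing = pattern.startswith("*"), pattern.endswith("*")
    core = pattern.strip("*")
    if not (leading or trailing):
        return "exact", core
    if leading and trailing:
        return "contains", core
    return ("suffix" if leading else "prefix"), core

def validate_core(mode: str, core: str) -> None:
    """Reject wildcard cores that are too short to search."""
    if mode == "exact":
        return
    if IP_FRAGMENT.fullmatch(core):
        # IP-address strings need at least the first two dotted decimals, e.g. "1.1*".
        if len(core.strip(".").split(".")) < 2:
            raise ValueError("IP search needs at least two dotted decimals")
    elif len(core) < MIN_STRING_LEN:
        raise ValueError(f"string search needs at least {MIN_STRING_LEN} characters")

def searchable_text(ioc_type: str, value: str) -> str:
    """URL searches are limited to the domain and subdomain part of the URL."""
    return (urlsplit(value).hostname or value) if ioc_type == "url" else value

def matches(ioc_type: str, value: str, pattern: str) -> bool:
    mode, core = parse_pattern(pattern)
    validate_core(mode, core)
    if ioc_type == "file_hash" and mode != "exact":
        return False  # file hash IOCs support exact matches only
    text, core = searchable_text(ioc_type, value).lower(), core.lower()  # case-insensitive (assumption)
    return {"exact": text == core, "prefix": text.startswith(core),
            "suffix": text.endswith(core), "contains": core in text}[mode]

# Constructed sample IOCs (not real indicators).
SAMPLE_IOCS = [
    ("domain", "intsights.com"),
    ("url", "https://docs.intsights.test/login"),
    ("ip", "10.1.22.33"),
    ("file_hash", "<constructed-hash-value>"),
]

def search(pattern: str, iocs=SAMPLE_IOCS) -> list:
    return [value for ioc_type, value in iocs if matches(ioc_type, value, pattern)]
```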

Filter the IOC list

You can filter the IOCs list to display only those that match selected criteria.

To filter the IOC list:

  • From the IOCs page, filter according to the options in the following table:

    | To show these IOCs | Do this |
    | --- | --- |
    | Of a specific type | Click the Type filter and select from these IOC types: Domains, Email addresses, File hashes, IP addresses, or URLs. Within file hashes, you can filter for IOCs with a specific type of file hash. |
    | With a specific severity | Click the Severity filter and select severity levels. |
    | Reported from specific TIP feeds (sources) | Click the Reporting Feeds filter and select from which feeds to show IOCs. |
    | Last reported in a specific time range | Click the Last Reported filter and select a time range. |
    | Were whitelisted | Click the Whitelist filter and select Show only whitelisted IOCs. |
    | Matching system or user tags | Click the Tags filter and select tags to match. |
    | First reported in a specific time range | Click the First Reported filter and select a time range. |
    | Were found by specific policy rules | Click the Policy Rules filter and select from which policy rules to show IOCs. |
    | In active or retired state | Click the State filter and select Active or Retired. |
    | Matching specific MITRE ATT&CK tactics | Click the MITRE Tactics filter and select tactics to match. |
    | Matching specific Kill Chain phases | Click the Kill Chain Phases filter and select phases to match. |
    | Matching system tags | Click the System Tags filter and select tags to match. |
    | Show all IOCs | Click Clear all filters. |

The selected IOCs are displayed.

Change an IOC severity

IOC default severity is determined by its source. You can change the severity, thus overriding the system severity.

When you upload IOCs from an email message or document, you can set their severity, as described in Add IOCs to TIP Sources.

To change the severity of multiple IOCs, see Perform operations on multiple IOCs.

To change the severity of an IOC:

  1. From the IOCs page, select the Severity level for an IOC.
  2. From the drop-down arrow, select a new severity.
    The severity is changed. The severity icon changes to indicate that it was changed manually.

To revert the IOC to the system-assigned severity, repeat the above procedure and select Revert to Default.

Add or remove IOC tags

You can add new user tags or remove existing user tags. Tags assigned by the system cannot be removed.

To add tags to multiple IOCs, see Perform operations on multiple IOCs.

To add or remove IOC tags:

  1. From the IOCs page, hover over an IOC row and click Add or remove IOC tags.
  2. (Optional) To remove an existing tag, search for the tag, then click the X in the tag.
    The tag is removed.
  3. (Optional) To add a new tag, click the +, enter the tag name, press Enter, then click Close.
    The new tag is added to the IOC and is displayed in the IOCs table and in the Investigation page.

Whitelisting activities

The following table describes the IOC whitelist statuses and the actions that can be done per status:

| Whitelist status | Icon | Description | Available actions |
| --- | --- | --- | --- |
| Not on any whitelist | None | Will be passed to integrated devices. | Add to user whitelist; Do not whitelist |
| On the system whitelist | (icon) | Will not be passed to integrated devices. | Add to user whitelist (if the IOC drops off the system whitelist, it will still be on the user whitelist); Do not whitelist |
| On the user whitelist | (icon) | Will not be passed to integrated devices. | Do not whitelist; Revert to default |
| Added to the "do not whitelist" list | (icon) | Will be passed to integrated devices, even if the IOC is on the system whitelist. | Add to user whitelist; Revert to default |

You can control the whitelist status of IOCs by performing the following:

  • Add IOCs to the user whitelist - You can add (or remove) IOCs to the user whitelist.
  • Mark IOCs as "Do not whitelist" - Marked IOCs will not be treated as whitelisted. If the IOC is on the system whitelist, this user action will override that, and the IOC will be sent to devices.
  • Revert IOC whitelist control - Defer to the system decision about IOC whitelisting.

Add (or remove) IOCs to the user whitelist

You can add IOCs to a user whitelist. If the IOC was previously added to a whitelist, you can take it off the user whitelist by reverting to the default state.

To add or remove multiple IOCs to the user whitelist, see Perform operations on multiple IOCs.

To add (or remove) an IOC to a whitelist:

  1. From the IOCs page, hover your pointer over an IOC row, then click Change IOC whitelist status.
  2. To whitelist the IOC, click Add to whitelist.
  3. If the IOC was previously added to the user whitelist, you can remove it by clicking Revert to Default.
    When you click Revert to default, the IOC will be subject to being whitelisted by the system. A confirmation message is displayed and the icon by the IOC changes accordingly.

To mark an IOC as "Do not whitelist":

  1. From the IOCs page, hover your pointer over an IOC row, then click Change IOC whitelist status.
  2. Click Do not whitelist.

A confirmation message is displayed and the icon by the IOC changes accordingly.

To revert an IOC to system control:

  1. From the IOCs page, hover your pointer over an IOC row, then click Change IOC whitelist status.
  2. Click Revert to default.

A confirmation message is displayed and the icon by the IOC changes accordingly.

Investigate IOCs

You can launch an Investigation on listed IOCs (not supported for email addresses). For more information, see Investigation.

To investigate an IOC:

  • From the IOCs page, hover your pointer over an IOC row, then click Investigate IOC.

Relate IOCs to cyberterms

In addition to the system-defined related IOCs, you can manually relate IOCs to cyberterms. These IOCs are shown when a cyberterm is investigated, and in the Threat Library, too.

This enhances your ability to research and investigate and further enhances the value of the Threat Library as your one-stop repository of all cyberterm-related information.

Email address IOCs cannot currently be related to cyberterms.

To relate (or unrelate) multiple IOCs, see Perform operations on multiple IOCs.

To relate IOCs to a cyberterm:

  1. From the IOCs page, hover your pointer over an IOC.
  2. From the menu at the far right, click Cyberterm relation.
  3. Select the cyberterms to which the IOC should be related (max: 10), then click Close.
  4. Click Update IOC.

To unrelate IOCs from a cyberterm:

  1. From the IOCs page, hover your pointer over an IOC.
  2. From the menu at the far right, click Cyberterm relation.
    Currently related cyberterms are displayed.
  3. Click X on each cyberterm to unrelate.
  4. Click Update IOC.

Add (or remove) IOCs to the Remediation blocklist

You can add (or remove) IOCs to the Remediation blocklist. By sending the blocklist to security devices, you can block the IOCs.

To add (or remove) multiple IOCs to the Remediation blocklist, see Perform operations on multiple IOCs.

To add IOCs to the Remediation blocklist:

  1. From the IOCs page, hover your pointer over an IOC.
  2. From the menu at the far right, click Add to blocklist.

If the IOC is already on the blocklist, you can remove it by clicking Remove from blocklist.

The Remediation blocklist is added as a reporting feed.

Perform operations on multiple IOCs

You can perform some operations on multiple IOCs (limit 200) at one time, thus enhancing efficiency. First, select the desired IOCs, then use the multiple IOC toolbar to perform the operations.

The most efficient way to perform operations on multiple IOCs is by using the Public API.

These actions can be performed to multiple IOCs at one time: Add tags, change severity, add (or remove) to Remediation blocklist.

To perform operations on multiple IOCs:

  1. From the IOCs page, select multiple IOCs:

    | To select these | Select like this |
    | --- | --- |
    | All IOCs (200 limit) | Use the select all control. Each time you select all, 50 IOCs will be selected, until you reach the total of 200. |
    | Individual IOCs | Select each IOC individually. |

    When you select IOCs, the multiple IOC commands are displayed at the top of the IOCs page.

  2. Click the desired command and perform the activity to all selected IOCs.

Export displayed IOCs

You can export the list of displayed IOCs to a CSV file. You can filter the list before exporting, so only those IOCs that match your selection will be exported.

To export displayed IOCs:

  • When the list is displayed, click Export CSV.
    The CSV is downloaded to your default download location.