Indicator
An indicator is an observable whose evidence makes it relevant to a security investigation or detection. It becomes an indicator of compromise only when the evidence supports compromise or malicious activity.
Frequently Asked Questions
What is Indicator?
An indicator is an observable whose evidence makes it relevant to a security investigation or detection. It becomes an indicator of compromise only when the evidence supports compromise or malicious activity.
How is Indicator related to Observable?
Indicator and Observable are both key concepts in threat intelligence. An observable is a domain, IP address, URL, file hash, email address, phone number, or wallet address that can be examined during a security investigation. A submitted observable is not automatically malicious and is not automatically an indicator of compromise.
Related Terms
Observable
An observable is a domain, IP address, URL, file hash, email address, phone number, or wallet address that can be examined during a security investigation. A submitted observable is not automatically malicious and is not automatically an indicator of compromise.
IOC (Indicator of Compromise)
An indicator of compromise is an indicator supported by evidence of compromise or malicious activity. Security teams use IOCs to detect, contain, and investigate threats; an arbitrary IP address, domain, URL, file hash, or email address is only an observable until evidence supports that promotion.
Threat Intelligence
Threat intelligence is evidence-based knowledge about cyber threats, including observed infrastructure, behaviors, campaigns, and likely intent. It combines source observations with context so security teams can make a specific detection, triage, containment, or response decision.
Put this intelligence to work
Query indexed indicators — IPs, domains, URLs, and hashes — in seconds.