Indicators of Compromise (IOCs)

This section captures IOCs associated with this incident. Because VERIS focuses on strategic and risk-based information, tactical intelligence such as IOCs is not part of the base schema. This section provides only a minimal structure so that IOCs can still travel with an incident and later be exported to a schema built for them (e.g., STIX).

IOCs

Question Text: Enter any IOCs you wish to associate with this incident.

User notes: IOCs are artifacts related to an incident that indicate assets may be compromised. Examples include IP addresses, URLs, malware hashes, etc.

Question type: text field for indicator and comment

Variable name: ioc (an array; each entry is made up of the indicator (string) and comment (string) variables)

Purpose: Enables simple IOCs to be shared along with a VERIS incident. IOCs serve a range of tactical and operational purposes (e.g., blocklisting IP addresses associated with malicious activity).

Developer notes: N/A

Miscellaneous: IOCs in VERIS are structured as a simple array of objects, each carrying an indicator (string) and a comment (string), referred to as ioc.indicator and ioc.comment. Other schemas give much more detail and structure around IOCs (type, confidence, validity period, relationships), and those should be used if the collection and sharing of IOCs is the primary goal.
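The following is an added example, not code from the VERIS project: it builds a fragment containing only the ioc variable described above, checks that the array has the documented shape (objects with string indicator and comment, nothing else), guesses each indicator's type from its syntax, and exports the recognisable ones as STIX 2.1 Indicator objects using the STIX pattern language. The incident data is constructed for the example (RFC 5737 test address, example.com/example.net names, a made-up hash), the shape check is an approximation written here rather than the official VERIS schema file, and the VERIS-to-STIX mapping is an illustration of the "export to a more suitable schema" step, not a defined VERIS feature.

```python
"""Added example: validate the VERIS `ioc` array and export it to STIX 2.1 Indicators."""
import ipaddress
import re
import uuid
from datetime import datetime, timezone

# Constructed VERIS fragment showing only the `ioc` variable. Values are test
# ranges / example domains / an invented hash, not real indicators.
INCIDENT = {
    "ioc": [
        {"indicator": "198.51.100.23", "comment": "C2 beacon destination seen in proxy logs"},
        {"indicator": "http://example.com/update.bin", "comment": "second-stage download URL"},
        {"indicator": "attacker-cdn.example.net", "comment": "staging domain resolved by the dropper"},
        {"indicator": "4f7a" * 16, "comment": "SHA-256 of the dropper (invented value)"},
        # Behavioural indicator: valid in VERIS, but has no simple STIX pattern here.
        {"indicator": "svchost.exe spawned by winword.exe", "comment": "observed on patient zero"},
    ]
}

REQUIRED_KEYS = {"indicator", "comment"}


def validate_iocs(iocs):
    """Check the documented shape: array of objects with string `indicator` and `comment`.

    Returns a list of problems; an empty list means the array is well-formed.
    (Approximation of the VERIS schema, written for this example.)
    """
    if not isinstance(iocs, list):
        return ["ioc must be an array"]
    problems = []
    for i, item in enumerate(iocs):
        if not isinstance(item, dict):
            problems.append(f"ioc[{i}]: not an object")
            continue
        for key in sorted(REQUIRED_KEYS):
            if key not in item:
                problems.append(f"ioc[{i}]: missing {key}")
            elif not isinstance(item[key], str):
                problems.append(f"ioc[{i}].{key}: not a string")
        for key in sorted(set(item) - REQUIRED_KEYS):
            problems.append(f"ioc[{i}]: unexpected key {key}")
    return problems


# Hex digest length -> STIX hash key name.
HASH_BY_LENGTH = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def classify(indicator):
    """Guess an indicator's kind from its syntax: ipv4, ipv6, url, domain, a hash name, or unknown."""
    s = indicator.strip()
    try:
        return "ipv6" if ipaddress.ip_address(s).version == 6 else "ipv4"
    except ValueError:
        pass
    if len(s) in HASH_BY_LENGTH and re.fullmatch(r"[0-9a-fA-F]+", s):
        return HASH_BY_LENGTH[len(s)]
    if re.match(r"https?://", s, re.I):
        return "url"
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", s, re.I):
        return "domain"
    return "unknown"


def to_stix_pattern(indicator):
    """Render a STIX 2.1 comparison pattern for the indicator, or None if its kind is unknown."""
    kind = classify(indicator)
    # String literals in STIX patterns are single-quoted; escape backslash and quote.
    lit = indicator.strip().replace("\\", "\\\\").replace("'", "\\'")
    if kind in HASH_BY_LENGTH.values():
        return f"[file:hashes.'{kind}' = '{lit}']"
    objects = {"ipv4": "ipv4-addr", "ipv6": "ipv6-addr", "url": "url", "domain": "domain-name"}
    if kind in objects:
        return f"[{objects[kind]}:value = '{lit}']"
    return None


def export_stix_indicators(incident):
    """Turn each ioc entry into a STIX 2.1 Indicator dict; return (indicators, skipped_indicators).

    Entries whose kind cannot be inferred are reported rather than silently dropped,
    so nothing in the VERIS record is lost without the analyst noticing.
    """
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    indicators, skipped = [], []
    for item in incident.get("ioc", []):
        pattern = to_stix_pattern(item["indicator"])
        if pattern is None:
            skipped.append(item["indicator"])
            continue
        indicators.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": now,
            "modified": now,
            "pattern": pattern,
            "pattern_type": "stix",
            "valid_from": now,
            "description": item["comment"],  # the VERIS free-text comment survives the export
        })
    return indicators, skipped


if __name__ == "__main__":
    print("schema problems:", validate_iocs(INCIDENT["ioc"]) or "none")
    exported, unmapped = export_stix_indicators(INCIDENT)
    for ind in exported:
        print(ind["pattern"], "--", ind["description"])
    print("left in VERIS only:", unmapped)
```

Run the file directly to see four STIX patterns and one behavioural indicator left unmapped; the validator is what you would wire into an intake form so that a missing comment or a non-string indicator is caught before the record is shared.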