This is the Trace Id: e76b6354868de65ab421b9d2bf09772f
Skip to main content Microsoft Defender Microsoft Entra Microsoft Intune Microsoft Purview Microsoft Security Copilot Microsoft Sentinel View all products AI-powered cybersecurity Cloud security Data security & governance Identity & network access Privacy & risk management Security for AI Small & medium business Unified SecOps Zero Trust Pricing Services Partners Why Microsoft Security Cybersecurity awareness Customer stories Security 101 Product trials Industry recognition Microsoft Security Insider Microsoft Digital Defense Report Security Response Center Microsoft Security Blog Microsoft Security Events Microsoft Tech Community Documentation Technical Content Library Training & certifications Compliance Program for Microsoft Cloud Microsoft Trust Center Service Trust Portal Microsoft Secure Future Initiative Business Solutions Hub Contact Sales Start free trial Microsoft Security Azure Dynamics 365 Microsoft 365 Microsoft Teams Windows 365 Microsoft AI Azure Space Mixed reality Microsoft HoloLens Microsoft Viva Quantum computing Sustainability Education Automotive Financial services Government Healthcare Manufacturing Retail Find a partner Become a partner Partner Network Microsoft Marketplace Software companies Blog Microsoft Advertising Developer Center Documentation Events Licensing Microsoft Learn Microsoft Research View Sitemap
Here’s the alt text as requested, without mentioning the blurred face: **Alt text:** A person holding a tablet in a server room, viewing a dashboard with charts and system metrics displayed on the screen.

What are indicators of compromise (IOCs)?

Learn how to monitor, identify, use, and respond to indicators of compromise.
Discover Microsoft Defender Threat Intelligence

Indicators of compromise explained

An indicator of compromise (IOC) is evidence that someone may have breached an organisation’s network or endpoint. This forensic data doesn’t just indicate a potential threat, it signals that an attack, such as malware, compromised credentials, or data exfiltration, has already occurred. Security professionals search for IOCs on event logs, extended detection and response (XDR) solutions, and security information and event management (SIEM) solutions. During an attack, the team uses IOCs to eliminate the threat and mitigate damage. After recovery, IOCs help an organisation better understand what happened, so the organisation’s security team can strengthen security and reduce the risk of another similar incident.

Examples of IOCs

In IOC security, IT monitors the environment for the following clues that an attack is in progress:

Network traffic anomalies

In most organisations there are consistent patterns to network traffic passing in and out of the digital environment. When that changes, such as if there is significantly more data leaving the organisation or if there is activity coming from an unusual location in the network, it may be a sign of an attack.

Unusual sign-in attempts

Much like network traffic, people’s work habits are predictable. They typically sign in from the same locations and at roughly the same times during the week. Security professionals can detect a compromised account by paying attention to sign-ins at odd times of day or from unusual geographies, such as a country where an organisation doesn’t have an office. It’s also important to take note of multiple failed sign-ins from the same account. Although people periodically forget their passwords or have trouble signing in, they’re usually able to resolve it after a few tries. Repeated failed sign-in attempts may indicate that someone is trying to access the organisation using a stolen account.

Privilege account irregularities

Many attackers, whether they’re insiders or outsiders, are interested in accessing administrative accounts and acquiring sensitive data. Atypical behavior associated with these accounts, such as someone attempting to escalate their privileges, may be a sign of a breach.

Changes to systems configurations

Malware is often programmed to make changes to systems configurations, such as enabling remote access or disabling security software. By monitoring for these unexpected configuration changes, security professionals can identify a breach before too much damage has occurred.

Unexpected software installations or updates

Many attacks begin with the installation of software, such as malware or ransomware, that is designed to make files inaccessible or to give attackers access to the network. By monitoring for unplanned software installations and updates, organisations can catch these IOCs quickly.

Numerous requests for the same file

Multiple requests for a single file may indicate that a bad actor is attempting to steal it and has tried several methods to access it.

Unusual Domain Name Systems requests

Some bad actors use an attack method called command and control. They install malware on an organisation’s server that creates a connection to a server that they own. They then send commands from their server to the infected machine to try to steal data or disrupt operations. Unusual Domain Name Systems (DNS) requests helps IT detect these attacks.

How to identify IOCs

The signs of a digital attack are recorded in the log files. As part of IOC cybersecurity, teams regularly monitor digital systems for suspicious activity. Modern SIEM and XDR solutions simplify this process with AI and machine learning algorithms that establish a baseline for what’s normal in the organisation and then alert the team about anomalies. It’s also important to engage employees outside of security, who may receive suspicious emails or accidentally download an infected file. Good security training programs help workers get better at detecting compromised emails and provide ways for them to report anything that seems off.

Why IOCs are important

Monitoring IOCs is critical to reducing an organisation’s security risk. Early detection of IOCs enables security teams to respond to and resolve attacks quickly, reducing the amount of downtime and disruption. Regular monitoring also gives teams greater insight into organisational vulnerabilities, which can then be mitigated.

Responding to indicators of compromise

Once security teams identify an IOC, they need to respond effectively to ensure as little damage to the organisation as possible. The following steps help organisations stay focused and stop threats as quickly as possible:

Establish an incident response plan

Responding to an incident is stressful and time sensitive because the longer attackers remain undetected, the more likely they are to achieve their goals. Many organisations develop an incident response plan to help guide teams during the critical phases of a response. The plan outlines how the organisation defines an incident, roles and responsibilities, the steps needed to resolve an incident, and how the team should communicate to employees and outside stakeholders.

Isolate compromised systems and devices

Once an organisation has identified a threat, the security team rapidly isolates applications or systems that are under attack from the rest of the networks. This helps prevent the attackers from accessing other parts of the business.

Conduct forensic analysis

Forensic analysis helps organisations uncover all aspects of a breach, including the source, the type of attack, and attacker goals. Analysis is done during the attack to understand the extent of the compromise. Once the organisation has recovered from the attack, additional analysis helps the team understand possible vulnerabilities and other insights.

Eliminate the threat

The team removes the attacker and any malware from affected systems and resources, which may involve taking systems offline.

Implement security and process improvements

Once the organisation has recovered from the incident, it’s important to evaluate why the attack happened and if there’s anything the organisation could have done to prevent it. There may be simple process and policy improvements that will reduce the risk of a similar attack in the future, or the team may identify longer-range solutions to add to a security roadmap.



IOC Solutions

Most security breaches leave a forensic trail in log files and systems. Learning to identify and monitor these IOCs helps organisations quickly isolate and eliminate attackers. Many teams turn to SIEM solutions, like Microsoft Sentinel and Microsoft Defender XDR, which use AI and automation to surface IOCs and correlate them with other events. An incident response plan enables teams to get ahead of attacks and quickly shut them down. When it comes to cybersecurity, the faster companies understand what’s happening, the more likely they are to stop an attack before it costs them money or damages their reputation. IOC security is key to helping organisations reduce their risk of a costly breach.
Resources

Learn more about Microsoft Security

  1.
A man and woman sitting at a table, with the woman writing on a book and a laptop visible.

Microsoft threat protection

Identify and respond to incidents across your organisation with the latest in threat protection.
Learn more
A person sitting at a desk using a laptop.

Microsoft Sentinel

Unify security data and context to power agentic defense with SIEM & AI-first platform.
Learn more
A woman looking at her mobile phone.

Microsoft Defender XDR

Stop attacks across endpoints, email, identities, applications, and data with XDR solutions.
Learn more
A group of three people in a bright office, smiling and engaged as they look at a laptop held by one person.

Threat intelligence community

Get the latest updates from the Microsoft Defender Threat Intelligence community edition.
Learn more
Back to Related products section
FAQ

Frequently asked questions

  • There are several types of IOCs. Some of the most common are:
    • Network traffic anomalies
    • Unusual sign-in attempts
    • Privilege account irregularities
    • Changes to system configurations
    • Unexpected software installations or updates
    • Numerous requests for the same file
    • Unusual Domain Name Systems requests
  • An indicator of compromise is digital evidence that an attack has already occurred. An indicator of an attack is evidence that an attack is likely to occur. For example, a phishing campaign is an indicator of attack because there’s no evidence that the attacker has breached the company. However, if someone clicks on a phishing link and downloads malware, the installation of the malware is an indicator of compromise.
  • Indicators of compromise in email include a sudden flood of spam, strange attachments or links, or an unexpected email from a known person. For example, if an employee sends a coworker an email with a strange attachment, it may indicate their account has been compromised.
  • There are multiple ways to identify a compromised system. A change in network traffic from a particular computer could be an indicator that it’s been compromised. If a person who typically doesn’t need a system begins accessing it regularly, that’s a red flag. Changes to the configurations on the system or an unexpected software installation may also indicate that it’s been compromised.
  • Three IOC examples are:
    • A user account that is based in North America begins signing into company resources from Europe.
    • Thousands of access requests across several user accounts, indicating that the organisation is a victim of a brute force attack.
    • New Domain Name Systems requests coming from a new host or a country where employees and customers don’t reside.

Follow Microsoft Security

Surface Pro Surface Laptop Surface Laptop Ultra Copilot for organisations Copilot for personal use AI in Windows Explore Microsoft products Windows 11 apps Account profile Download Center Microsoft Store Support Returns Order tracking Recycling Microsoft Store Promise Microsoft in education Devices for education Microsoft Teams for Education Microsoft 365 Education Office Education Educator training and development Deals for students and parents Azure for students
Microsoft AI Microsoft Security Azure Dynamics 365 Microsoft 365 Microsoft 365 Copilot Microsoft Teams Small Business Microsoft Developer Microsoft Learn Support for AI marketplace apps Microsoft Tech Community Microsoft Marketplace Microsoft Power Platform Software companies Visual Studio Careers About Microsoft Company news Privacy at Microsoft Investors Sustainability
English (United Kingdom) Consumer Health Privacy Contact Microsoft Privacy Manage cookies Terms of use Trademarks About our ads EU Compliance DoCs Regulatory reporting