Indicators of compromise (IoCs) are artifacts, found on a host or on the network, that indicate a compromise.
Tools such as [[Malware Information Sharing Platform]] can be used to share indicators of compromise.
[[Incident Response & Computer Forensics, Third Edition]] describes the concept of an indicator of compromise:
> IOC (pronounced eye-oh-cee) creation is the process of documenting characteristics and artifacts of an incident in a structured manner. This includes everything from both a host and network perspective—things beyond just malware. Think about items such as working directory names, output file names, login events, persistence mechanisms, IP addresses, domain names, and even malware network protocol signatures. The goal of IOCs is to help you effectively describe, communicate, and find artifacts related to an incident. Because an IOC is only a definition, it does not provide the actual mechanism to find matches. You must create or purchase technology that can leverage the IOC language.
You need some way to search for IoCs effectively. This is most often done through a [[Security Information and Event Management]] system.
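
As an added example (not from the book or from any IOC tool), the sketch below keeps a structured IOC definition separate from the mechanism that finds matches, as the quote describes. The IOC layout, field names and all sample values are constructed assumptions; in practice a SIEM plays the role of `search`.

```python
# Added illustration: a hypothetical, simplified IOC structure and matcher.
# The IOC layout, field names and all sample values are constructed.
IOC = {
    "name": "constructed-incident-001",
    "op": "OR",
    "items": [
        # Network artifacts
        {"field": "dst_ip", "cond": "is", "value": "203.0.113.7"},
        {"field": "dns_query", "cond": "endswith", "value": ".c2.example.com"},
        # Host artifacts: both terms must hold on the same event
        {"op": "AND", "items": [
            {"field": "file_path", "cond": "contains", "value": "\\temp\\stage\\"},
            {"field": "file_name", "cond": "is", "value": "out.dat"},
        ]},
    ],
}

CONDITIONS = {
    "is": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "endswith": lambda actual, expected: actual.endswith(expected),
}

def matches(node, event):
    """Evaluate one IOC node (a term or an AND/OR group) against one event."""
    if "items" in node:
        results = (matches(child, event) for child in node["items"])
        return all(results) if node["op"] == "AND" else any(results)
    actual = event.get(node["field"])
    if actual is None:  # this event type does not carry the field
        return False
    # Compare case-insensitively: paths and hostnames vary in case across logs
    return CONDITIONS[node["cond"]](str(actual).lower(), node["value"].lower())

def search(ioc, events):
    """Return the ids of the events that satisfy the IOC definition."""
    return [e["id"] for e in events if matches(ioc, e)]

# Constructed sample events, shaped like normalized SIEM records
EVENTS = [
    {"id": 1, "type": "netflow", "dst_ip": "198.51.100.20"},
    {"id": 2, "type": "netflow", "dst_ip": "203.0.113.7"},
    {"id": 3, "type": "dns", "dns_query": "update.C2.example.com"},
    {"id": 4, "type": "file", "file_path": "C:\\Temp\\stage\\", "file_name": "out.dat"},
    {"id": 5, "type": "file", "file_path": "C:\\Users\\a\\", "file_name": "out.dat"},
]

if __name__ == "__main__":
    print(search(IOC, EVENTS))
```

Event 5 shares the output file name with the IOC but not the working directory, so the AND group rejects it; matching on the file name alone would have flagged it.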