Cyber Defense Tactics

Learn defensive security, leverage AI for cyber defense, and join a community of security professionals.


© 2026 Cyber Defense Tactics. All rights reserved.

A Carbene.AI Project

Difficulty: beginner

IOC Collection Guide

Standardized procedures for collecting and documenting indicators of compromise.

Ongoing | 5 steps | 8 checklist items

Summary

Best practices for IOC collection, formatting, and sharing during and after incident response.

Step-by-Step Procedure

Step 1: IOC Identification

Identify indicators during investigation.

Actions

  • Extract file hashes from malware samples
  • Document malicious IP addresses and domains
  • Capture file paths and names
  • Note registry keys and values
  • Document user agent strings

Step 2: IOC Validation

Validate indicators before sharing.

Actions

  • Check IOCs against legitimate sources
  • Verify IOCs are not false positives
  • Confirm IOCs are specific to the threat
  • Remove internal-only indicators

Step 3: IOC Documentation

Document IOCs in standard format.

Actions

  • Use a standardized IOC format (STIX/OpenIOC)
  • Include context and confidence levels
  • Note first and last seen dates
  • Reference the source of each IOC

Step 4: IOC Deployment

Deploy IOCs for detection.

Actions

  • Add to threat intelligence platform
  • Update SIEM detection rules
  • Add to EDR watchlists
  • Update firewall/proxy blocklists

Step 5: IOC Sharing

Share IOCs with appropriate parties.

Actions

  • Share with ISACs if applicable
  • Consider sharing with vendors
  • Document sharing decisions
  • Track IOC usage and feedback
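The validation and documentation steps above (steps 2 and 3) are the ones most often done by hand and inconsistently. The script below is an added example, not code from the playbook or from Cyber Defense Tactics: it takes a constructed list of candidate indicators, drops the ones that are internal-only (RFC 1918 addresses, `.corp`/`.local`/`.internal` names), allowlisted as legitimate, or known-benign (the SHA-256 of an empty file is a classic false positive in sandbox output), requires confidence, sighting dates and a source reference for each survivor, and writes the result as a STIX 2.1 bundle of Indicator objects. The allowlist, the internal suffixes and every indicator value are assumptions constructed for the example; the STIX patterns use only the standard 2.1 object types.

```python
"""Validate candidate IOCs (step 2) and export them as a STIX 2.1 bundle (step 3)."""
import ipaddress
import json
import re
import uuid
from datetime import date, datetime, timezone

# SHA-256 of an empty file: shows up in sandbox reports but identifies nothing malicious.
KNOWN_BENIGN_HASHES = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
# Constructed allowlist standing in for your own list of legitimate domains (CDNs, update hosts).
LEGITIMATE_DOMAINS = {"example.com"}
# Internal-only address ranges and name suffixes: never shared outside the organisation.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_SUFFIXES = (".internal", ".local", ".corp")

# STIX 2.1 pattern templates for the indicator types this playbook collects.
STIX_PATTERNS = {
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "registry-key": "[windows-registry-key:key = '{v}']",
    "user-agent": "[network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' = '{v}']",
}


def make_ioc(kind, value, source, first_seen, last_seen, confidence, context):
    """Build one candidate record in the shape the rest of the script expects."""
    return {"type": kind, "value": value, "source": source, "first_seen": first_seen,
            "last_seen": last_seen, "confidence": confidence, "context": context}


def validate(ioc):
    """Return None if the IOC may be documented and shared, otherwise the reason it is dropped."""
    kind, value = ioc["type"], ioc["value"]
    if kind not in STIX_PATTERNS:
        return f"unsupported indicator type: {kind}"
    if kind == "sha256":
        if not re.fullmatch(r"[0-9a-fA-F]{64}", value):
            return "malformed SHA-256"
        if value.lower() in KNOWN_BENIGN_HASHES:
            return "known benign hash (false positive)"
    elif kind == "ipv4":
        try:
            addr = ipaddress.IPv4Address(value)
        except ValueError:
            return "malformed IPv4 address"
        if any(addr in net for net in INTERNAL_NETWORKS):
            return "internal-only address"
    elif kind == "domain":
        name = value.lower().rstrip(".")
        if name.endswith(INTERNAL_SUFFIXES):
            return "internal-only domain"
        if name in LEGITIMATE_DOMAINS or any(name.endswith("." + d) for d in LEGITIMATE_DOMAINS):
            return "legitimate domain (false positive)"
    # Context required by step 3: confidence, a sighting window and a source reference.
    if not isinstance(ioc.get("confidence"), int) or not 0 <= ioc["confidence"] <= 100:
        return "confidence must be an integer 0-100"
    if date.fromisoformat(ioc["first_seen"]) > date.fromisoformat(ioc["last_seen"]):
        return "first_seen is later than last_seen"
    if not ioc.get("source"):
        return "missing source reference"
    return None


def triage(candidates):
    """Split candidates into shareable IOCs and (ioc, reason) pairs for the validation notes."""
    accepted, rejected = [], []
    for ioc in candidates:
        reason = validate(ioc)
        (accepted if reason is None else rejected).append(ioc if reason is None else (ioc, reason))
    return accepted, rejected


def to_stix_bundle(iocs, now=None):
    """Build a STIX 2.1 Bundle of Indicator objects carrying context, confidence and dates."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for ioc in iocs:
        # Escape backslashes and quotes so the value is a valid STIX string literal.
        literal = ioc["value"].replace("\\", "\\\\").replace("'", "\\'")
        objects.append({
            "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": stamp, "modified": stamp,
            "name": f"{ioc['type']}: {ioc['value']}",
            "description": ioc.get("context", ""),
            "indicator_types": ["malicious-activity"],
            "pattern": STIX_PATTERNS[ioc["type"]].format(v=literal), "pattern_type": "stix",
            "valid_from": f"{ioc['first_seen']}T00:00:00Z",
            "valid_until": f"{ioc['last_seen']}T23:59:59Z",
            "confidence": ioc["confidence"],
            "external_references": [{"source_name": "incident-response", "description": ioc["source"]}],
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


# Constructed sample input: candidates gathered during a fictional investigation.
CANDIDATES = [
    make_ioc("sha256", "3b0e1c2d4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c",
             "sandbox report (constructed)", "2026-01-10", "2026-01-12", 85, "dropper from phishing attachment"),
    make_ioc("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
             "sandbox report (constructed)", "2026-01-10", "2026-01-10", 50, "empty placeholder file"),
    make_ioc("ipv4", "10.0.0.5", "proxy logs", "2026-01-10", "2026-01-11", 60, "first-hop internal host"),
    make_ioc("ipv4", "203.0.113.10", "proxy logs", "2026-01-10", "2026-01-11", 90, "beacon destination"),
    make_ioc("domain", "cdn.example.com", "proxy logs", "2026-01-10", "2026-01-11", 30, "seen in the same session"),
    make_ioc("domain", "fileserver.corp", "EDR telemetry", "2026-01-10", "2026-01-11", 70, "lateral movement target"),
    make_ioc("user-agent", "Updater/1.0 ('beta')", "proxy logs", "2026-01-10", "2026-01-11", 75, "beacon user agent"),
]

if __name__ == "__main__":
    accepted, rejected = triage(CANDIDATES)
    for ioc, reason in rejected:
        print(f"dropped {ioc['type']} {ioc['value']}: {reason}")
    print(json.dumps(to_stix_bundle(accepted), indent=2))
```

The rejected list doubles as the "validation notes" evidence item: each dropped indicator keeps the reason it was excluded, so a reviewer can see why an internal host or an allowlisted domain never reached the shared bundle. `valid_from`/`valid_until` carry the first and last seen dates and `confidence` the 0-100 score, which is how STIX 2.1 expects that context to travel with the indicator rather than in a side note.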

Completion Checklist

  • All indicator types collected
  • IOCs validated against false positives
  • Internal indicators removed before sharing
  • IOCs documented in standard format
  • Context and confidence noted
  • IOCs deployed to security tools
  • Sharing decisions documented
  • IOC effectiveness tracked

Evidence to Collect

  • IOC list with context
  • Validation notes
  • STIX/OpenIOC exports
  • Sharing records
