IOC

Read threat indicators without overclaiming.

A workflow for checking IPs, domains, URLs, and hashes as defensive signals.

Goal

Use indicators as context, not as automatic proof of compromise or attribution.

Best for

Threat intelligence notes, SOC triage, and defensive enrichment.

Inputs

IP, Domain, URL, Hash, Observation time

Steps

01

Classify the indicator

Write the indicator type, source, and observation time.

Check: The type and time are visible.

02

Check several sources

Compare reputation, passive DNS, malware feeds, and reports.

Check: One feed is not the only basis.

03

Read freshness

Record first seen, last seen, and whether the signal is old.

Check: Old indicators are not treated as current activity.

04

Write a defensive conclusion

Suggest monitoring, blocking, or review only when the evidence supports it.

Check: Attribution is not overstated.
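The four steps above as a small triage helper, added here as an example and not part of the original workflow. The feed names, dates and the stale_days / fresh_days thresholds are assumptions; the only output is indicator context and a defensive action, never attribution.

```python
# Added example, not part of the original workflow: walks the four steps over
# constructed feed results. Feed names, dates and thresholds are assumptions.
import re
import ipaddress
from datetime import date

HEX_HASH = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.I)
DOMAIN = re.compile(r"(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}", re.I)

def classify(indicator):
    # Step 1: indicator type from shape (MD5/SHA-1/SHA-256, URL, IP, DNS name).
    if HEX_HASH.fullmatch(indicator):
        return "hash"
    if re.match(r"[a-z][a-z0-9+.-]*://", indicator, re.I):
        return "url"
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain" if DOMAIN.fullmatch(indicator) else "unknown"

def triage(indicator, source, observed_on, feeds, stale_days=90, fresh_days=7):
    # Steps 2-4: corroboration, freshness, defensive action. Each feed is a dict
    # with 'name', 'flagged' (bool), 'first_seen' and 'last_seen' (ISO dates).
    observed = date.fromisoformat(observed_on)
    flagged = [f for f in feeds if f["flagged"]]
    first = min((date.fromisoformat(f["first_seen"]) for f in flagged), default=None)
    last = max((date.fromisoformat(f["last_seen"]) for f in flagged), default=None)
    age = (observed - last).days if last else None
    stale = age is not None and age > stale_days
    if not flagged:
        action = "no action"
    elif len(flagged) == 1 or stale:
        action = "review"   # one feed, or an old signal, is not current activity
    elif len(flagged) >= 3 and age <= fresh_days:
        action = "block"    # corroborated and recent; local relevance still to confirm
    else:
        action = "monitor"
    return {"indicator": indicator, "type": classify(indicator), "source": source,
            "observed_on": observed_on, "feeds_checked": len(feeds),
            "feeds_flagging": sorted(f["name"] for f in flagged), "stale": stale,
            "first_seen": first.isoformat() if first else None,
            "last_seen": last.isoformat() if last else None, "action": action,
            "note": "open-source signal only; check local relevance before acting"}

# Constructed sample: one feed flagged the IP months ago, two others never did.
SAMPLE_FEEDS = [
    {"name": "rep-feed", "flagged": True, "first_seen": "2024-01-10", "last_seen": "2024-01-20"},
    {"name": "pdns", "flagged": False, "first_seen": "", "last_seen": ""},
    {"name": "malware-feed", "flagged": False, "first_seen": "", "last_seen": ""},
]
```

Running `triage("203.0.113.7", "internal sensor", "2024-06-01", SAMPLE_FEEDS)` yields a single-feed, stale hit, so the action stays at "review" rather than "block".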

Output

Indicator context, source comparison, freshness note, and defensive action.

Report line

The indicator appears in open threat sources, but freshness, context, and local relevance must be checked before action.