Indicators of Compromise, OpenIOC and CyBOX

Indicator of compromise (IOC)

In computer forensics, an IOC is an artifact observed on a network or in an operating system that indicates, with high confidence, a computer intrusion.
Typical IOCs are virus signatures, IP addresses, MD5 hashes of malware files, or URLs of botnet command-and-control servers. Such atomic IOCs are cheap for an attacker to change (recompile the binary, move the server), so they are usually combined with logic describing behaviour, such as a file hash OR (a C2 hostname AND a persistence registry key), rather than matched one at a time.


OpenIOC stands for Open Indicators of Compromise. It is an extensible XML schema for describing the technical characteristics that identify a known threat, an attacker's methodology, or other evidence of compromise. An OpenIOC document wraps a set of IndicatorItem elements (each naming a term such as a file hash or a registry path, a condition and a value) in nested Indicator elements that combine them with AND/OR logic. OpenIOC was created by MANDIANT.
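To show what an OpenIOC document looks like and how its AND/OR indicator logic is applied to artifacts collected from a host, here is an added example; it is not Mandiant's code and is not from the original page. The IOC document, the host observations, the hash (the MD5 of the empty string, used as a placeholder), the hostname and the registry path are all constructed. The search terms (FileItem/Md5sum, Network/DNS, RegistryItem/Path) follow the naming style of Mandiant's term list but are assumed here and treated simply as keys into the observation map; only the OpenIOC 1.0 conditions "is" and "contains" are implemented.

```python
"""Minimal OpenIOC 1.0 evaluator (added example, not vendor code).

The IOC document and the host observations below are constructed for
illustration; the hash, hostname and registry path are placeholders,
not real threat data.
"""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document meaning:
#   (known bad MD5) OR (C2 hostname AND Run-key persistence)
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="example-ioc-0001" last-modified="2014-01-01T00:00:00">
  <short_description>Example dropper</short_description>
  <description>Constructed example for illustration.</description>
  <authored_by>example</authored_by>
  <authored_date>2014-01-01T00:00:00</authored_date>
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="a" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="b">
        <IndicatorItem id="b1" condition="is">
          <Context document="Network" search="Network/DNS" type="mir"/>
          <Content type="string">c2.example.invalid</Content>
        </IndicatorItem>
        <IndicatorItem id="b2" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">CurrentVersion\\Run</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host observations (the "observables"): term -> values seen.
CLEAN_HOST = {
    "FileItem/Md5sum": ["9e107d9d372bb6826bd81d3542a419d6"],
    "Network/DNS": ["updates.example.com"],
    "RegistryItem/Path": ["HKLM\\SOFTWARE\\Example\\Settings"],
}
INFECTED_HOST = {
    "FileItem/Md5sum": ["9e107d9d372bb6826bd81d3542a419d6"],
    "Network/DNS": ["updates.example.com", "c2.example.invalid"],
    "RegistryItem/Path": [
        "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchosts",
    ],
}


def _item_matches(item, observations):
    """Evaluate one IndicatorItem against the values observed for its term."""
    term = item.find("ioc:Context", NS).get("search")
    expected = (item.find("ioc:Content", NS).text or "").strip().lower()
    condition = item.get("condition", "is")
    observed = [v.lower() for v in observations.get(term, [])]
    # Hashes and paths are compared case-insensitively, as Mandiant's
    # tooling did; that is a design choice of this example.
    if condition == "is":
        return expected in observed
    if condition == "contains":
        return any(expected in v for v in observed)
    raise ValueError(f"unsupported OpenIOC condition: {condition}")


def _indicator_matches(indicator, observations, hits):
    """Recursively apply the Indicator's AND/OR operator to its children.

    Every IndicatorItem that matches on its own is recorded in `hits`,
    even if the enclosing AND later fails, so partial matches are visible.
    """
    op = indicator.get("operator", "OR").upper()
    results = []
    for child in indicator:
        tag = child.tag.rsplit("}", 1)[-1]  # strip the namespace
        if tag == "IndicatorItem":
            ok = _item_matches(child, observations)
            if ok:
                hits.append(child.get("id"))
            results.append(ok)
        elif tag == "Indicator":
            results.append(_indicator_matches(child, observations, hits))
    if not results:
        return False
    return all(results) if op == "AND" else any(results)


def evaluate_ioc(xml_text, observations):
    """Return the IOC's id, description, overall verdict and matched items."""
    root = ET.fromstring(xml_text)
    top = root.find("ioc:definition", NS).find("ioc:Indicator", NS)
    hits = []
    hit = _indicator_matches(top, observations, hits)
    return {
        "id": root.get("id"),
        "description": root.findtext("ioc:short_description", namespaces=NS),
        "hit": hit,
        "matched_items": hits,
    }


if __name__ == "__main__":
    for name, host in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(name, evaluate_ioc(SAMPLE_IOC, host))
```

The observation dictionaries are the observables in the sense of the CybOX FAQ quoted below: plain statements of what was seen on the host. The IOC document is the indicator: the same kinds of values arranged as a pattern, with the AND/OR structure and the description supplying the context. Note that a host which resolves the C2 hostname but has no Run-key entry is reported as no hit, with "b1" listed as a partial match for the analyst to follow up.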


Cyber Observable eXpression (CybOX), developed by MITRE, is a standardized language for representing cyber observables, whether from observation in the operational cyber domain or as patterns of observables that could be observed.

From the CybOX FAQ:

A4. What is the difference between “cyber observables” and “cyber indicators”?

Cyber observables are statements of fact; they capture what was observed or could be observed in the cyber operational domain.

Cyber indicators are cyber observable patterns with relevant contextual information that provide meaning and guidance around the observable patterns, such as a registry key value associated with a known bad actor or a spoofed email address used on this date and sent to these accounts on this date.

