July 14, 2026
Day 9: IOC vs. IOA — Understanding the Difference Between Evidence and Behavior
In previous articles, we explored Windows Event Logs and Sysmon, two important sources of telemetry for Security Operations Centers (SOCs).

By SIAM AHMED
2 min read
However, collecting data is only the first step.
The next challenge is determining what that data tells us.
Security analysts often classify suspicious activity using two important concepts:
- Indicators of Compromise (IOCs)
- Indicators of Attack (IOAs)
Although these terms are sometimes used interchangeably, they represent two different approaches to detecting cyber threats.
Understanding the distinction is essential for SOC analysts, threat hunters, and incident responders.
What Is an Indicator of Compromise (IOC)?
An Indicator of Compromise (IOC) is a piece of evidence suggesting that a system has already been compromised or malicious activity has occurred.
IOCs are often discovered after an attack and are used to identify known threats across an environment.
Think of IOCs as the digital fingerprints left behind by an attacker.
Common Examples of IOCs
- Malicious IP addresses
- Malicious domains
- File hashes (MD5, SHA-1, SHA-256)
- Suspicious URLs
- Registry keys
- Malware filenames
- Email addresses
- Known command-and-control (C2) infrastructure
Organizations often receive IOC feeds from threat intelligence providers and use them to enrich detections within SIEM or EDR platforms.
Limitations of IOCs
Although IOCs are valuable, attackers can easily modify them.
For example, an attacker can:
- Change a file hash by recompiling malware.
- Register a new domain.
- Switch to a different IP address.
- Rename a malicious executable.
Because of this, IOC-based detection is often considered reactive.
What Is an Indicator of Attack (IOA)?
An Indicator of Attack (IOA) focuses on what the attacker is doing, rather than what tools they are using.
Instead of relying on known signatures or infrastructure, IOAs detect suspicious behaviors that commonly occur during an attack.
This approach is particularly effective against new or previously unseen malware.
Common Examples of IOAs
- PowerShell executed with Base64-encoded commands
- Office applications spawning Command Prompt or PowerShell
- Attempts to access LSASS memory
- Suspicious use of Windows Management Instrumentation (WMI)
- Lateral movement using remote administration tools
- Creation of scheduled tasks for persistence
- Unusual privilege escalation
- Credential dumping behavior
These actions may indicate malicious intent even when no known malware signatures are present.
IOC vs. IOA
FeatureIOCIOAFocusEvidenceBehaviorDetection TypeReactiveProactiveBest ForKnown threatsKnown and unknown threatsChanges EasilyYesNoThreat HuntingUsefulHighly effective
Real-World Example
Imagine an attacker delivers ransomware.
IOC-Based Detection
The SOC detects:
- Known ransomware hash
- Known malicious IP address
- Known command-and-control domain
This works well — unless the attacker changes those indicators.
IOA-Based Detection
Instead, the SOC detects:
- PowerShell launched with encoded commands
- Mass file encryption activity
- Volume Shadow Copy deletion
- Creation of persistence mechanisms
- Unusual process behavior
Even if the malware has never been seen before, these behaviors remain suspicious.
This demonstrates why modern security products increasingly rely on behavioral analytics.
How Modern Security Solutions Use IOAs
Behavior-based detection is a core capability in many modern security platforms, including:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint
- Microsoft Sentinel analytics
- CrowdStrike Falcon
- SentinelOne
- Elastic Security
- Wazuh (through custom detection rules)
- Splunk Enterprise Security
These platforms combine behavioral analytics with threat intelligence to improve detection accuracy and reduce reliance on static indicators.
IOC + IOA = Stronger Detection
Neither approach replaces the other.
The most effective SOCs combine both.
A mature detection strategy uses:
- IOC feeds from threat intelligence
- Behavioral detections based on IOAs
- MITRE ATT&CK mapping
- SIEM correlation rules
- Endpoint telemetry from Sysmon and EDR
Together, these capabilities help identify both known and emerging threats.
Key Takeaways
- IOCs are pieces of evidence that indicate a compromise has occurred.
- IOAs identify suspicious attacker behavior before or during an attack.
- IOCs are easier for attackers to change, while behaviors are much harder to disguise.
- Combining IOC-based and IOA-based detections provides stronger visibility and resilience against modern cyber threats.
In Day 10, we'll explore the MITRE ATT&CK Framework — the industry-standard knowledge base used by SOC analysts, threat hunters, and detection engineers to understand adversary tactics, techniques, and procedures (TTPs).