Indicator of Compromise. A piece of forensic data (file hash, IP, domain, registry key) that suggests a system has been compromised.
IoCs are the atomic facts a SOC sees: a SHA256 hash, a destination IP address known to belong to command-and-control infrastructure, a process name that should not exist on a managed host, a domain in DNS query logs. Detection rules combine IoCs with behavioural patterns (tactics, techniques and procedures, TTPs) so that a hit reflects an active intrusion rather than a match on an indicator that was retired long ago.
Pure IoC matching decays: hashes and IP addresses are cheap for an attacker to change, so a feed of them goes stale quickly. TTP-level detection (techniques as catalogued in the MITRE ATT&CK matrix) is more durable, because evading it means changing how the attack is carried out rather than swapping out an artefact. CloudSigma rules combine both: TTP-shaped detection logic plus a default falsepositives section listing known benign triggers, which the operator extends when deploying the rule in their SIEM with environment-specific allowlists of known-good indicators.
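The contrast between the two styles of rule, as an added example that is not part of the original page or of any rule set it mentions. The indicators, hosts and events below are constructed for the example (the IP is from the 203.0.113.0/24 documentation range, the domain uses the reserved .example TLD, the hashes are placeholders); the allowlist parameter stands in for the environment-specific false-positive filtering the operator adds on top of a rule's default falsepositives list. The first process event is the one to watch: its hash is not on the IoC list, so pure IoC matching misses it, but the parent-child behaviour (an Office application spawning PowerShell) still fires the TTP rule.

```python
"""IoC matching beside TTP-shaped detection, run over constructed sample events."""
from dataclasses import dataclass

# Constructed indicator set for the example; none of these are real threat intel.
IOC_SHA256 = {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"}
IOC_IPS = {"203.0.113.45"}            # documentation range, not a real C2
IOC_DOMAINS = {"update-cdn.example"}  # reserved TLD, not a real C2

# TTP-shaped rule: an Office application spawning a command or script interpreter
# (ATT&CK T1059, Command and Scripting Interpreter, delivered via a document).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased final path component; handles both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ioc_rule(eid: int, ev: dict) -> list:
    """Atomic IoC matching: exact hits on file hash, destination IP or DNS query."""
    hits = []
    if ev.get("sha256") in IOC_SHA256:
        hits.append(Alert("ioc_hash", eid, ev["sha256"]))
    if ev.get("dst_ip") in IOC_IPS:
        hits.append(Alert("ioc_ip", eid, ev["dst_ip"]))
    if ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
        hits.append(Alert("ioc_domain", eid, ev["query"]))
    return hits


def office_spawns_script_host(eid: int, ev: dict, allowlist: frozenset) -> list:
    """TTP-shaped rule: fires on behaviour, so rotating the payload hash does not evade it.
    allowlist holds (parent, child) pairs the operator has verified as benign locally."""
    if ev.get("type") != "process":
        return []
    parent = basename(ev.get("parent_image", ""))
    child = basename(ev.get("image", ""))
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS and (parent, child) not in allowlist:
        return [Alert("office_spawns_script_host", eid, f"{parent} -> {child}")]
    return []


def run_detection(events: list, allowlist: frozenset = frozenset()) -> list:
    """Apply both rule styles to every event; returns alerts in event order."""
    alerts = []
    for eid, ev in enumerate(events):
        alerts.extend(ioc_rule(eid, ev))
        alerts.extend(office_spawns_script_host(eid, ev, allowlist))
    return alerts


# Constructed sample telemetry (Sysmon-like process, DNS and network events).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "sha256": "a" * 64},  # hash not in the IoC set: only the TTP rule catches this
    {"type": "process", "host": "ws02",
     "image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    {"type": "dns", "host": "ws01", "query": "update-cdn.example."},
    {"type": "net", "host": "ws01", "dst_ip": "203.0.113.45", "dst_port": 443},
    {"type": "process", "host": "ws03",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"type": "dns", "host": "ws04", "query": "www.example.com."},
]

# Hypothetical environment-specific exception: a finance workbook legitimately
# launches cmd.exe, so the operator suppresses that one pairing rather than the rule.
LOCAL_ALLOWLIST = frozenset({("excel.exe", "cmd.exe")})

if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS):
        print(f"default   event={a.event_id} rule={a.rule} {a.detail}")
    for a in run_detection(SAMPLE_EVENTS, LOCAL_ALLOWLIST):
        print(f"allowlist event={a.event_id} rule={a.rule} {a.detail}")
```

With no allowlist the run produces five alerts: the TTP rule on events 0 and 4, and one IoC hit each on events 1, 2 and 3. Adding the (excel.exe, cmd.exe) exception removes only the event 4 alert; the same rule still fires on event 0 for the pairing the operator has not vouched for, which is the behaviour a falsepositives extension should have: it narrows the rule to the local environment without switching it off.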