Improve Efficiency of Intelligence Analysis Using IOC Management Feature

Cyber observables and IOCs are the building blocks of intelligence analysis. They're critical to making accurate decisions throughout the investigative workflow, but effectively managing this vast amount of IOC data is challenging.

Today we are excited to release our new IOC Management feature that will streamline IOC management throughout the entire indicator lifecycle. This new feature will help you upload large numbers of IOCs, classify IOCs into groups, augment them with additional context, and automatically surface them in internal investigations and threat hunts. 


How is this different than existing capabilities on TruSTAR?

Until now, IOCs on the TruSTAR platform were always embedded in reports. They didn’t exist as independent entities. Reports provide an elegant way of grouping related threat intelligence so that it can be viewed as comprehensive analysis, but they limit an analyst’s ability to investigate a specific IOC or a group of IOCs and contextualize them. This change is the first step in a larger initiative that will allow users to more easily analyze cyber and fraud investigations, track TTPs, campaigns, and actors, and visualize the relationships between them.

Great! Tell me more…

As an end user of the TruSTAR platform you can now take the following actions:

  • Mass Enrichment - Upload large lists of IOCs and their associated context into one or more enclaves and let TruSTAR automatically augment them with additional enrichment.
  • Group Tagging - Use tags to easily manage IOCs as individual entities or large groups of IOCs that share some common characteristics - like “ddos”, “brand protection,” “APT28,” etc.
  • Visualize Context - Track enrichment of individual IOCs over time in our graph visualizations and quickly identify correlations with other intelligence sources.


These actions will let analysts quickly complete tasks including:

  • Batch Processing - Send a large number of IOCs to TruSTAR using the API or Station via structured or unstructured data format and have the platform provide enrichment for each IOC.
  • Mass Exporting - Export enriched IOCs, like IP addresses, that have a specific tag associated with them, e.g. “ddos.”
  • Continuous Tracking - Keep a running list of IOCs and continuously update them with new context using the API or the Station.
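To make the three tasks above concrete, here is a small local IOC store that ingests a structured feed (CSV) and an unstructured report, normalizes and classifies each indicator, tags it, appends context as it is re-seen, and exports by tag. This is an added illustration written for this page; it is not TruSTAR code, does not call the TruSTAR API or Station, and the CSV feed, report text, hash and tag names in it are constructed. The regexes are deliberately simple (IPv4, MD5, SHA-256, domains) so the flow is easy to follow.

```python
import csv
import io
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical local IOC store for illustration only. Not TruSTAR code;
# all feed/report data below is constructed for the example.

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass
class Indicator:
    value: str
    ioc_type: str
    tags: set = field(default_factory=set)
    context: list = field(default_factory=list)  # (timestamp, note) history


def refang(text):
    """Undo common defanging so '1.2.3[.]4' and 'hxxp://' match the patterns."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def classify(value):
    """Return the IOC type for a single candidate value, or None if it is not one."""
    v = value.strip()
    if IPV4_RE.fullmatch(v) and all(0 <= int(o) <= 255 for o in v.split(".")):
        return "IP"
    if SHA256_RE.fullmatch(v):
        return "SHA256"
    if MD5_RE.fullmatch(v):
        return "MD5"
    if DOMAIN_RE.fullmatch(v):
        return "DOMAIN"
    return None


class IocStore:
    def __init__(self):
        self.indicators = {}  # normalized value -> Indicator

    def add(self, value, ioc_type, tags=(), note=None, when=None):
        """Insert or update one indicator; repeated sightings accumulate tags and context."""
        key = value.strip().lower()
        ind = self.indicators.setdefault(key, Indicator(key, ioc_type))
        ind.tags.update(tags)
        if note:
            stamp = (when or datetime.now(timezone.utc)).isoformat()
            ind.context.append((stamp, note))
        return ind

    def ingest_csv(self, csv_text, when=None):
        """Structured batch: columns value,tags,note with tags separated by '|'."""
        added = []
        for row in csv.DictReader(io.StringIO(csv_text)):
            v = refang(row["value"]).strip()
            t = classify(v)
            if t is None:
                continue  # malformed rows (e.g. an octet > 255) are dropped, not stored
            tags = {x.strip() for x in row.get("tags", "").split("|") if x.strip()}
            added.append(self.add(v, t, tags, row.get("note") or None, when))
        return added

    def ingest_text(self, text, tags=(), note=None, when=None):
        """Unstructured batch: extract every recognisable IOC from free text."""
        added = []
        clean = refang(text)
        for rx in (IPV4_RE, SHA256_RE, MD5_RE, DOMAIN_RE):
            for m in rx.finditer(clean):
                t = classify(m.group(0))
                if t:
                    added.append(self.add(m.group(0), t, tags, note, when))
        return added

    def export(self, tag, ioc_type=None):
        """Tag-filtered export, e.g. every IP tagged 'ddos'."""
        return sorted(i.value for i in self.indicators.values()
                      if tag in i.tags and (ioc_type is None or i.ioc_type == ioc_type))


# Constructed sample inputs (documentation ranges / the SHA-256 of an empty file).
FEED_CSV = """value,tags,note
203.0.113.10,ddos|botnet,seen in amplification traffic
198.51.100[.]7,ddos,defanged in source feed
evil-update.example,brand protection,typosquat of corporate domain
999.1.1.1,ddos,malformed row
"""

REPORT_TEXT = (
    "IR note: C2 at hxxp://evil-update.example/login and 203.0.113.10; "
    "dropper sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855."
)


def demo():
    store = IocStore()
    store.ingest_csv(FEED_CSV, when=datetime(2020, 5, 1, tzinfo=timezone.utc))
    store.ingest_text(REPORT_TEXT, tags={"apt28"}, note="mentioned in internal IR report")
    return store


if __name__ == "__main__":
    s = demo()
    print("ddos IPs:", s.export("ddos", "IP"))
    print("apt28 IOCs:", s.export("apt28"))
```

Note how the same IP arriving twice (once from the feed, once from the report) ends up as one indicator carrying both sets of tags and a two-entry context history; that accumulation is what "continuous tracking" means in practice, and the malformed `999.1.1.1` row is rejected at classification time rather than polluting later exports.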


Enrichment from our Machine Learning capabilities.

All IOCs processed by TruSTAR are rated using our machine learning models (you can read more about our model here). All IOCs rated as HIGH PRIORITY will be labeled accordingly and you will see them prominently displayed in the Explore view and the graph visualization.

I have a list of IOCs. How can I get started?

We have a number of options to get you started quickly based on how you have been storing IOCs. Check out our support site article and release notes to get started in less than five minutes.

We value your feedback and would like to learn about how to improve this feature. Don’t hesitate to get in touch with us at to get started.
