Indicators of Compromise
DFIRe includes a built-in IOC registry for capturing, classifying, enriching, and sharing Indicators of Compromise across your investigations. Indicators use the STIX 2.1 type taxonomy and can be shared externally via TAXII 2.1 and MISP-compatible feeds.
Overview
The IOC subsystem provides a global indicator registry that spans all cases in your DFIRe instance. Each indicator is stored once and linked to cases through associations, allowing you to:
- Capture IOCs during investigations — manually, via bulk import, or by extracting them from notes
- Classify and tag indicators as malicious, suspicious, benign, or unknown
- Enrich indicators with data from up to 12 threat intelligence providers
- Detect cross-case correlations when the same indicator appears in multiple investigations
- Share published indicators via TAXII 2.1 server and MISP-compatible feeds
- Import and export in CSV, STIX 2.1, and plaintext formats
DFIRe’s IOC support is designed to complement dedicated threat intelligence platforms like MISP or your SIEM. It provides a convenient way to capture and manage indicators in the context of an investigation, and export them when needed.
Supported IOC Types
DFIRe uses the STIX 2.1 Cyber Observable (SCO) type taxonomy. The following 18 indicator types are supported:
| Type | Description | Example |
|---|---|---|
| IPv4 Address | IPv4 address or CIDR block | 203.0.113.42, 173.245.48.0/20 |
| IPv6 Address | IPv6 address or CIDR block | 2001:db8::1 |
| Domain Name | DNS domain or subdomain | evil.example.com |
| URL | Full HTTP/HTTPS URL | https://evil.example.com/payload.exe |
| Email Address | Email address | attacker@evil.com |
| Email Message | Email metadata (subject, headers) | Phishing email subject line |
| File Hash | MD5, SHA-1, or SHA-256 hash | d41d8cd98f00b204... |
| Process | Process name or command | svchost.exe |
| Registry Key | Windows registry path | HKLM\Software\...\Run |
| Network Traffic | Network connection metadata | Port, protocol, src/dst |
| User Account | User account name | Administrator |
| MAC Address | Hardware MAC address | 00:1A:2B:3C:4D:5E |
| Software | Software name, version, or CVE | CVE-2021-44228 |
| Artifact | Generic binary or text artifact | Base64 payload fragment |
| Autonomous System | BGP AS number | AS13335 |
| Directory | File system path | C:\Windows\Temp |
| Mutex | Named mutex object | Global\evil_mutex |
| X.509 Certificate | Certificate serial or thumbprint | Certificate SHA-256 thumbprint |
Indicator Properties
Each indicator in the registry has the following properties:
Classification
Every indicator has a classification reflecting the analyst’s assessment:
- Unknown (default) — Not yet assessed
- Benign — Determined to be harmless
- Suspicious — Warrants further investigation
- Malicious — Confirmed threat indicator
Confidence
The confidence level reflects how certain you are about the classification:
- Low — Preliminary assessment, needs verification
- Medium — Reasonable certainty based on available evidence
- High — Confirmed through multiple sources or direct observation
TLP (Traffic Light Protocol)
TLP controls how widely an indicator can be shared:
| TLP Level | Sharing Scope | Can Publish? |
|---|---|---|
| TLP:CLEAR | No restrictions | Yes |
| TLP:GREEN | Community-wide sharing | Yes |
| TLP:AMBER | Need-to-know basis | Yes |
| TLP:AMBER+STRICT | Organization only, no further dissemination | Yes |
| TLP:RED | Named recipients only | No |
TLP:RED indicators cannot be published. This is enforced at the system level. If you change a published indicator’s TLP to RED, it is automatically unpublished.
Tags
Free-form text tags for organizing indicators. Examples: apt29, phishing, ransomware, c2-server. Tags are set when creating or editing individual indicators.
Public Notes
Shared notes that are visible to all users with indicator view permission, regardless of which case the indicator is associated with. Use public notes for information that does not reveal case details, such as “Known Cobalt Strike C2 infrastructure”.
Adding Indicators to a Case
There are several ways to add indicators to a case:
Manual Entry
- Open the case and navigate to the IOCs tab
- Click Add Indicator
- Enter the indicator value — the type is auto-detected as you type
- Optionally set the classification, confidence, TLP, and tags
- Add context notes (these are private to this case)
- Click Add
If the indicator already exists in the global registry, it is linked to the case rather than duplicated. If it is new, it is created in the registry and linked.
Auto-Extraction from Case Content
DFIRe can scan case notes, item notes, and evidence item values for potential indicators:
- In the case IOCs tab, click Scan Case
- DFIRe scans all notes and evidence item fields in the case for patterns matching IOC types (for example, an email address added as an evidence item is detected as an indicator)
- Review the extracted candidates — each shows the detected type and source note
- Select which candidates to add, adjust classifications if needed
- Click Add Selected
Supported extraction patterns include IPv4/IPv6 addresses (with CIDR), domains, URLs, email addresses, file hashes (MD5, SHA-1, SHA-256), MAC addresses, and CVE identifiers.
Extraction is always a suggestion — DFIRe never automatically adds indicators. You review and confirm every candidate before it is added to the case.
Text Extraction
The Extract function takes arbitrary text input (threat reports, log output, email headers, intelligence feeds) and searches for indicators using regular expressions. Paste or type text, and DFIRe identifies all potential indicators within it. Review the extracted candidates and add the ones you want to keep.
Bulk Import
Import indicators from files in three formats:
- CSV — Spreadsheet with columns for value, type, classification, confidence, TLP, and tags. Column headers are matched flexibly.
- STIX 2.1 — Standard STIX Bundle JSON file. SCO objects are imported and metadata from wrapping SDO Indicator objects (confidence, labels, indicator_types) is preserved.
- Plaintext — One indicator per line. Types are auto-detected. Works well with pasted lists from threat reports or log analysis.
Imports and extraction are available both from the case IOCs tab (case-scoped) and from the global IOC Registry page.
Hierarchical Decomposition
When you add a composite indicator like a URL or email address, DFIRe automatically breaks it down into its component parts and creates parent-child relationships:
Example: URL Decomposition
Adding https://evil.cdn.hosting.com/downloads/payload.exe creates:
- The full URL (your original indicator)
evil.cdn.hosting.com— domain extracted from the URLcdn.hosting.com— parent domainhosting.com— apex domain
Example: Email Decomposition
Adding attacker@mail.evil.com creates:
- The email address (your original indicator)
mail.evil.com— domain from the emailevil.com— apex domain
Example: CIDR Adoption
If individual IP addresses like 173.245.48.5 already exist in the registry and you later add the CIDR block 173.245.48.0/20, those IPs are automatically adopted as children of the CIDR block.
Independent Classification
Each level in the hierarchy has its own classification. A malicious URL might be hosted on a benign hosting provider — the subdomain is malicious, but the apex domain is benign. The hierarchy tree view in the Intelligence page shows each node with its own classification color.
You can disable automatic decomposition when adding an indicator by unchecking the Decompose option in the Add Indicator dialog.
IOC Registry
The IOC Registry is accessible from the main navigation and shows all indicators across all cases in your DFIRe instance. From the registry you can:
- Browse and filter indicators by type, classification, confidence, TLP, published/revoked status, and tags
- Search by indicator value or notes
- Perform bulk operations — classify, set confidence, set TLP, publish, revoke, or delete multiple indicators at once
- Import indicators from CSV, STIX 2.1, or plaintext files
- Export indicators to CSV or STIX 2.1 bundles (up to 50,000 indicators per export)
The registry shows a case count for each indicator — how many cases reference it — but does not reveal which cases. This preserves case isolation while providing useful correlation context.
Intelligence Page
Clicking an indicator in the registry or a case opens its Intelligence page with detailed information organized in tabs:
Details Tab
Shows the indicator value, STIX type, classification, confidence, TLP, tags, and metadata (first seen, last seen, created by). Also lists all case associations visible to you, with case-private context notes.
Relations Tab
Displays the indicator’s position in its hierarchical tree. Parent and child indicators are shown with their classifications, making it easy to see how a URL relates to its domain, or how a domain relates to its apex.
Enrichment Tab
Shows results from all configured enrichment providers. Each provider’s data is displayed in a collapsible panel with the fetch timestamp and TTL. You can manually refresh enrichment data for any provider. See the Enrichment section below for details on available providers.
Cross-Case Correlation
When you add an indicator to a case and it already exists in other cases, DFIRe automatically notifies you:
- You receive a notification: “This indicator has been observed in N other case(s)”
- Other members of your case team also receive the notification
- A webhook event (
ioc_correlation) is fired if configured
The notification contains only the count, not the case numbers or details. This preserves case isolation. To learn which cases share the same indicator, contact an administrator or a user with global case read access who can check the associations and determine whether information can be shared between teams.
Enrichment
DFIRe can automatically look up indicators against external threat intelligence services. Enrichment results are cached with a configurable TTL to avoid redundant API calls.
Built-in Providers (No API Key Required)
| Provider | Supported Types | Data Returned |
|---|---|---|
| DNS | Domains, IPs | A/AAAA/MX records, reverse DNS |
| WHOIS | Domains, IPs | Registrar, registration dates, nameservers |
External Providers (API Key Required)
| Provider | Supported Types | Data Returned |
|---|---|---|
| VirusTotal | IPs, Domains, URLs, Hashes | Multi-engine scan results, reputation scores |
| Shodan | IPs | Open ports, services, banners, geolocation |
| GreyNoise | IPs | IP classification (benign scanner, malicious, unknown) |
| AlienVault OTX | IPs, Domains, URLs, Hashes | Pulse reports, community threat intelligence |
| AbuseIPDB | IPs | Abuse reports, confidence score, ISP info |
| URLhaus | URLs, Domains | Malware hosting detection, malware family |
| ThreatFox | IPs, Domains, URLs, Hashes | Malware C2 identification, campaign info |
| MalwareBazaar | Hashes | Malware sample metadata, family, tags |
| URLscan | URLs, Domains | Live page scan, DOM analysis, screenshots |
| Google Safe Browsing | URLs, Domains | Phishing and malware verdicts |
Configuring Enrichment Providers
- Navigate to System Settings > IOC Enrichment
- Each provider shows its status (enabled/disabled) and which indicator types it supports
- Enter your API key and click Save
- Optionally adjust the TTL (cache duration in hours, default 24)
- Use Test to verify your API key is valid
The abuse.ch providers (URLhaus, ThreatFox, MalwareBazaar) share a single API key. Configure it once and it applies to all three.
Rate Limiting
Enrichment requests are rate-limited to 30 requests per minute per provider to avoid overloading external APIs. Built-in providers (DNS, WHOIS) have higher limits. VirusTotal’s free tier is limited to 4 requests per minute — DFIRe respects this automatically.
Publishing and Lifecycle
Indicators in DFIRe have a lifecycle that controls their visibility and sharing status:
States
- Unpublished — Visible only to internal DFIRe users. Not shared externally.
- Published — Available to external consumers via the TAXII 2.1 server and MISP feed. Included in STIX exports.
- Revoked — Marked as no longer valid. Revoked indicators that were published appear with
revoked: truein STIX output so consumers know to remove them.
Auto-Revocation
If an indicator has a Valid Until date set and that date passes, DFIRe automatically revokes it via a background task. This is enabled by default and can be configured in System Settings > IOC Lifecycle:
- Auto-revoke expired indicators — Enable or disable
- Default expiration — Number of days until new indicators expire (leave empty for no default expiration)
- Default TLP — TLP level applied to newly created indicators
- Hard-delete revoked after N days — Permanently remove revoked indicators after a retention period (default: disabled)
Publishing Rules
- TLP:RED indicators cannot be published (this is enforced at the system level)
- Revoked indicators cannot be published (unrevoke first, then publish)
- Bulk publish will skip TLP:RED and revoked indicators and report the count skipped
Sharing Indicators
Published indicators can be shared with external systems via two mechanisms:
TAXII 2.1 Server
DFIRe includes a read-only TAXII 2.1 server that external threat intelligence platforms can poll for indicators. TAXII consumers connect to your DFIRe instance and retrieve published indicators as STIX 2.1 objects.
- Configure TAXII in System Settings > TAXII Server
- Create API Keys for external consumers to authenticate
- Create Collections to organize which indicators are available (filtered by TLP level, classification, or tags)
- TLP:RED indicators are hard-filtered at the database level and never appear in TAXII responses
MISP-Compatible Feed
DFIRe can generate a MISP-compatible JSON feed that remote MISP instances can ingest as a feed source. This provides an alternative to TAXII for organizations using MISP.
- Configure in System Settings > MISP Feed
- The feed generates rolling events organized by TLP level
- TLP:RED indicators are excluded from the feed
- Point your MISP instance to
https://your-dfire/misp-feed/manifest.json
Export and Import
Exporting Indicators
Export indicators from either the global registry or a specific case:
- CSV — Spreadsheet format with columns for value, type, classification, confidence, TLP, tags, context, and metadata. Useful for sharing with analysts or importing into other tools.
- STIX 2.1 Bundle — Standard JSON format containing STIX SCO and SDO objects. Includes TLP marking definitions. Compatible with MISP, OpenCTI, and other STIX-consuming platforms.
Bulk exports from the registry support up to 50,000 indicators per operation. You can apply filters before exporting to select only the indicators you need.
Importing Indicators
Import indicators into a case or the global registry:
- CSV — Flexible header matching (accepts
IOC Value,Value,indicator, etc.). Type names are mapped flexibly (ipv4,ip,ipv4-addrall work for IPv4 addresses). - STIX 2.1 Bundle — Imports SCO objects from a STIX Bundle. Metadata from wrapping SDO Indicator objects (confidence, labels, indicator_types) is preserved.
- Plaintext — One indicator per line, types are auto-detected. Ideal for pasting lists from threat reports, log analysis, or intelligence feeds.
Duplicate indicators (same value and type) are automatically skipped during import. The import summary shows the count of added and skipped indicators.
Bulk Operations
From both the IOC Registry and the case Indicators tab, you can select multiple indicators and perform bulk actions:
- Classify — Set classification (unknown, benign, suspicious, malicious) for all selected
- Set Confidence — Update confidence level for all selected
- Set TLP — Change TLP designation (auto-unpublishes if changed to RED)
- Publish — Make selected indicators available via TAXII/MISP (skips TLP:RED and revoked)
- Unpublish — Remove from external visibility
- Revoke — Mark as no longer valid
- Unrevoke — Restore revoked indicators
- Delete — Remove indicators from the registry entirely
- Export — Export selected as CSV or STIX 2.1
Bulk operations can also be applied using the current filter instead of manual selection, allowing you to operate on large sets efficiently.
Indicators in Investigation Reports
When generating an investigation report for a case, DFIRe automatically includes an IOC Summary section listing all indicators associated with the case. This section includes each indicator’s value, type, classification, confidence, public notes, and any case-specific context notes added by the case team.
Webhook Events and Custom Triggers
The following webhook event types are available for IOC-related activities. Configure these in System Settings > Webhooks:
| Event | Triggered When |
|---|---|
ioc_added | An indicator is added to a case |
ioc_classification_changed | An indicator’s classification changes |
ioc_classified_malicious | An indicator is classified as malicious |
ioc_classified_suspicious | An indicator is classified as suspicious |
ioc_classified_benign | An indicator is classified as benign |
ioc_published | An indicator is published to TAXII/MISP |
ioc_unpublished | An indicator is unpublished |
ioc_revoked | An indicator is revoked |
ioc_unrevoked | An indicator revocation is removed |
ioc_correlation | An indicator is found in multiple cases |
Custom Webhook Triggers
In addition to the built-in events, the IOC Enrichment settings allow you to define custom webhook triggers that appear as response buttons on IOC Intelligence pages. This lets you create custom automated actions such as “Block IP on Firewall” or “Add to Blocklist” on the Respond tab of an indicator's Intelligence page.
To set up a custom trigger:
- Go to Settings > IOC Enrichment and scroll to Webhook Triggers
- Click Add Trigger and define a name and trigger ID
- Go to Settings > Webhooks and create an outgoing webhook
- Select the corresponding custom trigger event type
- Configure the webhook endpoint and payload template with the indicator data
When an analyst clicks the trigger button on an IOC’s Intelligence page, the configured webhook fires with the indicator data, enabling integration with firewalls, SIEMs, SOAR platforms, or any HTTP endpoint.
Permissions
IOC management requires the following permissions, assigned through user groups:
| Permission | Allows |
|---|---|
manage_indicators | Create, edit, delete, classify, tag, publish, and revoke indicators |
export_indicators | Export indicators in CSV and STIX 2.1 formats |
import_indicators | Import indicators from CSV, STIX 2.1, and plaintext |
Viewing indicators in the global registry requires the standard view_indicator permission. Adding indicators to a specific case requires both indicator permissions and write access to that case.
After upgrading to DFIRe 1.2.0 or later, you must assign the new IOC permissions to your user groups. Users will not see the IOC features until these permissions are granted.
Search Integration
Indicators are included in DFIRe’s global search. When you search from the top navigation bar, results include matching indicators alongside cases, evidence, notes, and entities. Indicator search matches against the IOC value, public notes, and STIX type.
Deduplication and Normalization
DFIRe automatically normalizes indicator values to prevent duplicates:
- Domains and emails are lowercased
- URLs have their scheme and host lowercased (path case is preserved)
- IPv4 addresses have leading zeros stripped; CIDR host bits are normalized
- IPv6 addresses are expanded to standard form
- File hashes are lowercased
- AS numbers are normalized to
AS<number>format
Two indicators are considered duplicates if they have the same normalized value and STIX type. When you add a duplicate, the existing indicator is linked to your case rather than creating a new entry.