After this lesson, you will be able to: Use IoCs and understand STIX/TAXII sharing protocols.
IoCs (Indicators of Compromise) are atomic facts: 'this IP is malicious', 'this hash is malware'. STIX/TAXII is the standard format and protocol for sharing them across organizations.
Network. IPs, domains, URLs, JA3 fingerprints. Host, file hashes (MD5/SHA256), filenames, registry keys. Behavioral, process trees, command lines, parent/child relationships. Email, sender addresses, subject patterns.
JSON-format threat info structure:
{"type": "indicator","spec_version": "2.1","id": "indicator--abc123...","created": "2026-01-15T10:00:00Z","name": "Malicious IP from APT28 campaign","pattern": "[ipv4-addr:value = '1.2.3.4']","pattern_type": "stix","valid_from": "2026-01-15T00:00:00Z","labels": ["malicious-activity"]}
TAXII = the protocol to publish/subscribe STIX. Free TAXII feeds: AlienVault OTX, MISP communities. Commercial: most TI vendors (Anomali, Recorded Future).
Sign in and purchase access to unlock this lesson.