How does Leo detect indicators of compromise (IoCs)?

Leo understands and recognizes IoCs mentioned in articles, and can gather them for you automatically.

When an article contains an IoC, Leo highlights it for you so it is easy to find and confirm, even if it is buried in the text of a long article or threat intelligence report. An overview of all the referenced IoCs is shown at the top of the article, in the Leo prompts section, where you can also export them in STIX or markdown format to your threat intelligence platform.

There are two ways that Leo searches for IoCs listed in an article:

1) IoC tables or sections

The first way is by looking for any tables where the author lists the IoCs. This is the most effective way for Leo to extract this data as the author has made it clear that this article is about the IoCs in the table.

Table example

2) Article content

The second way, used when there is no table of IoCs, is to scan the body of the article and extract the IoCs from the text itself.

Note: When an article has both a table/section of IoCs at the bottom and further IoCs mentioned in the body, Leo extracts only the table, not the entire article content, to reduce false positives. The rest of the article may mention other IPs that are not IoCs, or protected URLs that are simply links to other resources.
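As an added illustration of the table-first rule described above (example code written for this page, not Leo's own implementation; the indicator patterns, the section-heading names and the sample article are assumptions), the extractor below only falls back to the whole body when no IoC section exists, which keeps the body's ordinary links out of the result:

```python
import re
from typing import Dict, List

# Indicator types handled here (assumed; the page does not list Leo's types).
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|xyz)\b", re.I),
}

# Headings that mark an IoC table or section (assumed heading names).
IOC_SECTION_HEADING = re.compile(r"^\s*#*\s*(indicators of compromise|iocs?)\b", re.I | re.M)

# Constructed sample article: the body links to a non-indicator site, the table lists real IoCs.
SAMPLE_ARTICLE = """\
The campaign used hxxp://payload-host[.]xyz to stage a loader.
Read more at https://example.com/analysis (not an indicator).

## Indicators of Compromise
| Type | Value |
| IP | 203.0.113.7 |
| Domain | payload-host[.]xyz |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
"""

def refang(text: str) -> str:
    """Undo common defanging so the patterns above can match."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

def find_iocs(text: str) -> Dict[str, List[str]]:
    """Return de-duplicated indicators per type, in order of first appearance."""
    text = refang(text)
    found: Dict[str, List[str]] = {}
    for kind, pattern in IOC_PATTERNS.items():
        seen: List[str] = []
        for match in pattern.findall(text):
            value = match if kind == "ipv4" else match.lower()
            if value not in seen:
                seen.append(value)
        found[kind] = seen
    return found

def extract_iocs(article: str) -> Dict[str, List[str]]:
    """Table-first rule: use the IoC section when present, the full body only otherwise."""
    heading = IOC_SECTION_HEADING.search(article)
    scope = article[heading.start():] if heading else article
    return find_iocs(scope)

def to_markdown(iocs: Dict[str, List[str]]) -> str:
    """Render indicators as a markdown table, one of the export formats named on the page."""
    rows = ["| Type | Value |", "|---|---|"]
    rows += [f"| {kind} | {value} |" for kind, values in iocs.items() for value in values]
    return "\n".join(rows)
```

Running `find_iocs(SAMPLE_ARTICLE)` over the whole text also returns `example.com`, which is exactly the false positive the section-only scope avoids.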
