Indicators of Malicious Activity and Basic Detection Logic

SOC Analyst Mindset

You will practice looking at logs and alerts the way a SOC analyst does: scanning for signs that something is wrong, not just reacting to every noisy alert.

Where This Fits in Security+

This content lives mainly in Security Operations, but connects to Threats, Vulnerabilities, and Mitigations and Security Architecture because detection depends on how systems are built.

Key Definitions

• Indicator of malicious activity: any observable data point suggesting hostile or abnormal behavior.
• IoC: evidence a system has likely already been compromised.
• IoA: evidence an attack is being attempted or is in progress.

Why the Distinction Matters

For the exam, remember: IoAs focus on attacker behavior and intent now; IoCs focus on proof that the attacker already has a foothold or caused damage.

What Are IoCs?

Indicators of Compromise are signs that a system has likely already been breached: malicious files, backdoors, rogue accounts, or data exfiltration evidence.

Examples of IoCs

• Malicious file hashes on endpoints
• Malware binaries on disk
• Unauthorized accounts
• Persistence entries
• Confirmed C2 connections

What Are IoAs?

Indicators of Attack are behavioral clues that an attack is underway: repeated login failures, scanning, odd PowerShell use, or rapid access attempts.

Exam Tip: Wording Clues

If the scenario shows proven malware or data theft, think IoC. If it shows suspicious attempts without confirmed breach, think IoA.

Pieces of the Puzzle

Analysts see small pieces: log lines, alerts, and performance metrics. Your job is to spot which pieces might indicate malicious activity.

Blocked or Flagged Content

Web proxies, email gateways, and firewalls that block malicious domains or attachments generate alerts that can signal attempted phishing or malware delivery.

Auth and Network Anomalies

Watch for unusual logins, failed attempts, odd hours, spikes in outbound traffic, or new lateral connections between hosts that normally never talk.

Endpoint Anomalies and Correlation

New suspicious processes, disabled security tools, and correlated alerts across multiple systems are strong signs of malicious activity.

What Is Impossible Travel?

Impossible travel is when the same account logs in from locations so far apart, in such a short time, that no human could physically move between them.

How It Is Detected

Tools use geo-IP, time between logins, and a user’s normal patterns (home country, work hours, devices) to flag suspicious access.

Other Anomalous Behaviors

Watch for odd data access, privilege misuse, and sudden use of admin tools or PowerShell by users who normally never touch them.

Link to IoAs and IoCs

These patterns usually indicate an attack in progress (IoA). If you also see changed MFA or data theft, those are Indicators of Compromise.

Why Resources Matter

Attackers change how systems use CPU, memory, and bandwidth. Sudden spikes or unusual patterns can be early hints of compromise.

Examples of Resource Anomalies

Cryptomining can peg CPU/GPU; data exfiltration causes long outbound bandwidth spikes; botnets can drive high outbound traffic.

Missing or Tampered Logs

Gaps in logs, disabled logging, or SIEM feed interruptions from key systems are strong signs someone may be hiding their tracks.

Exam Angle

If a scenario shows logging disabled on a critical server after suspicious activity, treat it as likely compromise and escalate.

How to Use These Snippets

Treat each mini log snippet like a SOC alert. Decide whether it shows an Indicator of Attack, an Indicator of Compromise, or both.

Snippet 1: Login Pattern

Multiple failures then success, followed by another success from a new IP, point to password guessing or account misuse: mostly an IoA.

Snippet 2: Cryptominer

A miner.exe process with high CPU and mining pool connections is strong proof of compromise: this is clearly an IoC.

Snippet 3: Impossible Travel

Logins from New York and Berlin within 20 minutes suggest credential misuse: an IoA. Later data theft would add IoCs.

Why Tools Matter for Detection

You interpret indicators through tools: SIEM for centralized logs, EDR/XDR for endpoints and more, and native logs for detailed evidence.

Role of the SIEM

A SIEM collects logs from many systems, applies correlation rules, and raises alerts. It is primarily a detective technical control.

Role of EDR/XDR

EDR/XDR monitors processes, files, and network behavior on endpoints and beyond, spotting IoAs and IoCs and sometimes auto-isolating hosts.

Logs Across a Hybrid Environment

OS, app, and cloud audit logs provide raw evidence. In a hybrid environment, SIEM or XDR helps unify and correlate them.

Why Triage Matters

Not every alert is a breach. Triage is how analysts decide what is noise, what is suspicious, and what is a real incident.

Simple Triage Flow

1) Receive alert, 2) Validate it, 3) Classify as IoA/IoC, 4) Assess impact and scope, 5) Choose an action based on severity.

Impact and CIA

Assess whether confidentiality, integrity, or availability is at risk. High-value assets and clear IoCs justify escalation.

Exam Trap: Overreaction

Security+ often expects you to verify and gather evidence before taking drastic steps like shutting down servers.