Depending on the type of processed object, the indicator of compromise search result window can display the following information:
ARP protocol:
IP address from the ARP table.
Physical address from the ARP table.
DNS record:
Type and name of the DNS record.
IP address of the protected computer.
Windows Log event:
Entry ID in the event log.
Data source name in the log.
Log name.
User account.
Event time.
File:
MD5 hash of the file.
SHA256 hash of the file.
Full name of the file (including path).
File size.
Port:
Remote IP address with which a connection was established at the time of the scan.
Remote port with which a connection was established at the time of the scan.
IP address of the local adapter.
Port open on the local adapter.
Protocol as a number (in accordance with the IANA standard).
Process:
Process name.
Process arguments.
Path to process file.
Windows ID (PID) of the process.
Windows ID (PID) of the parent process.
Name of the user account that started the process.
Date and time when the process started.
Service:
Service name.
Service description.
Path and name of the DLL service (for svchost).
Path and name of the executable file of the service.
Windows ID (PID) of the service.
Service type (for example, kernel driver or adapter).
Service status.
Service run mode.
User:
User account name.
Volume:
Volume name.
Volume letter.
Volume type.
Registry:
Windows registry value.
Registry hive value.
Path to registry key (without hive or value name).
Registry parameter.
Environment variables:
Physical (MAC) address of the protected computer.
System (environment).
OS name with version.
Network name of the protected device.
Domain and group to which the protected computer belongs.
The IOC section displays the structure of the IOC file. If the processed object matches a condition of the IOC rule, that condition is highlighted. If the processed object matches multiple conditions, the text of the whole branch is highlighted.