New Features

IOC Insights Dashboard: A faster, smarter way to identify threats in Magnet Axiom Cyber 

It’s no surprise that the growing complexity of cyberattacks is the top challenge for DFIR professionals. As attacks evolve, DFIR analysts and incident responders must analyze increasingly diverse datasets and artifacts to understand the full scope of an incident and reduce the risk of repeat attacks.

Cyberattacks aren’t just growing more complex; they’re also more costly than ever. The global average cost of a data breach reached $4.88 million in 2024, a 10% increase from the previous year and the largest annual spike since the pandemic. The stakes are high, and failing to scope and remediate threats quickly can result in significant financial loss and operational disruption.

So, when the pressure’s on (and let’s be honest, when isn’t it?), you need to cut through the noise fast. Without a clear starting point for data exfiltration, ransomware, malware, and other cyberattacks, it’s tough to know where to focus first.

Identify critical threat intel at a glance with IOC Insights Dashboard

The IOC Insights Dashboard in Magnet Axiom Cyber gives you an investigative edge with a unified view of critical threat data, making it an efficient starting point for any incident response investigation. It eliminates the need to comb through several artifacts by consolidating key indicators of compromise (IOCs): MITRE ATT&CK technique hits from SIGMA rules, YARA rule hits, hash set matches for known malicious files, and active network connections checked against AbuseIPDB IP reputation.

Now, instead of manually piecing together the scope of an incident across multiple artifacts, you can immediately identify suspicious activity, visually gauge risk levels, and pivot into deep dive analysis—all from a single dashboard.

Key benefits

1. A unified view of critical threat data

Gain an aggregated snapshot of high-risk indicators across your dataset, eliminating time-consuming searches and reducing the risk of missing key details. The dashboard acts as a dedicated home for artifacts that highlight potentially malicious activity.

2. Instantly gauge threat severity

With visual risk indicators, you can quickly assess severity to prioritize next steps at a glance. This not only accelerates the investigation process, but also makes it easier to communicate clear, actionable updates to leadership and stakeholders.

3. Seamless pivoting to deep analysis

With interactive, clickable entries, you can dive directly into flagged high-risk IOCs, whether a malicious IP address, a file, a YARA rule hit, or a MITRE ATT&CK tactic, without navigating through the artifacts list. This streamlines your workflow, reduces manual effort, and gets you to critical evidence faster.

Key IOC insights explained

Let’s look at each of the Insights cards in the IOC Insights Dashboard in more detail:

  • MITRE ATT&CK mapping: MITRE ATT&CK provides an extensive and detailed catalog of adversary tactics, techniques, and procedures (TTPs). In Axiom Cyber, run SIGMA rules to identify TTPs, which are then highlighted in the dashboard. Click a tactic to jump to it in the MITRE ATT&CK artifact list, or click a date to open the automated visual Timeline view and see what happened before and after the tactic.
  • YARA rule hits: Run YARA rules (either custom or predefined in Axiom Cyber) to identify specific patterns and signatures in your dataset. Click the name of a YARA rule to jump to the YARA rule artifact list; if you’re analyzing multiple data sources in one case, you’ll also see which endpoint each artifact came from.
  • Known malicious files with hash set matching: You can enter your own hash sets directly into Axiom Cyber (or use our Hash Sets Manager) to scan the dataset for known malicious files. You can grab publicly available hash lists from: bazaar.abuse.ch/browse/, github.com/aaryanrlondhe/Malware-Hash-Database, github.com/hslatman/awesome-threat-intelligence, virusshare.com/hashes, or hashsets.com (paid). If you work on a variety of case types, you can select which hash sets should be used for IOC matching so that only relevant results are pulled into this card.
  • Active known connections and IP reputation lookup integration with AbuseIPDB: IP addresses pulled from artifacts such as RDP sessions, active network connections and sockets, and cloud events and audit logs are checked to identify IPs associated with malicious activity. This capability is provided by an in-product integration with AbuseIPDB.

    AbuseIPDB IP intelligence is generated primarily from user-contributed data (including automatic reports from intrusion detection devices), which makes it possible for new attacks to be included in the database within minutes. With this approach, both targeted attacks and large-scale attacks are reported and included in the database. In the dashboard, click the IP address to drill down into a filtered view of all the artifact hits where that IP address was found, or click the date to open the Timeline view.
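
As an added illustration of the mechanics behind the hash set card (this is not Magnet’s code and not how Axiom Cyber’s Hash Sets Manager is implemented), the Python below loads a public-feed-style hash list, inferring the algorithm from digest length and normalizing case, hashes files in a single streaming pass, and reports matches. The hash list, file names and file contents are constructed for the example; the digests are those of the string "abc", which stands in for a malware sample.

```python
import hashlib
import os
import tempfile

# Constructed hash list in the one-digest-per-line style used by public feeds
# (e.g. abuse.ch exports): '#' comments, blank lines, mixed case and mixed
# algorithms. The digests are those of the string "abc", standing in for a
# malware sample.
SAMPLE_HASH_SET = """
# constructed hash set for this example
BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD   # SHA-256, upper case
900150983cd24fb0d6963f7d28e17f72                                   # MD5
not-a-hash
"""

HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def load_hash_set(text):
    """Parse a hash list into {algo: set(lowercase hex)}.

    The algorithm is inferred from digest length, digests are lowercased so a
    match does not depend on the feed's casing, and malformed lines are
    counted rather than silently dropped.
    """
    sets = {algo: set() for algo in HEX_LEN_TO_ALGO.values()}
    skipped = 0
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip().lower()
        if not token:
            continue
        algo = HEX_LEN_TO_ALGO.get(len(token))
        if algo is None or not set(token) <= HEX_DIGITS:
            skipped += 1
            continue
        sets[algo].add(token)
    return sets, skipped


def hash_file(path, chunk_size=1 << 20):
    """MD5, SHA-1 and SHA-256 of a file computed in one streamed pass."""
    hashers = {algo: hashlib.new(algo) for algo in HEX_LEN_TO_ALGO.values()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_files(paths, hash_sets):
    """Return [(path, algo, digest)] for every digest present in the hash set."""
    hits = []
    for path in paths:
        for algo, digest in hash_file(path).items():
            if digest in hash_sets[algo]:
                hits.append((path, algo, digest))
    return hits


def demo():
    """Write two constructed files and match them against SAMPLE_HASH_SET."""
    hash_sets, skipped = load_hash_set(SAMPLE_HASH_SET)
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")   # stands in for a dropped payload
        with open(sample, "wb") as fh:
            fh.write(b"abc")
        benign = os.path.join(tmp, "notes.txt")
        with open(benign, "wb") as fh:
            fh.write(b"quarterly report draft\n")
        hits = match_files([sample, benign], hash_sets)
    return [(os.path.basename(p), algo, d) for p, algo, d in hits], skipped


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner runs into: public feeds mix MD5, SHA-1 and SHA-256 digests and casing, so normalize before matching; and before enabling a new hash set for IOC matching, check it for digests of trivial content (for example the empty file, MD5 d41d8cd98f00b204e9800998ecf8427e), which would flag every zero-byte file on the image.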

Visual risk indicators explained

The visual risk indicators help you quickly see where you need to focus your attention, with each color meaning:

  • Red – Critical risk: A highly relevant event that requires immediate analysis. It is used only in the MITRE ATT&CK risk indicator, for events that almost certainly indicate an incident, for example Active Directory replication requests from a non-machine account (DCSync-style credential theft).
  • Orange – High risk: A relevant event that requires immediate review, for example credential access by Mimikatz.
  • Yellow – Medium risk: A potentially relevant event that should be reviewed, for example an IP with a high abuse confidence score that sits in a datacenter in a country with a high cyber-risk level.
  • Blue – Low/Informational risk: A notable event that is highly unlikely to be an incident on its own. A large volume of low-risk events, or low-risk events in combination with other events, could indicate an incident.
  • Gray – Unknown risk: No threat level or risk intelligence exists for the artifact hit.

How are the scores generated?

The MITRE ATT&CK risk scores are taken directly from the risk level the SIGMA rule author assigned when the rule was published (the rule’s level field). While SIGMA rules can also be rated medium or low, only critical and high-risk rules are pulled into the dashboard, to keep attention on what requires immediate review.

For active known connections risk scoring, we created a proprietary scoring system based on four key pieces of data: usage type (residential, datacenter, or other), whether the IP is a known Tor node, country of origin, and the Abuse Confidence Score from AbuseIPDB. AbuseIPDB derives that score with an approach designed to limit false positives, taking into account:

  1. User reports: the volume and frequency of reports against the IP address, and the number of distinct users who submitted them.
  2. Type of malicious activity: the category of reported activity, such as DDoS attacks, phishing, and hacking attempts.
  3. Timing: newer reports carry more weight than older reports.
  4. Whitelist/allowlist: common IPs that should not be reported are excluded.

We’ve assigned points to each of the four data components (usage type, Tor status, country of origin, and Abuse Confidence Score). When added up, the combined total corresponds to one of the risk levels defined above.
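
To make the additive shape of such a scorer concrete, here is an added Python example. It is not Magnet’s scoring system: the point values, thresholds, high-risk country list and the treatment of never-reported IPs are all hypothetical. It parses constructed AbuseIPDB /api/v2/check responses (field names follow the public API, values are invented, and RFC 5737 documentation addresses stand in for public IPs), skips non-routable addresses before any lookup, sums points for the four inputs named above and maps the total onto the dashboard colours, with Red reserved for MITRE ATT&CK hits as the legend states.

```python
import ipaddress
import json

# Ranges that must never be sent to a reputation service: they have no public
# reputation and looking them up leaks internal topology. RFC 5737
# documentation ranges are deliberately NOT listed here so the constructed
# samples below pass the filter.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Hypothetical weights for the four inputs named in the article. Magnet's real
# point values are not published; these only show the additive shape.
TOR_POINTS = 20
COUNTRY_POINTS = 15
HIGH_RISK_COUNTRIES = {"XX"}                       # placeholder policy list
DATACENTER_USAGE = {"Data Center/Web Hosting/Transit"}
RESIDENTIAL_USAGE = {"Fixed Line ISP", "Mobile ISP"}

# Constructed /api/v2/check responses keyed by IP. Field names follow the
# public AbuseIPDB API; the values are invented for this example.
SAMPLE_RESPONSES = {
    "203.0.113.10": json.dumps({"data": {
        "ipAddress": "203.0.113.10", "abuseConfidenceScore": 100, "countryCode": "XX",
        "usageType": "Data Center/Web Hosting/Transit", "isTor": True,
        "totalReports": 412, "numDistinctUsers": 97}}),
    "198.51.100.7": json.dumps({"data": {
        "ipAddress": "198.51.100.7", "abuseConfidenceScore": 35, "countryCode": "US",
        "usageType": "Fixed Line ISP", "isTor": False,
        "totalReports": 3, "numDistinctUsers": 2}}),
    "192.0.2.44": json.dumps({"data": {
        "ipAddress": "192.0.2.44", "abuseConfidenceScore": 0, "countryCode": "DE",
        "usageType": "Fixed Line ISP", "isTor": False,
        "totalReports": 0, "numDistinctUsers": 0}}),
}


def is_routable(ip_str):
    """False for RFC 1918, loopback, link-local, multicast and similar ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in NON_ROUTABLE)


def confidence_points(score):
    """Abuse Confidence Score (0-100) to points; thresholds are hypothetical."""
    if score >= 90:
        return 40
    if score >= 50:
        return 25
    if score >= 25:
        return 10
    return 5 if score > 0 else 0


def usage_points(usage_type):
    """Datacenter > other > residential, as the article's usage-type input suggests."""
    if usage_type in DATACENTER_USAGE:
        return 15
    if usage_type in RESIDENTIAL_USAGE:
        return 0
    return 5


def level_for(total, has_intel):
    """Map a point total onto the dashboard colours; Red is reserved for
    MITRE ATT&CK hits, so IP reputation tops out at Orange."""
    if not has_intel:
        return "Gray"
    if total >= 50:
        return "Orange"
    if total >= 25:
        return "Yellow"
    return "Blue"


def score_record(record):
    """Score one parsed 'data' object from a /check response."""
    has_intel = record.get("totalReports", 0) > 0   # assumption: no reports = no intelligence
    breakdown = {
        "confidence": confidence_points(record.get("abuseConfidenceScore", 0)),
        "usage": usage_points(record.get("usageType", "")),
        "tor": TOR_POINTS if record.get("isTor") else 0,
        "country": COUNTRY_POINTS if record.get("countryCode") in HIGH_RISK_COUNTRIES else 0,
    }
    total = sum(breakdown.values()) if has_intel else 0
    return {"ip": record["ipAddress"], "total": total,
            "level": level_for(total, has_intel), "breakdown": breakdown}


def triage(observed_ips, responses):
    """Filter, parse and score IPs pulled from connection artifacts."""
    results = []
    for ip in observed_ips:
        if not is_routable(ip):
            results.append({"ip": ip, "total": 0, "level": "Skipped",
                            "breakdown": {}, "note": "non-routable, not looked up"})
            continue
        raw = responses.get(ip)
        if raw is None:
            results.append({"ip": ip, "total": 0, "level": "Gray",
                            "breakdown": {}, "note": "no reputation record"})
            continue
        results.append(score_record(json.loads(raw)["data"]))
    return results


if __name__ == "__main__":
    for r in triage(["10.0.0.5", "203.0.113.10", "198.51.100.7", "192.0.2.44"], SAMPLE_RESPONSES):
        print(r["level"], r["ip"], r["total"], r["breakdown"])
```

Skipping RFC 1918 and similar ranges before the lookup matters for more than noise: sending internal addresses to a third-party service leaks topology and burns API quota. Treating an IP with zero reports as Gray rather than Blue keeps "no intelligence" distinct from "low risk", which is the distinction the colour legend above draws.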

Gain an Investigative Edge: Try Axiom Cyber for free

The IOC Insights Dashboard cuts through the noise, surfaces the most relevant data, and accelerates time to resolution when investigating complex cyberthreats. You can try Axiom Cyber—including all the capabilities noted above, and more—by requesting a free trial.
