Indicator of Attack
An IOA describes attacker behavior, such as a script spawning PowerShell to disable logging, rather than a static artifact like a hash. Detection teams write rules around IOAs to catch attacks in progress even when the specific malware is brand new. They matter because behaviors change far less often than the tools attackers use, making IOA-based detection more durable than IOC matching.