What is the best way to store a newly-found IOC during an investigation?


The best way to store a newly-found Indicator of Compromise (IOC) during an investigation is to click the "Add Artifact" button. This action directly associates the IOC with the specific case or investigation context, ensuring that it is properly tracked and utilized throughout the investigation process. By adding it as an artifact, security professionals can make the IOC easily accessible for further analysis and correlation with other data sources within the platform.

Using the appropriate functionality within the case management system not only makes IOCs easier to manage and reference but also streamlines sharing this information with team members involved in the investigation. This method is also aligned with incident response best practices, where capturing and categorizing relevant data points is crucial for reaching accurate conclusions and taking appropriate remedial action.

While documenting the IOC in the case file, adding it to the threat feed, or logging it in an incident report are all important parts of the overall investigation process, none of them offers the same immediate integration and operational efficiency as the "Add Artifact" function. This feature is specifically designed for IOCs and helps maintain a structured approach to investigations.
