and Action

Security analysts today are beset with a singular focus on incidents. A drawback of this focus is that common patterns and links between underlying indicators that define incidents get ignored. A wide variety of attacks might be defined by the same set of malicious indicators, but a lack of indicator visibility results in repetitive response actions for each attack that could otherwise have been avoided.

Indicator Visibility with Demisto

Central Repository

The central indicator repository automatically records and captures all indicators present in Demisto incidents.

Search and Query

Powerful search and query operations across time, frequency, indicator type, and malice for quick retrieval of indicator data cross-sections.

Correlations and Trends

Demisto automatically cross-correlates indicators across incidents, enabling quick identification of persistent IOCs across user environments.


Demisto allows for creation of custom indicator types with matched Regex entries, custom indicator fields and labels, and custom indicator field layouts for tailored user needs.


UI-based deletion and whitelisting for quick identification of and action on indicators from a single console.

Third-Party Ingestion

Consume indicators through manual creation, STIX/CSV file uploads, and mail listener integrations for enriched indicator database.