Skip to content
Mimir

Add an indicator

Add an indicator

The Indicators page is where every IOC (indicator of compromise) Mimir tracks comes to live. Most indicators arrive automatically from the threat feeds you’ve enabled, but you can also add your own by hand: a hash from an incident response ticket, a registry key from a malware analyst’s write-up, a filename your team has decided is suspect in your environment. This page is for the by-hand path.

What you get

Two affordances at the top of the page do the work:

Add Indicator opens an inline form for a single IOC:

  • Type picker — pick from the nine supported types (see Indicator types). Defaults to SHA256.
  • Value — the actual hash, filename, path, registry key, IP, domain, or URL.
  • Severitycritical, high, medium, low, or info. Mimir uses this to rank alerts later; default is medium.
  • Description (optional) — free-text context. Shows up on the alert when this indicator matches.
  • Tags (optional, comma-separated) — searchable labels. Useful for grouping a batch (“ransomware-ioc”, “ir-ticket-4192”) so you can filter the indicators table later.

Bulk Import opens a textarea where you paste one IOC per line. The type is auto-detected per line using the same sniffer the Quick Hunt input uses:

  • 64 lowercase hex chars → SHA256
  • 40 lowercase hex chars → SHA1
  • 32 lowercase hex chars → MD5
  • A line starting with HKEY_ → Registry key
  • A line containing / or \ → Filepath
  • Everything else → Filename

The button label updates live as you type — “Import 14 lines” — so you can confirm the line count before you commit. After import Mimir returns three counts: how many indicators were created, how many were duplicates that already existed, and how many failed validation. Duplicates are not an error; they just mean the IOC was already in your database (manually added earlier, or imported by a feed).

Why use it

Three patterns:

  1. Incident response. A vendor’s IR report lists ten hashes; you paste them into Bulk Import, click the button, and the next watchlist tick (within 15 minutes) sweeps your fleet for matches.
  2. Hand-curated allowlist-by-deactivation. An imported feed indicator is producing false positives in your environment. Rather than removing it, you toggle it inactive in the indicators table — Mimir keeps the row but stops matching on it. A new feed poll that re-imports the same value will not reactivate it. See Matching modes for details on the deactivation flow.
  3. Test-the-pipeline. Add a known-safe SHA256 with severity info, then run a quick hunt against it (Hunts) to confirm the agents are dispatching and reporting correctly.

How to use it

Adding one indicator

  1. Open Indicators from the left nav.
  2. Click Add Indicator (top right).
  3. Pick the type. If you’re not sure, paste the value first and let Bulk Import auto-detect, then come back.
  4. Fill in the value. The form validates server-side on submit — ValidateIOCValue rejects private and loopback IPs, malformed hashes, and domain syntax that doesn’t parse.
  5. Pick a severity. Default medium is a safe middle ground.
  6. Optional: add a description and tags. Both are searchable in the indicators table later.
  7. Click Add Indicator. On success the new row appears at the top of the table and the N active counter in the page header ticks up by one.

Bulk importing

  1. Click Bulk Import (top right).
  2. Paste your IOCs into the textarea, one per line. Trailing or leading whitespace is trimmed.
  3. Watch the button label confirm the line count.
  4. Click the import button. Mimir reports N created, M duplicates, K errors in a toast.

Bulk import always submits with severity medium and no description or tags. If you need richer metadata, add those rows through the single-add form, or do a quick post-import edit pass.

What happens after you add

Every newly-created IOC triggers two pieces of work:

  1. A 90-day retroactive scan. The matcher walks the last 90 days of query results looking for any host that’s already seen the indicator. If it finds anything, you get a “late match” alert tagged historical_match — even though the indicator wasn’t known at the time the activity happened. This is one of Mimir’s most useful features: a hash you add today catches a host that ran the binary three weeks ago.
  2. A real-time watchlist registration. From the moment the row exists, the next watchlist tick (every 15 minutes) compiles your active indicators into osquery SQL and dispatches it to every connected agent. New matches arrive as watchlist_pack alerts.

See Matching modes for a deeper look at each of these paths.

Troubleshooting

“Failed to add indicator” with a 400 response. The value didn’t pass server-side validation. The toast carries the reason. Common cases: a domain with invalid syntax, an IPv4 in a reserved range (loopback, private, multicast, broadcast — these are intentionally rejected because they generate noise), or a hash that’s the wrong length for its declared type.

“Bulk import: 0 created, N duplicates, 0 errors.” Every line you pasted was already in the database. Open the indicators table and search for one of the values to confirm. If your intent was to re-activate them, toggle them active individually — the importer deliberately doesn’t flip inactive IOCs back on.

The IOC I added isn’t matching even though I know the host has it. Two likely causes. First, the host hasn’t checked in since the watchlist tick that would carry your IOC — watchlist queries go out every 15 minutes to currently-connected agents, so an offline host won’t see them. Second, the IOC type doesn’t apply to the kind of evidence the host has: a SHA256 only matches files osquery has hashed, not in-memory-only artifacts. See Indicator types for the full match-source matrix.

Permissions

Adding indicators (POST /api/v1/iocs, POST /api/v1/iocs/bulk) is gated by withAnyAuth — every signed-in user can add, edit, and deactivate indicators. There’s no separate “threat analyst” role in v1; the boundary is the deployment.

Where to next

  • Indicator types — what the type taxonomy means and where each type matches against agent activity.
  • Matching modes — how the watchlist, the historical scan, and hunts use the indicators you add.
  • Launch a hunt — drive a one-shot fleet sweep against a single indicator from the Hunt → shortcut on each indicator row.