Not intelligence. It’s a source of information about a threat that can serves as data points for intelligence.
They need to be checked not only at host level but also at network level.
Unauthorized Software and Files
Software that are not authorized to run on your network. This is why an inventory of software is important to have.
Often used to send malicious data to a target. Email sender’s email address, joint files and headers can be good IoC.
Suspicious Registry and File System Changes
Specially look for auto-starting at boot.
Unknown Ports and Protocol Usage
Ports normally not used in normal operation is a good IoC. Seeing excessive bandwidth usage on a system or network itself is also a good indicator.
To recognize all of that, we need to know our current “baseline”, i.e. what ports are normally used, how much bandwidth usage is “normal use”.
An hardware that shouldn’t be in the network.
Service Disruption and Defacement
The later is obvious, the former, not so, as we need to recognize malicious from non-malicious disruption.
Suspicious or Unauthorized Account Usage
Account of applications such as Sharepoint, Exchange, IIS, SQL etc. used for other things that their primary function.