An Indicator of Compromise (IOC) is any behaviour that appears suspicious. IOCs could be unexpected actions performed by programs or unusual end-user activity. They work well when you have completed some baselining and then find anomalies against that baseline. They become the basis on which security analysts begin their investigations.