Custom indicators of compromise in SaaS Alerts


At SaaS Alerts, our mission is to redefine SaaS security by delivering world-class solutions that enable businesses to work securely and confidently in their collaborative cloud environments. We’re driven by continuous innovation, market responsiveness and an unwavering commitment to empowering businesses worldwide.

As the threat landscape continues to evolve at an unprecedented pace, the tools and intelligence we offer must also evolve just as quickly. This latest product enhancement represents a strategic leap in that evolution.

Organizations today face a new breed of cyberthreats with more persistent and coordinated attack patterns. To stay ahead of threat actors and protect their business and clients effectively, MSPs and SMBs alike must level up their capabilities to not only detect anomalies or suspicious behavior but also identify meaningful patterns, correlate signals across SaaS environments and act decisively in real time.

That’s why we’re thrilled to introduce custom indicators of compromise (IOCs), a powerful new feature designed to put the power of threat-pattern recognition directly into your hands. Read on to discover how this innovative feature can help you better protect your business and proactively respond to threats before they escalate.

What are indicators of compromise in SaaS Alerts?

IOCs harness the power of the “Respond” functionality in SaaS Alerts, enabling criteria-based customization using Product(s), Organization(s), Account(s) and Event(s) to create tailored security events. IOCs allow you to craft fully customized Event Descriptions and Details. This flexibility ensures each IOC communicates the exact context and urgency your IT team needs when incidents occur.

IOCs enable organizations to tailor threat response based on the following:

Product(s): Target specific SaaS platforms like Microsoft 365, Salesforce and others, ensuring that detection is tightly aligned with the services you monitor.

Organization(s): Customize IOCs at the client level, supporting individual tenants or groups of customers with unique security needs.

Account(s): Drill down to specific user profiles, enabling precise detection based on user behavior or risk posture.

Event(s): Define the exact behavior patterns, threat signals or incident types that trigger a response, from unusual login patterns to risky file-sharing activity.

The new IOC capability is available in the “Respond” module for rule creation and can be accessed in “Analyze” for gathering and analyzing data and reporting.

Figure 1: IOC Rule List, where you can view all of your IOCs and see, at a glance, which are in draft mode versus active.

Event Description and Description Details Builder allow you to use short codes and free text to compile the exact message you want displayed in the system when IOCs are logged.

Tip: An IOC on its own does not trigger an automated response. This lets you observe how it behaves in the environments you manage and refine your detection logic before you add it to a Respond rule.

Figure 2: Final sample preview of IOC Event output after configuration of the Event Description and Event Description Details.

Why IOCs matter for businesses

With the cyberthreat landscape changing rapidly, MSPs and SMBs need innovative solutions that not only detect threats in real-time but also provide clarity and context. SaaS Alerts’ custom IOCs are designed to give IT professionals complete control and visibility across SaaS environments.

Tailored event descriptions

IOCs allow you to write clear, contextual and custom event descriptions, eliminating vague or generic alerts. You can define exactly what each threat signal represents. This will help your technicians know exactly what they’re dealing with at a glance, eliminating guesswork and streamlining incident triage and resolution. Instead of wasting time deciphering ambiguous messages, your team can take action faster.

Precision through aggregation

Modern threats usually appear as a series of subtle behaviors or actions that form or reveal a pattern over time. SaaS Alerts’ IOC framework lets you aggregate those patterns into high-fidelity, rule-based detections that are both specific and actionable.

You can build rules for high-fidelity incidents like:

  • Multiple IAM failures within 15 minutes
  • Login attempts from three distinct geographies within one hour
  • A potential supply chain attack involving multiple external file shares within 30 minutes combined with a file upload or download event

With IOCs, you can also customize thresholds and time frames to align with each organization’s risk tolerance.
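The three aggregated detections above (and the brute-force scenario in the use cases further down) share one mechanism: count events that match a predicate, per account, inside a sliding time window, and fire once a threshold is reached. The following is an added illustration of that mechanism in Python; it is not SaaS Alerts code, and the event fields, rule names, description placeholders and sample audit events are all constructed for the example.

```python
"""Sliding-window aggregation over constructed SaaS audit events (added example, not SaaS Alerts code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    product: str
    kind: str            # constructed kinds: login_failure, login_success, file_share_external, file_upload, file_download
    ip: str = ""
    country: str = ""


@dataclass
class Rule:
    name: str
    window: timedelta
    match: Callable[[Event], bool]                        # which events the rule counts
    threshold: int                                        # minimum matched events (or distinct values) in the window
    distinct_key: Optional[Callable[[Event], str]] = None  # count distinct values of this key instead of events
    require: Optional[Callable[[Event], bool]] = None      # a companion event that must also appear in the window
    description: str = ""                                 # assumed template: {account}, {count}, {window_min}


@dataclass(frozen=True)
class Alert:
    rule: str
    account: str
    at: datetime
    description: str


class Evaluator:
    """Keeps, per (rule, account), the recent events inside the rule's window and fires once per burst."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.buffers: Dict[tuple, Deque[Event]] = defaultdict(deque)
        self.fired: set = set()  # (rule, account) pairs already alerted for the current burst

    def ingest(self, ev: Event) -> List[Alert]:
        alerts = []
        for rule in self.rules:
            key = (rule.name, ev.account)
            buf = self.buffers[key]
            if rule.match(ev) or (rule.require is not None and rule.require(ev)):
                buf.append(ev)
            # evict events that have aged out of the window (events must arrive in time order)
            while buf and ev.ts - buf[0].ts > rule.window:
                buf.popleft()
            if not buf:
                self.fired.discard(key)  # burst is over; allow the rule to fire again later
                continue
            matched = [e for e in buf if rule.match(e)]
            count = len({rule.distinct_key(e) for e in matched}) if rule.distinct_key else len(matched)
            companion_ok = rule.require is None or any(rule.require(e) for e in buf)
            if count >= rule.threshold and companion_ok and key not in self.fired:
                self.fired.add(key)
                text = rule.description.format(account=ev.account, count=count,
                                               window_min=int(rule.window.total_seconds() // 60))
                alerts.append(Alert(rule.name, ev.account, ev.ts, text))
        return alerts


# The three detections from the text, expressed as rules.
RULES = [
    Rule("Multiple IAM failures", timedelta(minutes=15),
         match=lambda e: e.kind == "login_failure", threshold=5,
         description="{account}: {count} failed sign-ins within {window_min} minutes"),
    Rule("Logins from distinct geographies", timedelta(hours=1),
         match=lambda e: e.kind == "login_success", threshold=3,
         distinct_key=lambda e: e.country,
         description="{account}: successful sign-ins from {count} countries within {window_min} minutes"),
    Rule("External shares with file transfer", timedelta(minutes=30),
         match=lambda e: e.kind == "file_share_external", threshold=3,
         require=lambda e: e.kind in ("file_upload", "file_download"),
         description="{account}: {count} external shares plus a file transfer within {window_min} minutes"),
]

# Constructed sample audit events (accounts, IPs and countries are placeholders).
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    # alice: six failures in under four minutes -> rule 1 fires on the fifth
    *[Event(T0 + timedelta(seconds=40 * i), "alice@example.com", "M365", "login_failure", ip="203.0.113.7") for i in range(6)],
    # bob: three successful logins from three countries within 50 minutes -> rule 2 fires
    Event(T0 + timedelta(minutes=5), "bob@example.com", "M365", "login_success", ip="198.51.100.2", country="US"),
    Event(T0 + timedelta(minutes=25), "bob@example.com", "M365", "login_success", ip="198.51.100.9", country="DE"),
    Event(T0 + timedelta(minutes=55), "bob@example.com", "M365", "login_success", ip="198.51.100.23", country="BR"),
    # carol: three external shares but no upload/download -> rule 3 stays quiet
    *[Event(T0 + timedelta(minutes=10 + i), "carol@example.com", "M365", "file_share_external") for i in range(3)],
    # dave: three external shares then a download 20 minutes later -> rule 3 fires
    *[Event(T0 + timedelta(minutes=i), "dave@example.com", "M365", "file_share_external") for i in range(3)],
    Event(T0 + timedelta(minutes=20), "dave@example.com", "M365", "file_download"),
    # erin: four failures spread over 40 minutes -> never five inside any 15-minute window
    *[Event(T0 + timedelta(minutes=10 * i), "erin@example.com", "M365", "login_failure", ip="203.0.113.9") for i in range(4)],
]


def run(events: List[Event] = SAMPLE_EVENTS, rules: List[Rule] = RULES) -> List[Alert]:
    """Replay events in timestamp order and return every alert raised."""
    evaluator = Evaluator(rules)
    alerts: List[Alert] = []
    for e in sorted(events, key=lambda e: e.ts):
        alerts.extend(evaluator.ingest(e))
    return alerts


if __name__ == "__main__":
    for a in run():
        print(a.at.isoformat(), a.rule, "->", a.description)
```

Two design points carry over to real rule tuning: the threshold and window live on the rule, not in the evaluator, so the same rule can be cloned with looser numbers for a client with a higher tolerance, and the evaluator fires once per burst rather than on every additional event, which is what keeps a brute-force run from producing dozens of identical alerts.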

Real-time threat hunting capabilities

Timing is everything when dealing with threats or cyber incidents. IOCs give MSPs and SMBs the speed and visibility they need to act before any damage is done. IOCs in SaaS Alerts are not just alerts — they’re tools for pattern recognition. They allow you to detect early warning signs of an attack by correlating behaviors that might seem harmless individually but together paint a clear picture of malicious activity.

With custom IOCs, you can:

Identify sequences that precede breaches, such as access attempts followed by privilege escalation or data export.

Flag recurring behavior across user accounts, which may indicate coordinated attacks or compromised insiders.

Take action earlier in the threat timeline, which helps minimize dwell time and reduce the risk of escalation.

Use case scenarios

Custom IOCs in SaaS Alerts allow you to create custom events, including specific actions your IT team should take. They can be tailored to adapt to unique environments, which enables more intelligent security outcomes. Here are three practical scenarios that illustrate how you can leverage IOCs to enhance protection, optimize workflows and tailor your approach to your organization’s unique operational needs.

  1. Proactive defense

Imagine an MSP or an organization that has noticed a pattern: several brute-force login attempts, which typically precede phishing attacks.

The team creates an IOC that flags brute-force behaviors, such as multiple failed login attempts from suspicious IPs within a short time frame. With this rule in place, the security team can stop threats before a user clicks a malicious link. This kind of proactive threat hunting turns patterns into actionable insights that keep client environments safe.

  2. Customized responses based on risk profile

Every organization has a unique risk profile. For example, a high-security organization like a financial services provider may require aggressive detection thresholds. In contrast, a smaller business or less sensitive operation that has broader tolerance levels might need wider thresholds to reduce alert fatigue.

SaaS Alerts’ custom IOCs allow you to configure threat detection based on an organization’s risk tolerance. This ensures every organization, whether highly regulated or more flexible, gets the right level of protection while reducing unnecessary alerts.

  3. Streamlined SOC operations

SOC analysts often face an overwhelming number of alerts — many of them false positives, low-priority or poorly contextualized — resulting in inefficiency and wasted time. SaaS Alerts’ IOCs help solve that by enabling well-defined, high-fidelity alerts with custom Event Descriptions and relevant context.

Why partners should be excited

With IOCs, partners gain unmatched control and precision. You can define custom, aggregated events, such as “multiple IAM failures,” triggered by thresholds like frequency within a set time frame and tailored uniquely per the organization’s risk tolerance. From unique login behaviors to sensitive data movement, you’re in control of what gets flagged, how it’s interpreted and what response is triggered.

More than just alerts, IOCs empower threat hunting: If technicians identify a recurring pattern that precedes a breach, IOCs can be configured to flag that exact sequence. This proactive approach alerts your team to potential threats before damage is done.

IOCs in SaaS Alerts bridge the gap between automation and intelligence. With custom event descriptions and contextual alerting, your security team understands exactly what they’re dealing with. This helps them respond to threats with confidence and speed.

For MSPs in a highly competitive market, differentiation is key. With IOCs, you can now offer tailored detection rulesets per client, showcasing your ability to provide highly personalized and strategic security services.

IOCs put the power back in your hands, enabling you to define and act on what truly matters to your business and your clients.

Meanwhile, for SMBs, you can tailor detection rulesets based on location, personnel or other factors that best fit your business.

The future of custom SaaS threat detection starts with SaaS Alerts

Reactive defense strategies are no longer enough for today’s complex cybersecurity challenges. Your business needs adaptable, intelligent solutions to effectively protect and manage your SaaS environments.

With custom IOCs, SaaS Alerts empowers organizations to strengthen protection, streamline threat detection and optimize security operations. This innovation marks a significant step forward in our ongoing mission to support businesses with tools that evolve alongside tomorrow’s threats and business needs.

Get started today

We’re excited to share that SaaS Alerts’ custom IOCs are now available to all partners. If you haven’t already, log in to your SaaS Alerts console today and start building your first custom IOC. Take control, enhance your service offerings and transform your security operations with the flexibility and power only SaaS Alerts provides.

Ready to try IOCs?

Log in now and create your first custom IOC.

New to SaaS Alerts?

Schedule a demo or learn more about how SaaS Alerts can help you protect smarter, respond faster and grow stronger.
