Which term identifies signals that an attack is likely occurring?

Indicators of Attack are signals that an attacker is in progress or very likely to begin, based on observed behaviors and patterns rather than just known bad files. They focus on how the attacker operates—techniques like unusual process creation, privilege escalation, lateral movement, or anomalous network activity—so they can flag real-time or near-future threats. This makes IOAs useful for proactive detection and threat hunting, catching attacks as they unfold or are about to unfold. They differ from Indicators of Compromise, which are artifacts tied to past breaches (like specific file hashes or known bad IPs) and don’t necessarily reveal ongoing activity. The other terms describe interface elements or general event data, not the specific behavioral signals that indicate an active or imminent attack.