Which term refers to rules created to identify potential security threats?

Prepare for the WatchGuard Endpoint Security Essentials Test. Study with multiple choice questions, hints, and explanations. Boost your exam readiness now!

Multiple Choice

Which term refers to rules created to identify potential security threats?

Explanation:
The key concept is the signals or patterns used to detect suspicious activity that could indicate an attacker is present or about to act. Indicators of Attack are specifically the rules or patterns security tools watch for to flag potential threats in real time. These signals focus on attacker behavior and techniques (things like unusual process creation, sudden privilege escalations, or rapid changes to critical system files) that suggest an attack is underway or imminent.

In contrast, indicators of compromise are artifacts left behind after an incident (like known malicious hashes, IPs, or file names) used to confirm that something has already happened. The other options describe services or features that are not the detection signals themselves: a threat hunting service is a proactive activity to look for threats; endpoint security trials are product trial programs; license activation is a licensing step.

