Supply-chain IOC (Manual Indicators)
Operator-supplied indicators (package + version range) cross-referenced against every submitted SBOM. Dry-run before apply, full audit history.
WASViking® Supply-chain IOC lets an operator apply indicators of compromise (IOCs) sourced from threat intel, vendor advisories, internal triage, or anywhere outside the automated OSV + CISA KEV feeds. Each IOC is a package and version range that gets cross-referenced against every SBOM submitted by your Sentinel agents.
This is the page at Inventory → SBOM → Supply-chain IOC in the portal.
When to use it
The automated Supply Chain Intel covers OSV and CISA KEV. Use Manual IOC when:
- A vendor advisory is published before OSV picks it up.
- Your threat intel team has a specific package + version they want validated against your inventory before a public advisory exists.
- You are responding to an incident and need to confirm exposure to a known-bad component in minutes.
- You want to mark an internal package as restricted, with the same Finding lifecycle as a public advisory.
How it works
The operator opens Supply-chain IOC, fills the IOC form, runs a Dry-run to preview matches, then clicks Apply to promote each match to a Finding.
Cross-reference your operator-supplied supply-chain indicators (package + version range) against every SBOM submitted by your Sentinel agents. Matches are promoted into Findings with category
vulnerable_componentandsource = manual_ioc.
The form
| Field | Value |
|---|---|
| Mode | Simple (one IOC) for a single indicator. Bulk mode is available for high-volume operators. |
| Ecosystem | Any matches across ecosystems. Pick a specific one (npm, PyPI, Go, Maven, etc.) to scope. |
| Package name | The package identifier (@tanstack/react-router, requests, github.com/owner/repo). |
| Version range | A version range expression, e.g., >=1.131.0 <1.131.4. Semver or ecosystem-specific syntax accepted. |
| Severity | Critical, High, Medium, Low, or Informational. Drives the resulting Finding severity. |
| Advisory ref | Optional reference identifier (GHSA-xxxx, CVE-…, vendor advisory URL). Carried on the Finding for traceability. |
Dry-run before Apply
The form has two buttons:
- Dry-run: previews what would happen. The system runs the match against every active SBOM and shows the count of matching SBOMs, matching components, and Findings that would be opened or re-opened. No Findings are created, no alerts are sent.
- Apply: commits the IOC. Matches become Findings under the standard workflow; alerts fire according to your Notification Channels configuration.
Always Dry-run first when applying an IOC with a broad version range or
Anyecosystem. Broad IOCs can match more components than intended.
Findings produced
| Field | Value |
|---|---|
| Category | vulnerable_component |
| Source | manual_ioc |
| Severity | From the IOC form |
| Advisory ref | From the IOC form |
| Audit trail | Operator, timestamp, dry-run history, application history |
Findings inherit the standard
Findings workflow, with status
transitions and webhook events. The source = manual_ioc tag
distinguishes them from advisories that came in through automated
Continuous Watch.
Monthly usage and quota
Each plan has a per-month cap on IOC applications. The portal shows the current usage at the top of the page:
MODE MONTHLY USAGE
Simple (one IOC) 0 of 5 used this period
When the quota is exhausted, the Apply button is disabled until the next period or until you upgrade your plan.
Recent applications
The bottom of the page lists the last 50 IOC applications.
| Column | Notes |
|---|---|
| When | Timestamp of the Apply action. |
| IOCs | Number of IOCs in the application (1 in Simple mode). |
| SBOMs | Number of SBOMs the matcher ran against. |
| Matches | Number of component matches found. |
| Findings | Number of Findings opened or re-opened. |
| Reopened | Number of previously closed Findings that came back. |
The history is for operator audit. Every Apply action is also written
to the customer-facing audit log under audit_logs:read scope.
REST API
For automation (importing IOCs from a threat intel platform, for example).
| Method | Path | Scope |
|---|---|---|
POST |
/api/v1/public/supply-chain/iocs/dry-run |
sca:ioc |
POST |
/api/v1/public/supply-chain/iocs/apply |
sca:ioc |
GET |
/api/v1/public/supply-chain/iocs/history |
sca:ioc |
Auth scheme is ApiKey wv_live_*. Encrypted IDs on the wire. See
Authentication.
Plan availability
Manual IOC is available across all plans, with per-plan monthly quotas:
| Plan | Default monthly IOC quota |
|---|---|
| Starter | Limited; see Usage. |
| Pro | Higher cap. |
| Enterprise | Negotiable. |
Tracked in Settings → Usage. Quota can be increased on request.
What it does NOT do
- No real-time feed. This is operator-driven, one IOC at a time (or bulk via API).
- Does not replace Supply Chain Intel. Use it alongside the automated Continuous Watch, not instead of it.
- No automatic remediation. Matches become Findings; the operator decides what to do next.
How this fits with the rest of the supply chain story
| Layer | When to use |
|---|---|
| Supply Chain Intel | The default. Daily OSV + CISA KEV cross-reference, fully automated. |
| Supply-chain IOC (this page) | Operator-supplied indicators outside the automated feeds. |
wasviking-sentinel sbom |
Build-time gate. |
| SBOM Evidence Bundle | Auditable artifact for compliance and customer due diligence. |
The capability summary lives at Software Supply Chain.