What do custom IOA rules monitor?

Prepare for the CrowdStrike Certified Falcon Administrator Exam. Dive into detailed flashcards and multiple choice questions, each with hints and explanations. Ace your CCFA test!

Custom IOA (Indicator of Attack) rules are designed to monitor behaviors that are suspicious or anomalous but not necessarily malicious in themselves. These rules focus on detecting the tactics, techniques, and procedures attackers use that fall outside the typical or expected behavior patterns of a network or system.

Because they monitor behaviors rather than resource metrics such as file size changes, network speed, or bandwidth usage, custom IOA rules can identify potential threats that are trying to evade standard security measures. This proactive stance allows organizations to catch subtle signs of compromise before they escalate into more significant incidents.

In contrast, the other options do not align with the purpose of custom IOA rules. Network speed and bandwidth usage are measures of resource utilization rather than security threats, and a file size change on its own does not provide enough context to determine whether a malicious action is taking place. Thus, "monitoring behavior that is not fundamentally malicious" is the option that accurately reflects the true function of custom IOA rules.
