What is the most widely used indicator of compromise format?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

What is the most widely used indicator of compromise format?

Explanation:
YARA rules provide a flexible rule language tailored to malware identification, making them the most practical and widely used format for expressing indicators of compromise. A rule describes patterns—strings, byte sequences, regular expressions, and file metadata—and a condition that determines when those patterns indicate a match. This lets analysts concisely capture how a piece of malware or a family looks across files, memory, and artifacts, enabling speedy detection with portable rules that can be shared and applied across tools, endpoints, sandboxes, and scanners. The ecosystem thrives on community-contributed rules and straightforward readability, which sustains its broad adoption in incident response and threat hunting. By comparison, threat-intelligence formats like STIX focus on sharing comprehensive data and relationships rather than a lightweight, executable pattern format; OpenIOC was an earlier format with limited momentum; CRITS is a platform for managing IOCs rather than a universal rule language.