What indicators of compromise (IOCs) do you look for when investigating a potential network intrusion?