Manage Existing Rules

Edit, export, copy, disable, and remove rules, and add rule exceptions for the Cortex XDR app.
After you create a BIOC or IOC rule, you can take the following actions:

Edit a Rule

After you create a rule, it may be necessary to tweak or change the rule settings.
  1. Select RULES and the type of rule (BIOC).
  2. Locate the rule you want to edit.
  3. Right-click anywhere in the rule row and then select Edit.
  4. Edit the rule settings as needed.
     For BIOCs, you can edit the rule settings, which include the name, severity, and BIOC type. You can also click the pencil icon next to the BIOC summary to edit the behavioral characteristics. If you make any changes, Test and then Save the rule.
  5. Adjust the schedule settings as needed, and then click OK.

Export a Rule (BIOC Only)

  1. Select RULES > BIOC.
  2. Select the rules that you want to export.
  3. Right-click any of the selected rows, and select Export selected.
     The exported file is not editable; however, you can use it as a source to import the rules at a later date.

Copy a Rule

You can use an existing rule as a template to create a new one. Global BIOC rules cannot be deleted or altered, but you can copy a global rule and edit the copy. See Manage Global BIOC Rules.
  1. Select RULES and the type of rule (BIOC or IOC).
  2. Locate the rule you want to copy.
  3. Right-click anywhere in the rule row and then select Copy to create a duplicate rule.

Disable or Remove a Rule

If you no longer need a rule, you can temporarily disable or permanently remove it.
You cannot delete global BIOCs delivered with content updates.
  1. Select RULES and the type of rule (BIOC or IOC).
  2. Locate the rule that you want to change.
  3. Right-click anywhere in the rule row and then select Remove to permanently delete the rule, or Disable to temporarily stop the rule. If you disable a rule, you can later return to the rule page to Enable it.

Add a Rule Exception

If you want to create a rule to take action on specific behaviors but also want to exclude one or more indicators from the rule, you can create a rule exception. An indicator can be the SHA256 hash of a process, a process name, a process path, a vendor name, a user name, a causality group owner (CGO) full path, or process command-line arguments. For more information about these indicators, see Cortex XDR Rules. For each exception, you also specify the rule scope to which the exception applies.
Cortex XDR only supports exceptions with one attribute. See Add an Alert Exclusion Policy to create advanced exceptions based on your filtered criteria.
  1. From Cortex XDR, select Rules > Rule Exceptions.
  2. Select + New Exception.
  3. Configure the indicator and condition for which you want to set the exception.
  4. Choose the scope of the exception: whether it applies to IOCs, BIOCs, or both.
  5. Save the exception.
     By default, activity matching the indicator does not trigger any rule in the selected scope. As an alternative, you can restrict the exception to one or more specific rules. After you save the exception, the Exceptions count for each affected rule increments. If you later edit the rule, you will also see the exception listed in the rule summary.
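The following added example is a small model of the exception semantics described above (one indicator attribute per exception, an IOC/BIOC scope, and either all rules or a selected set), written to help reason about what a given exception will silence. It is not Cortex XDR code; the field names, the event dictionary layout and the sample exceptions are assumptions constructed for illustration.

```python
"""Model of how a Cortex XDR rule exception suppresses a rule match.
Added illustration only; attribute names and the event layout are assumed."""
from dataclasses import dataclass, field

# The indicator attributes the page lists as supported for an exception.
INDICATOR_ATTRS = {"sha256", "process_name", "process_path", "vendor",
                   "user", "cgo_path", "cmdline"}


@dataclass
class RuleException:
    attribute: str                  # exactly one supported indicator attribute
    value: str                      # the value the activity must match
    scope: set                      # subset of {"IOC", "BIOC"}
    rules: set = field(default_factory=set)  # empty set = applies to all rules

    def __post_init__(self):
        if self.attribute not in INDICATOR_ATTRS:
            raise ValueError(f"unsupported indicator attribute: {self.attribute}")
        if not self.scope or not self.scope <= {"IOC", "BIOC"}:
            raise ValueError("scope must be IOC, BIOC, or both")


def is_excluded(event, rule_name, rule_type, exceptions):
    """True if any exception silences `rule_name` (of type IOC or BIOC) for
    this event. `event` maps indicator attribute -> observed value."""
    for exc in exceptions:
        if rule_type not in exc.scope:              # wrong scope, skip
            continue
        if exc.rules and rule_name not in exc.rules:  # limited to other rules
            continue
        if event.get(exc.attribute) == exc.value:    # single-attribute match
            return True
    return False


def count_exceptions_for_rule(rule_name, rule_type, exceptions):
    """The per-rule Exceptions count: exceptions whose scope covers the rule
    type and that either apply to all rules or name this rule."""
    return sum(1 for e in exceptions
               if rule_type in e.scope and (not e.rules or rule_name in e.rules))


# Constructed sample exceptions (hypothetical rule and process names).
EXCEPTIONS = [
    RuleException("process_name", "backup_agent.exe", {"BIOC"}),
    RuleException("user", "svc_scanner", {"IOC", "BIOC"}, {"Suspicious PowerShell"}),
]
```

Running `count_exceptions_for_rule` over every rule is a quick way to spot broad exceptions (empty `rules` set, both scopes) that silence more than intended.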
