Cortex XDR – Investigation and Response Rules

Rules enable you to generate alerts and take other actions on threats that you define. Cortex XDR – Investigation and Response supports the following rule types:
  • Behavioral indicators of compromise (BIOCs)—A BIOC describes a pattern of activity rather than a fixed artifact: a specific combination of network, process, file, or registry events that indicates a threat. Identifying threats by behavior is harder than matching known artifacts, but a BIOC keeps alerting when an attacker changes a hash, domain, or file name, because it detects the technique itself. As you identify such activity, you create BIOCs that alert you when the behavior is detected.
  • Indicators of compromise (IOCs)—Known artifacts that are considered malicious or suspicious. IOC rules are static and match on criteria such as SHA256 hashes, IP addresses and domains, file names, and paths. You create IOC rules from information that you gather from threat-intelligence feeds or from an investigation within Cortex XDR – Investigation and Response. Because an IOC matches one exact artifact, an attacker defeats it by changing that artifact (recompiling a binary, registering a new domain), so IOC rules work best alongside BIOCs that cover the behavior behind them.
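The following is an added illustration, not Cortex XDR code and not its rule syntax: a generic Python evaluator that runs a static IOC set (hash, path, domain, IP) and two behavior rules in the BIOC style over constructed endpoint telemetry. All hashes, paths, domains, addresses, and command lines are made up for the example; the point it demonstrates is that the same tool recompiled to a new hash slips past the IOC rules but still trips the behavior rules.

```python
"""Static IOC matching beside behavior (BIOC-style) matching over constructed events.

Example code written for this page; it is not Cortex XDR's implementation or rule
format. Every indicator and event below is constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcessEvent:
    """One endpoint telemetry record (constructed schema, not a vendor format)."""
    pid: int
    image: str             # full path of the executed image
    sha256: str            # hash of the image file
    cmdline: str
    parent_image: str      # full path of the parent process image
    dst_domain: str = ""   # outbound connection target, if the process made one
    dst_ip: str = ""


# --- IOC rules: exact, static artifacts (hypothetical values) ---------------------
IOC_SHA256 = {"ab" * 32}                        # made-up hash of a known-bad sample
IOC_PATHS = {r"c:\users\public\update.exe"}     # compared case-insensitively
IOC_DOMAINS = {"malicious.example"}             # .example is a reserved TLD
IOC_IPS = {"203.0.113.7"}                       # TEST-NET-3 documentation range


def _domain_listed(domain: str) -> bool:
    """Match the domain or any subdomain of a listed domain, ignoring a trailing dot."""
    d = domain.lower().rstrip(".")
    return any(d == ioc or d.endswith("." + ioc) for ioc in IOC_DOMAINS)


def match_iocs(ev: ProcessEvent) -> list[str]:
    """Return the names of the static indicators this event matches, in fixed order."""
    hits = []
    if ev.sha256.lower() in IOC_SHA256:
        hits.append("ioc:sha256")
    if ev.image.lower() in IOC_PATHS:
        hits.append("ioc:path")
    if _domain_listed(ev.dst_domain):
        hits.append("ioc:domain")
    if ev.dst_ip in IOC_IPS:
        hits.append("ioc:ip")
    return hits


# --- BIOC-style rules: describe behavior, not a specific artifact -----------------
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _has_encoded_command(cmdline: str) -> bool:
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
    so check each switch token as a prefix instead of listing spellings."""
    for tok in cmdline.split():
        if tok[:1] in "-/" and len(tok) > 1:
            name = tok[1:].lower()
            if name.startswith("e") and "encodedcommand".startswith(name):
                return True
    return False


def bioc_office_spawns_script_host(ev: ProcessEvent) -> bool:
    return _basename(ev.parent_image) in OFFICE_APPS and _basename(ev.image) in SCRIPT_HOSTS


def bioc_powershell_encoded_command(ev: ProcessEvent) -> bool:
    return _basename(ev.image) in {"powershell.exe", "pwsh.exe"} and _has_encoded_command(ev.cmdline)


BIOC_RULES = {
    "bioc:office_spawns_script_host": bioc_office_spawns_script_host,
    "bioc:powershell_encoded_command": bioc_powershell_encoded_command,
}


def evaluate(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map each alerting pid to the IOC and BIOC rule names it triggered."""
    alerts: dict[int, list[str]] = {}
    for ev in events:
        hits = match_iocs(ev) + [name for name, rule in BIOC_RULES.items() if rule(ev)]
        if hits:
            alerts[ev.pid] = hits
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample telemetry, one record per scenario.
SAMPLE_EVENTS = [
    # 101: known-bad file by hash and path, launched from Explorer: only static IOCs fire
    ProcessEvent(101, r"C:\Users\Public\update.exe", "ab" * 32, "update.exe", EXPLORER),
    # 102: Word spawning hidden, encoded PowerShell; hash is unknown, so only behavior fires
    ProcessEvent(102, PS, "cd" * 32,
                 "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIACoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 WINWORD),
    # 103: browser contacting a subdomain of a listed domain
    ProcessEvent(103, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ef" * 32,
                 "chrome.exe", EXPLORER, dst_domain="cdn.malicious.example"),
    # 104: ordinary admin PowerShell from Explorer, nothing encoded: no alert
    ProcessEvent(104, PS, "cd" * 32,
                 "powershell.exe -ExecutionPolicy Bypass -Command Get-Date", EXPLORER),
]

if __name__ == "__main__":
    for pid, names in evaluate(SAMPLE_EVENTS).items():
        print(pid, names)
```

Event 102 is the case the text warns about: the attacker's binary has a hash and path no feed has seen, so every IOC rule is silent, while the parent/child relationship and the encoded switch are enough for the behavior rules. Event 104 shows the cost of behavior rules, which is tuning: the rule must be specific enough (Office parent, encoded payload) that routine administration does not alert.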