Create an IOC Rule

There are two options for creating new IOC rules:
  • Configure a single IOC.
  • Upload a file in comma-separated value (CSV) format that contains up to 20,000 IOCs. For example, you can upload multiple file paths and MD5 hashes for one IOC rule. To help you format the upload file in the syntax that Cortex XDR – Investigation and Response accepts, you can download the example file.
  1. From Cortex XDR – Investigation and Response, select Rules > IOC.
  2. Select + Add IOC.
  3. Configure the IOC criteria.
    If, after investigating a threat, you identify a malicious artifact, you can create an alert for that single IOC right away.
    1. Configure the INDICATOR value on which you want to match.
    2. Configure the IOC TYPE. Options are Full Path, File Name, Domain, Destination IP, and MD5 or SHA256 Hash.
    3. Configure the SEVERITY you want to associate with an alert for the IOC: Informational, Low, Medium, or High.
    4. (Optional) Enter a comment that describes the IOC.
    5. Click Create.
    If you want to match on multiple indicators, you can upload the criteria in a CSV file.
    1. Select Upload File.
    2. Drag and drop the CSV file containing the IOC criteria in the drop area of the Upload File dialog or browse to the file.
      Cortex XDR – Investigation and Response supports a file with multiple IOCs in a pre-configured format. For help determining the format syntax, Cortex XDR – Investigation and Response provides an example text file that you can download.
    3. Configure the SEVERITY you want to associate with an alert for the IOCs: Informational, Low, Medium, or High.
    4. Define the DATA FORMAT of the IOCs in the CSV file. Options are Mixed, Full Path, File Name, Domain, Destination IP, and MD5 or SHA256 Hash.
    5. Click Upload.
  4. (Optional) Define any expiration criteria for your IOC rules.
    If desired, you can also configure additional expiration criteria per IOC type that apply to all IOC rules. In most cases, IOC types such as Destination IP or Host Name are considered malicious only for a short period of time: the infrastructure is soon cleaned up and reused by legitimate services, after which the indicator only causes false positives. For these types of IOCs, you can set a short expiration period. The expiration criteria you define for an IOC type apply to all existing rules and to any rules you create in the future.
    1. Select Settings.
    2. Set the expiration for any relevant IOC type. Options are Never, 1 week, 1 month, 3 months, or 6 months.
    3. Click Save.
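The following script is an added example, not code from Cortex XDR or this documentation. It prepares a mixed-type indicator list for the bulk upload described in step 3 (inferring the IOC TYPE of each value, normalising and de-duplicating hashes, rejecting anything that is not a recognised indicator, and enforcing the 20,000-IOC limit) and then applies the per-type expiration settings from step 4 to decide which rules have lapsed. Two things are assumptions rather than facts from the page: the CSV layout written here (one `indicator,type` row per line) must be replaced by the layout in the example file Cortex XDR provides for download, and the one-, three- and six-month expiration options are approximated as 30-, 90- and 180-day windows. The sample indicators are constructed for the example.

```python
"""Prepare an IOC upload file and evaluate per-type expiration.

Added example, not Cortex XDR code. Assumptions: the 'indicator,type' CSV
layout below stands in for the vendor's real example file, and months are
approximated as 30 days when evaluating expiration.
"""
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

MAX_IOCS_PER_UPLOAD = 20_000  # limit stated in the documentation

HASH_TYPE = "MD5 or SHA256 Hash"
IOC_TYPES = ("Full Path", "File Name", "Domain", "Destination IP", HASH_TYPE)

_HEX_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")
_HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
_WIN_PATH = re.compile(r"^[A-Za-z]:\\")
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.IGNORECASE
)
# Extensions treated as file names when the value has no path separator.
# "update.exe" vs "update.com" cannot be told apart syntactically, which is
# why an explicit DATA FORMAT is safer than "Mixed" for ambiguous lists.
_FILE_EXTS = {"exe", "dll", "sys", "ps1", "bat", "cmd", "vbs", "js", "scr",
              "jar", "docm", "xlsm", "lnk", "msi"}


def classify(indicator: str) -> Optional[str]:
    """Infer the IOC TYPE of one indicator for a 'Mixed' upload.
    Returns None when the value matches none of the supported types."""
    value = indicator.strip()
    if not value:
        return None
    if _HEX_MD5.match(value) or _HEX_SHA256.match(value):
        return HASH_TYPE
    try:
        ipaddress.ip_address(value)
        return "Destination IP"
    except ValueError:
        pass
    if _WIN_PATH.match(value) or value.startswith("/"):
        return "Full Path"
    if "/" not in value and "\\" not in value:
        if "." in value and value.rsplit(".", 1)[1].lower() in _FILE_EXTS:
            return "File Name"
        if _DOMAIN.match(value):
            return "Domain"
    return None


def build_upload(indicators: Iterable[str], data_format: str = "Mixed"
                 ) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (csv_text, rejected). Hashes are lower-cased so case variants
    de-duplicate; with an explicit DATA FORMAT every value must be of that type."""
    rows, rejected, seen = [], [], set()
    for raw in indicators:
        value = raw.strip()
        if not value:
            continue
        inferred = classify(value)
        if inferred is None:
            rejected.append((value, "unrecognised indicator"))
            continue
        if inferred == HASH_TYPE:
            value = value.lower()
        if value in seen:
            continue  # duplicate after normalisation
        seen.add(value)
        if data_format != "Mixed" and inferred != data_format:
            rejected.append((value, f"not a {data_format}"))
            continue
        rows.append((value, inferred))
    if len(rows) > MAX_IOCS_PER_UPLOAD:
        raise ValueError(f"{len(rows)} IOCs exceed the {MAX_IOCS_PER_UPLOAD}-per-file limit")
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue(), rejected


# Expiration options from Settings; month lengths approximated (assumption).
EXPIRATION_OPTIONS = {"Never": None, "1 week": timedelta(weeks=1),
                      "1 month": timedelta(days=30), "3 months": timedelta(days=90),
                      "6 months": timedelta(days=180)}


def is_expired(ioc_type: str, created: datetime, per_type_expiration: dict,
               now: datetime) -> bool:
    """True when a rule of ioc_type created at `created` has outlived the
    expiration configured for its type; types without a setting never expire."""
    ttl = EXPIRATION_OPTIONS[per_type_expiration.get(ioc_type, "Never")]
    return ttl is not None and now - created >= ttl


# Constructed sample list: one of each type, a case-variant hash, a duplicate
# IP (198.51.100.0/24 is a documentation range) and one junk line.
SAMPLE_INDICATORS = [
    "0123456789abcdef0123456789abcdef", "0123456789ABCDEF0123456789ABCDEF",
    "198.51.100.23", "198.51.100.23", "C:\\Users\\Public\\dropper.exe",
    "dropper.exe", "c2.example.net", "not an indicator",
]

if __name__ == "__main__":
    text, bad = build_upload(SAMPLE_INDICATORS)
    print(text)
    print("rejected:", bad)
```

Short-lived indicator types (Destination IP, Domain) get a one-week or one-month window in `per_type_expiration`, while hashes are left at `Never`, mirroring the reasoning in step 4: network infrastructure is recycled by legitimate services, a file hash is not.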
