IOC Rule Details
From the Rules > IOC page, you can view all indicators of compromise (IOCs) that were configured in, or uploaded to, the Cortex XDR app. To reduce the number of IOC rules shown, filter the IOC rules table by one or more of its fields. From the same page you can also manage or clone existing rules.
The following table describes, in alphabetical order, the fields that are available for each IOC rule.

| Field | Description |
|---|---|
| # OF HITS | The number of hits (matches) on this indicator. |
| COMMENT | Free-form comments entered when the IOC was created or modified. |
| EXPIRATION DATE | The date and time at which the IOC is removed automatically. |
| INDICATOR | The indicator value itself. For example, if the indicator type is Destination IP, this is an IP address such as 22.214.171.124. |
| INSERTION DATE | The date and time when the IOC was created. |
| MODIFICATION DATE | The date and time when the IOC was last modified. |
| RULE ID | Unique identification number of the rule. |
| SEVERITY | The IOC severity defined when the IOC was created. |
| SOURCE | The user who created this IOC, or the name of the file from which it was uploaded. |
| STATUS | Rule status: Enabled or Disabled. |
| TYPE | Type of indicator: Full path, File name, Host name, Destination IP, or MD5 hash. |
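The fields above are also what a practitioner filters and sanity-checks an IOC list on before uploading it: an indicator that is malformed for its TYPE (a truncated MD5, an IP with an out-of-range octet) never matches anything and silently wastes the rule. The following is an added example, not Cortex XDR code and not its API: it keys a rule list on the table's field names, validates each INDICATOR against its TYPE, treats an empty EXPIRATION DATE as never expiring, and filters by STATUS, TYPE, # OF HITS and expiry. The validation rules, the `_rule` helper and the sample rules are constructed for the example.

```python
"""Pre-upload validation and filtering of IOC rules, keyed on the field names
of the Cortex XDR IOC rules table. Added example: the field names follow the
table; the validation rules and the sample rules below are constructed."""
import ipaddress
import re
from datetime import datetime, timezone

UTC = timezone.utc
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# One or more DNS labels of 1-63 chars, no leading/trailing hyphen, <= 253 total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def validate_indicator(ioc_type, value):
    """Return True if `value` is well-formed for `ioc_type` (the TYPE column)."""
    value = value.strip()
    if not value:
        return False
    if ioc_type == "MD5 hash":
        return MD5_RE.match(value) is not None
    if ioc_type == "Destination IP":
        try:
            ipaddress.ip_address(value)  # accepts IPv4 and IPv6, rejects 203.0.113.256
            return True
        except ValueError:
            return False
    if ioc_type == "Host name":
        return HOSTNAME_RE.match(value) is not None
    if ioc_type == "Full path":
        return value.startswith("/") or WIN_PATH_RE.match(value) is not None
    if ioc_type == "File name":
        return "/" not in value and "\\" not in value
    return False  # unknown TYPE value: reject rather than guess


def is_expired(rule, now):
    """An EXPIRATION DATE of None means the IOC never expires."""
    exp = rule["EXPIRATION DATE"]
    return exp is not None and exp <= now


def filter_rules(rules, now, status=None, ioc_type=None, min_hits=0, include_expired=False):
    """Filter on STATUS, TYPE, # OF HITS and expiry; None means 'any'."""
    out = []
    for r in rules:
        if status is not None and r["STATUS"] != status:
            continue
        if ioc_type is not None and r["TYPE"] != ioc_type:
            continue
        if r["# OF HITS"] < min_hits:
            continue
        if not include_expired and is_expired(r, now):
            continue
        out.append(r)
    return out


def invalid_rules(rules):
    """RULE IDs whose INDICATOR is malformed for its TYPE; fix these before upload."""
    return [r["RULE ID"] for r in rules if not validate_indicator(r["TYPE"], r["INDICATOR"])]


def _rule(rule_id, ioc_type, indicator, status="Enabled", hits=0, expires=None,
          severity="Medium", source="analyst@example.com"):
    # Constructed helper: fills the remaining table fields with fixed sample values.
    created = datetime(2024, 5, 1, tzinfo=UTC)
    return {
        "RULE ID": rule_id, "TYPE": ioc_type, "INDICATOR": indicator, "STATUS": status,
        "# OF HITS": hits, "EXPIRATION DATE": expires, "SEVERITY": severity,
        "SOURCE": source, "COMMENT": "constructed sample", "INSERTION DATE": created,
        "MODIFICATION DATE": created,
    }


NOW = datetime(2024, 6, 1, tzinfo=UTC)  # constructed "current time" for the example

# Constructed sample rules: 203.0.113.0/24 and example.* are reserved documentation values.
SAMPLE_RULES = [
    _rule(1, "MD5 hash", "d41d8cd98f00b204e9800998ecf8427e", hits=3,
          expires=datetime(2024, 12, 31, tzinfo=UTC), severity="High"),
    _rule(2, "Destination IP", "203.0.113.5", expires=datetime(2024, 1, 15, tzinfo=UTC),
          source="threat-feed.csv"),                       # already expired at NOW
    _rule(3, "Host name", "c2.example.net", status="Disabled", hits=12),
    _rule(4, "MD5 hash", "not-a-hash"),                    # malformed for its TYPE
    _rule(5, "Full path", "/tmp/.x/payload"),
]

if __name__ == "__main__":
    print("enabled, unexpired:", [r["RULE ID"] for r in filter_rules(SAMPLE_RULES, NOW, status="Enabled")])
    print("with hits:", [r["RULE ID"] for r in filter_rules(SAMPLE_RULES, NOW, min_hits=1)])
    print("malformed:", invalid_rules(SAMPLE_RULES))
```

Run it to see which rules survive each filter; the malformed MD5 (rule 4) is exactly the kind of entry that would sit in the table with 0 hits forever, and the expired IP (rule 2) is dropped unless `include_expired=True`.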