IOC Rule Details

From the Rules > IOC page, you can view all indicators of compromise (IOCs) that were configured in or uploaded to the XDR app. To narrow down the IOC rules you see, you can create a filter on one or more fields of the IOC rules table. From the IOC page, you can also manage or clone existing rules.
The following table describes the fields that are available for each IOC rule in alphabetical order.
| Field | Description |
|---|---|
| # OF HITS | The number of hits (matches) on this indicator. |
| COMMENT | Free-form comments specified when the IOC was created or modified. |
| EXPIRATION DATE | The date and time at which the IOC will be removed automatically. |
| INDICATOR | The indicator value itself. For example, if the indicator type is a destination IP address, this could be an IP address such as 1.1.1.1. |
| INSERTION DATE | Date and time when the IOC was created. |
| MODIFICATION DATE | Date and time when the IOC was last modified. |
| RULE ID | Unique identification number for the rule. |
| SEVERITY | IOC severity that was defined when the IOC was created. |
| SOURCE | User who created this IOC or the file name from which it was created. |
| STATUS | Rule status: Enabled or Disabled. |
| TYPE | Type of indicator: Full path, File name, Host name, Destination IP, MD5 hash. |
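The fields above are also what you would check before bulk-uploading or auditing an IOC list: an INDICATOR that does not fit its TYPE (a 30-character "MD5 hash", a path in a File name rule) never matches anything, and a rule that is Disabled or past its EXPIRATION DATE is not protecting anyone. The script below is an added example, not code from the Cortex XDR product or its documentation. It assumes each rule is a dict keyed by the column names from the table (TYPE, INDICATOR, STATUS, EXPIRATION DATE, RULE ID), that expiration dates are ISO 8601 strings, and that the per-type validity checks are the script's own rather than the product's; the sample rules are constructed.

```python
"""Sanity-check IOC rule records before uploading them to an IOC list.

Added example, not code from the Cortex XDR product or its documentation.
Assumptions: rules are dicts keyed by the table's column names, expiration
dates are ISO 8601 strings, and the per-type validity rules are our own.
"""
import ipaddress
import re
from datetime import datetime, timezone

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# DNS labels of 1-63 chars each, no leading/trailing hyphen, 253 chars max overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def _is_dest_ip(value):
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        return False


def _is_full_path(value):
    # Assumption: a "Full path" must be absolute, POSIX (/...) or Windows (C:\...).
    return value.startswith("/") or re.match(r"^[A-Za-z]:\\", value) is not None


def _is_file_name(value):
    # A bare file name carries no directory component.
    return bool(value) and "/" not in value and "\\" not in value


# The five indicator types listed in the TYPE row of the table.
VALIDATORS = {
    "Full path": _is_full_path,
    "File name": _is_file_name,
    "Host name": lambda v: HOSTNAME_RE.match(v) is not None,
    "Destination IP": _is_dest_ip,
    "MD5 hash": lambda v: MD5_RE.match(v) is not None,
}


def validate_rule(rule):
    """Return the problems found in one rule; an empty list means it is well-formed."""
    problems = []
    ioc_type = rule.get("TYPE")
    indicator = rule.get("INDICATOR", "")
    validator = VALIDATORS.get(ioc_type)
    if validator is None:
        problems.append(f"unknown TYPE {ioc_type!r}")
    elif not validator(indicator):
        problems.append(f"INDICATOR {indicator!r} is not a valid {ioc_type}")
    if rule.get("STATUS") not in ("Enabled", "Disabled"):
        problems.append(f"STATUS must be Enabled or Disabled, got {rule.get('STATUS')!r}")
    expires = rule.get("EXPIRATION DATE")
    if expires:
        try:
            datetime.fromisoformat(expires)
        except ValueError:
            problems.append(f"EXPIRATION DATE {expires!r} is not an ISO 8601 timestamp")
    return problems


def is_active(rule, now):
    """True when the rule is Enabled and has not passed its EXPIRATION DATE."""
    if rule.get("STATUS") != "Enabled":
        return False
    expires = rule.get("EXPIRATION DATE")
    if not expires:
        return True  # no expiration set: the IOC is never removed automatically
    expiry = datetime.fromisoformat(expires)
    if expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=timezone.utc)  # treat naive timestamps as UTC
    return expiry > now


def triage(rules, now):
    """Split rules into (active, inactive, malformed); malformed holds (rule, problems) pairs."""
    active, inactive, malformed = [], [], []
    for rule in rules:
        problems = validate_rule(rule)
        if problems:
            malformed.append((rule, problems))  # a bad indicator value can never match
        elif is_active(rule, now):
            active.append(rule)
        else:
            inactive.append(rule)
    return active, inactive, malformed


# Constructed sample rules; the MD5 below is the well-known digest of the empty string.
SAMPLE_RULES = [
    {"RULE ID": 1, "TYPE": "Destination IP", "INDICATOR": "1.1.1.1", "STATUS": "Enabled", "EXPIRATION DATE": "2030-01-01T00:00:00+00:00"},
    {"RULE ID": 2, "TYPE": "MD5 hash", "INDICATOR": "d41d8cd98f00b204e9800998ecf8427e", "STATUS": "Enabled", "EXPIRATION DATE": ""},
    {"RULE ID": 3, "TYPE": "MD5 hash", "INDICATOR": "notahash", "STATUS": "Enabled", "EXPIRATION DATE": ""},
    {"RULE ID": 4, "TYPE": "Host name", "INDICATOR": "evil.example.com", "STATUS": "Disabled", "EXPIRATION DATE": ""},
    {"RULE ID": 5, "TYPE": "Full path", "INDICATOR": r"C:\Users\Public\dropper.exe", "STATUS": "Enabled", "EXPIRATION DATE": "2020-01-01T00:00:00+00:00"},
]
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

if __name__ == "__main__":
    active, inactive, malformed = triage(SAMPLE_RULES, SAMPLE_NOW)
    print("active:", [r["RULE ID"] for r in active])
    print("inactive:", [r["RULE ID"] for r in inactive])
    for rule, problems in malformed:
        print("malformed rule", rule["RULE ID"], "->", "; ".join(problems))
```

Run it as-is to see the constructed sample split into active, inactive and malformed rules; to audit a real export, load the rows into the same dict shape and replace `SAMPLE_NOW` with `datetime.now(timezone.utc)`. Malformed rules are deliberately kept out of the active list even when their STATUS is Enabled, since an indicator that cannot match only inflates the rule count without adding coverage.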
