Cortex

XDR

Rules

Behavioral indicators of compromise (BIOCs)
—Identifying threats based on their behaviors can be quite complex. As you identify specific activities (network, process, file, registry, etc) that indicate a threat, you create BIOCs that can alert you when the behavior is detected. If you enable
Cortex
XDR
- Analytics
,
Cortex
XDR
can also raise Analytics BIOCs (ABIOCs). Whenever you create or enable a BIOC rule, the rule begins to monitor the stream of incoming data for any new matches in real-time and analyzes the historical data collected in the
Cortex
XDR
tenant. BIOCs can also be used for prevention in real-time at the
Cortex
XDR
Agent level using a Restriction Profile. See Working with BIOCs.
Indicators of compromise (IOCs)
—Known artifacts that are considered malicious or suspicious. IOCs are static and based on criteria, such as SHA256 hashes, IP addresses and domains, file names, and paths. You create IOC rules based on information that you gather from various threat-intelligence feeds or that you gather as a result of an investigation within
Cortex
XDR
. As soon as you create or enable an IOC rule, the rule begins to monitor the stream of incoming data for any new matches in real-time and analyzes the historical data collected in the
Cortex
XDR
tenant. See Working with IOCs.
Correlations Rules
—Help you analyze correlations of multi-events from multiple sources by using the
Cortex
XDR
XQL-based engine for creating scheduled rules called Correlations Rules. When created, Correlation Rules run based on a time interval, as these rules are configured to run every X min/hours, and on data already in
Cortex
XDR
. See Working with Correlation Rules.