Cortex XDR Rules

When you identify a threat, you can define specific rules for which you want Cortex XDR to raise alerts. You can define the following rules:
  • Behavioral indicators of compromise (BIOCs)
    —Identifying threats based on their behaviors can be quite complex. As you identify specific activities (network, process, file, registry, etc.) that indicate a threat, you create BIOCs that alert you when the behavior is detected. If you enable Cortex XDR - Analytics, Cortex XDR can also raise Analytics BIOCs (ABIOCs). Whenever you create or enable a BIOC rule, the rule begins to monitor the stream of incoming data for new matches in real time and also analyzes the historical data already collected in the Cortex XDR tenant. BIOCs can also be used for real-time prevention at the Cortex XDR agent level using a Restriction Profile. See Working with BIOCs.
  • Indicators of compromise (IOCs)
    —Known artifacts that are considered malicious or suspicious. IOCs are static and based on criteria such as SHA256 hashes, IP addresses and domains, file names, and paths. Because an IOC matches an exact artifact, a recompiled binary or a rotated IP address no longer matches it; BIOCs cover the behavior that such changes do not alter. You create IOC rules based on information that you gather from threat-intelligence feeds or as a result of an investigation within Cortex XDR. As soon as you create or enable an IOC rule, the rule begins to monitor the stream of incoming data for new matches in real time and analyzes the historical data already collected in the Cortex XDR tenant. See Working with IOCs.
  • Correlation Rules
    —Help you correlate multiple events from multiple sources by using the XQL-based engine of Cortex XDR to create scheduled rules called Correlation Rules. Unlike BIOC and IOC rules, Correlation Rules do not evaluate the live stream; they run on a time interval (every X minutes or hours) against data already stored in Cortex XDR. See Working with Correlation Rules.
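To make the difference between the three rule kinds concrete, the following added example runs toy versions of each over a handful of constructed events: an IOC rule that matches exact artifacts (a hash, an IP), a BIOC-style rule that matches a behavior regardless of artifacts (an Office process spawning a script host with an encoded command line), and a correlation rule that needs several events in a time window (repeated failed logons followed by a success). This is illustrative code written for this page, not Cortex XDR's engine or XQL; the event schema, hosts, hashes and IP addresses are all invented.

```python
"""Toy versions of IOC, BIOC-style and correlation rules over constructed events.
Not Cortex XDR code; the event fields and indicators below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (invented hosts and hashes, TEST-NET-2 address).
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "source": "endpoint", "host": "ws-01", "type": "process",
     "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA", "sha256": "aa" * 32},
    {"ts": "2024-05-01T10:00:03", "source": "endpoint", "host": "ws-01", "type": "network",
     "image": "powershell.exe", "dst_ip": "198.51.100.23", "dst_port": 443},
    {"ts": "2024-05-01T10:00:04", "source": "firewall", "host": "ws-01", "type": "network",
     "dst_ip": "198.51.100.23", "dst_port": 443, "action": "allow"},
    {"ts": "2024-05-01T11:30:00", "source": "endpoint", "host": "ws-02", "type": "process",
     "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-Date", "sha256": "bb" * 32},
    {"ts": "2024-05-01T12:00:00", "source": "auth", "host": "srv-01", "type": "logon",
     "user": "svc", "result": "failure"},
    {"ts": "2024-05-01T12:01:00", "source": "auth", "host": "srv-01", "type": "logon",
     "user": "svc", "result": "failure"},
    {"ts": "2024-05-01T12:02:00", "source": "auth", "host": "srv-01", "type": "logon",
     "user": "svc", "result": "failure"},
    {"ts": "2024-05-01T12:03:00", "source": "auth", "host": "srv-01", "type": "logon",
     "user": "svc", "result": "success"},
]

# IOC rule: static indicators matched by exact value (constructed, not real intel).
IOCS = {"sha256": {"aa" * 32}, "ip": {"198.51.100.23"}}


def ioc_matches(event):
    """Return the indicator types this event matches; an empty list means no alert."""
    hits = []
    if event.get("sha256") in IOCS["sha256"]:
        hits.append("sha256")
    if event.get("dst_ip") in IOCS["ip"]:
        hits.append("ip")
    return hits


# BIOC-style rule: a behavior, not an artifact. Hash and IP play no part in it,
# so a recompiled payload or a new C2 address still matches.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def bioc_office_spawns_encoded_script(event):
    return (event.get("type") == "process"
            and event.get("parent", "").lower() in OFFICE
            and event.get("image", "").lower() in SCRIPT_HOSTS
            and " -enc" in event.get("cmdline", "").lower())


def evaluate_stream(event):
    """Per-event evaluation, as a stream rule would do when an event arrives."""
    alerts = [("IOC", kind, event["host"], event["ts"]) for kind in ioc_matches(event)]
    if bioc_office_spawns_encoded_script(event):
        alerts.append(("BIOC", "office_spawns_encoded_script", event["host"], event["ts"]))
    return alerts


def evaluate_history(events):
    """Retroactive pass over stored data: the same rules applied to every past event."""
    return [alert for event in events for alert in evaluate_stream(event)]


def correlate_bruteforce_then_success(events, window=timedelta(minutes=10), threshold=3):
    """Scheduled-style rule over stored data: >= threshold failed logons on a host,
    followed by a success within the window. One alert per host per run."""
    by_host = defaultdict(list)
    for event in events:
        if event.get("source") == "auth" and event.get("type") == "logon":
            by_host[event["host"]].append((datetime.fromisoformat(event["ts"]), event["result"]))
    alerts = []
    for host, logons in by_host.items():
        logons.sort()
        for i, (t, result) in enumerate(logons):
            if result != "success":
                continue
            failures = sum(1 for t2, r in logons[:i] if r == "failure" and t - t2 <= window)
            if failures >= threshold:
                alerts.append(("CORRELATION", "bruteforce_then_success", host, t.isoformat()))
                break
    return alerts


if __name__ == "__main__":
    for alert in evaluate_history(EVENTS) + correlate_bruteforce_then_success(EVENTS):
        print(alert)
```

Run as written, the IOC rule fires three times (the hash on ws-01's process event and the same IP seen by both the endpoint and the firewall), the BIOC fires once on ws-01 and stays silent on ws-02's benign PowerShell, and the correlation rule fires once for srv-01. Raising the correlation threshold to 4 yields no alert, which is the kind of tuning a scheduled rule needs and a per-event rule cannot express.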
After you create an indicator rule, you can Manage Existing Indicators from Cortex XDR.