Cortex XDR Rules

When you identify a threat, you can define specific rules for which you want Cortex® XDR™ to raise alerts. You can define the following rules:
  • Behavioral indicators of compromise (BIOCs)
    —Identifying threats based on their behaviors can be quite complex. As you identify specific network, process, file, or registry activity that indicates a threat, you create BIOCs that alert you when that behavior is detected. See Working with BIOCs. If you enable Cortex XDR - Analytics, Cortex XDR can also raise Analytics BIOCs (ABIOCs).
  • Indicators of compromise (IOCs)
    —Known artifacts that are considered malicious or suspicious. IOCs are static and based on criteria such as SHA256 hashes, IP addresses and domains, file names, and paths. You create IOC rules based on information that you gather from various threat-intelligence feeds or that you gather as a result of an investigation within Cortex XDR. See Working with IOCs.
  • Correlations Rules
    —Help you analyze correlations across multiple events from multiple sources. You use the Cortex XDR XQL-based engine to create scheduled rules, called Correlation Rules, that run these multi-event queries. See Working with Correlation Rules.
After you create an indicator rule, you can Manage Existing Indicators from Cortex XDR.
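To make the difference between the three rule types concrete, the following is an added illustration and is not Cortex XDR code: it evaluates constructed endpoint and network events against a static IOC set (exact-match artifacts such as a hash, an IP address, a domain, and a file path), against two behavioral BIOC-style rules (field patterns on a single process or registry event), and finally against a correlation-style condition that needs hits from separate events on the same host. The event fields, rule format, sample events, and all indicator values (documentation IP range, reserved example domain, placeholder hashes) are assumptions made for the example; the real product expresses correlation rules in XQL, which is not reproduced here.

```python
"""Added example: static IOC matching, behavioral (BIOC-style) matching, and a
multi-event correlation over constructed telemetry. Not Cortex XDR code; all
values and formats below are assumptions for illustration."""
import re
from dataclasses import dataclass

# --- Static indicators (IOC-style): exact-match lookups on known artifacts.
# Every value is a constructed placeholder, not a real indicator.
IOC_RULES = {
    "sha256": {"ab" * 32},                    # placeholder 64-hex-char file hash
    "ip": {"203.0.113.7"},                    # TEST-NET-3 documentation address
    "domain": {"bad.example"},                # reserved example domain
    "file_path": {r"c:\users\public\dropper.exe"},
}

# Which event fields are compared against which indicator type (assumed schema).
IOC_FIELDS = {
    "sha256": ("file_sha256",),
    "ip": ("dst_ip",),
    "domain": ("dst_domain",),
    "file_path": ("file_path", "image_path"),
}


@dataclass(frozen=True)
class BiocRule:
    """Behavioral rule: every regex must match its field on one event."""
    name: str
    event_type: str
    conditions: dict  # field name -> regex pattern


# Two common behavioral detections, written as single-event field patterns.
BIOC_RULES = [
    BiocRule("office_app_spawns_shell", "process", {
        "parent_name": r"(?i)^(winword|excel|powerpnt)\.exe$",
        "image_path": r"(?i)\\(cmd|powershell)\.exe$",
    }),
    BiocRule("run_key_persistence", "registry", {
        "registry_key": r"(?i)\\CurrentVersion\\Run\\",
        "operation": r"^set_value$",
    }),
]


def match_iocs(event):
    """Return (ioc_type, value) pairs whose static value appears in the event."""
    hits = []
    for ioc_type, values in IOC_RULES.items():
        for field in IOC_FIELDS[ioc_type]:
            value = event.get(field)
            if value is not None and value.lower() in values:
                hits.append((ioc_type, value.lower()))
    return hits


def match_biocs(event):
    """Return the names of behavioral rules whose conditions all match the event."""
    hits = []
    for rule in BIOC_RULES:
        if event.get("event_type") != rule.event_type:
            continue
        if all(re.search(pat, event.get(f, "")) for f, pat in rule.conditions.items()):
            hits.append(rule.name)
    return hits


def evaluate(events):
    """Run each event through both rule sets; return alerts keyed by event id."""
    alerts = {}
    for ev in events:
        ioc_hits, bioc_hits = match_iocs(ev), match_biocs(ev)
        if ioc_hits or bioc_hits:
            alerts[ev["id"]] = {"ioc": ioc_hits, "bioc": bioc_hits}
    return alerts


def correlate_by_host(events, alerts):
    """Correlation-style rule: hosts with an IOC hit and a BIOC hit in separate events."""
    per_host = {}
    for ev in events:
        alert = alerts.get(ev["id"])
        if not alert:
            continue
        kinds = per_host.setdefault(ev["host"], set())
        if alert["ioc"]:
            kinds.add("ioc")
        if alert["bioc"]:
            kinds.add("bioc")
    return sorted(h for h, kinds in per_host.items() if kinds == {"ioc", "bioc"})


# Constructed sample telemetry: one network event, two process events, one registry event.
SAMPLE_EVENTS = [
    {"id": 1, "event_type": "network", "host": "ws01",
     "dst_ip": "203.0.113.7", "dst_domain": "bad.example"},
    {"id": 2, "event_type": "process", "host": "ws01", "parent_name": "WINWORD.EXE",
     "image_path": r"C:\Windows\System32\cmd.exe", "file_sha256": "cd" * 32},  # unknown hash
    {"id": 3, "event_type": "registry", "host": "ws02", "operation": "set_value",
     "registry_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"id": 4, "event_type": "process", "host": "ws02", "parent_name": "explorer.exe",
     "image_path": r"C:\Windows\System32\notepad.exe", "file_sha256": "ef" * 32},  # benign
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for event_id, alert in found.items():
        print(event_id, alert)
    print("hosts with correlated IOC+BIOC activity:", correlate_by_host(SAMPLE_EVENTS, found))
```

Event 2 carries a hash that is on no indicator list, so only the behavioral rule fires on it; that is the gap BIOCs close that static IOCs cannot. The correlation step then joins that process alert with the network IOC hit from a different event on the same host, which is the kind of multi-event, multi-source condition the page assigns to Correlation Rules.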