Manage Existing Indicators
From the Cortex XDR management console, you can edit, export, copy, disable, or remove rules, and add rule exceptions for existing indicators. After you create an indicator rule, you can take the actions described in the following sections. For Analytics BIOC rules, you can only disable and enable the rule.
View Alerts Triggered by a Rule
As your IOC and BIOC rules trigger alerts, Cortex XDR displays the total number of hits for each rule in the # OF HITS column on the BIOC or IOC rules page. For rules with a high, medium, or low severity that have raised one or more alerts, you can quickly pivot to a filtered view of the alerts raised by the indicator:
- From Cortex XDR, select Detection & Threat Intel > Detection Rules and the type of rule (BIOC or IOC).
- Right-click anywhere in the rule row, and then select View associated alerts. Cortex XDR displays a filtered query of the alerts associated with the Rule ID.
Use a BIOC Rule as the Basis of a Query
- From Cortex XDR, select Detection & Threat Intel > Detection Rules and the type of rule (BIOC or IOC).
- Right-click anywhere in the rule row, and then select Open in query builder. Cortex XDR populates a query using the criteria of the BIOC rule.
- If desired, add or change the query criteria.
- (Optional) Test your query to see sample results.
- If you are satisfied with the query, Save it. For more information, see Manage Your Queries.
Edit a Rule
After you create a rule, you may need to tweak or change the rule settings. You can open the rule configuration from the Rules page or from the pivot menu of an alert triggered by the rule. To edit the rule from the Rules page:
- From Cortex XDR, select Detection & Threat Intel > Detection Rules and the type of rule (BIOC or IOC).
- Locate the rule you want to edit.
- Right-click anywhere in the rule row and select Edit.
- Edit the rule settings as needed, and then click OK. If you make any changes, Test and then Save the rule.
Export a Rule (BIOC Only)
- From Cortex XDR, select Detection & Threat Intel > Detection Rules > BIOC.
- Select the rules that you want to export.
- Right-click any of the selected rows, and select Export selected. The exported file is not editable, but you can use it as a source to import rules at a later date.
Copy a BIOC Rule
You can use an existing rule as a template to create a new one. Global BIOC rules cannot be deleted or altered, but you can copy a global rule and edit the copy. See Manage Global BIOC Rules.
- From Cortex XDR, select Detection & Threat Intel > Detection Rules > BIOC.
- Locate the rule you want to copy.
- Right-click anywhere in the rule row and then select Save as New to create a duplicate rule.
Disable or Remove a Rule
If you no longer need a rule, you can temporarily disable or permanently remove it. You cannot delete global BIOCs delivered with content updates.
- From Cortex XDR, select Detection & Threat Intel > Detection Rules and the type of rule (BIOC or IOC).
- Locate the rule that you want to change.
- Right-click anywhere in the rule row and then select Remove to permanently delete the rule, or Disable to temporarily stop it. If you disable a rule, you can later return to the rules page and Enable it.
Add a Rule Exception
If you want a rule to take action on specific behaviors but also want to exclude one or more indicators from the rule, you can create a rule exception. An exception indicator can be the SHA256 hash of a process, a process name, a process path, a vendor name, a user name, a causality group owner (CGO) full path, or process command-line arguments. For more information about these indicators, see Rules. For each exception, you also specify the rule scope to which the exception applies.
Cortex XDR only supports exceptions with one attribute. To create advanced exceptions based on your own filtered criteria, see Add an Alert Exclusion Policy.
- From Cortex XDR, select Detection & Threat Intel > Detection Rules > Exceptions.
- Select + New Exception.
- Configure the indicator and conditions for which you want to set the exception.
- Choose the scope of the exception: whether it applies to IOCs, BIOCs, or both.
- Save the exception. By default, activity matching the indicator does not trigger any rule in scope. As an alternative, you can select one or more specific rules. After you save the exception, the Exceptions count for each affected rule increments. If you later edit the rule, you will also see the exception listed in the rule summary.
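It is easy to misjudge which rules an exception actually silences once scope (IOC, BIOC, or both) and an optional list of specific rules are combined. The following is an added example and not Cortex XDR code or its API: a small Python model of the behavior described above, run against constructed sample events and made-up rule IDs (bioc-1, ioc-7, ioc-9). It also rejects an exception that carries more than one attribute, which is the case the page says belongs in an alert exclusion policy instead.

```python
"""Illustrative model of how a Cortex XDR rule exception suppresses hits.

Added example, not Cortex XDR code: it models the documented behaviour
(one attribute per exception, a scope of IOC, BIOC or both, and an
optional list of specific rules) against constructed sample data.
"""
from dataclasses import dataclass

# Indicator attributes the documentation lists as valid for an exception.
EXCEPTION_ATTRIBUTES = frozenset({
    "sha256", "process_name", "process_path", "vendor_name",
    "user_name", "cgo_path", "command_line",
})
SCOPES = frozenset({"IOC", "BIOC", "BOTH"})


@dataclass(frozen=True)
class Rule:
    rule_id: str
    rule_type: str  # "IOC" or "BIOC"


@dataclass(frozen=True)
class RuleException:
    attribute: str
    value: str
    scope: str                         # "IOC", "BIOC" or "BOTH"
    rule_ids: frozenset = frozenset()  # empty = applies to all rules in scope

    def applies_to(self, rule: Rule) -> bool:
        """Scope check first, then the optional list of specific rules."""
        if self.scope != "BOTH" and self.scope != rule.rule_type:
            return False
        return not self.rule_ids or rule.rule_id in self.rule_ids

    def matches(self, event: dict) -> bool:
        return event.get(self.attribute) == self.value


def make_exception(indicators: dict, scope: str, rule_ids=()) -> RuleException:
    """Build an exception from a one-entry indicator mapping.

    A rule exception carries exactly one attribute; criteria that combine
    several attributes belong in an alert exclusion policy, so reject them.
    """
    if len(indicators) != 1:
        raise ValueError("a rule exception supports exactly one attribute; "
                         "use an alert exclusion policy for combined criteria")
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {sorted(SCOPES)}")
    (attribute, value), = indicators.items()
    if attribute not in EXCEPTION_ATTRIBUTES:
        raise ValueError(f"unsupported exception attribute: {attribute}")
    return RuleException(attribute, value, scope, frozenset(rule_ids))


def exception_count(rule: Rule, exceptions) -> int:
    """The number that would appear in the rule's Exceptions column."""
    return sum(1 for exc in exceptions if exc.applies_to(rule))


def count_hits(rule: Rule, events, exceptions) -> int:
    """Events the rule matched that no applicable exception suppresses."""
    return sum(
        1 for event in events
        if not any(exc.applies_to(rule) and exc.matches(event) for exc in exceptions)
    )


# Constructed sample data: rule IDs and telemetry are made up for this example.
RULES = {
    "bioc-1": Rule("bioc-1", "BIOC"),
    "ioc-7": Rule("ioc-7", "IOC"),
    "ioc-9": Rule("ioc-9", "IOC"),
}
SAMPLE_EVENTS = [
    {"process_name": "backup.exe", "user_name": "svc_backup", "sha256": "a" * 64},
    {"process_name": "powershell.exe", "user_name": "jdoe", "sha256": "b" * 64},
    {"process_name": "backup.exe", "user_name": "jdoe", "sha256": "c" * 64},
]
EXCEPTIONS = [
    # Non-specific: suppresses backup.exe for every BIOC rule.
    make_exception({"process_name": "backup.exe"}, "BIOC"),
    # Specific: suppresses user jdoe only for IOC rule ioc-7.
    make_exception({"user_name": "jdoe"}, "IOC", rule_ids=["ioc-7"]),
]


def summary() -> dict:
    """Per-rule (hits, exceptions) after applying EXCEPTIONS to SAMPLE_EVENTS."""
    return {
        rid: (count_hits(rule, SAMPLE_EVENTS, EXCEPTIONS),
              exception_count(rule, EXCEPTIONS))
        for rid, rule in RULES.items()
    }


if __name__ == "__main__":
    for rid, (hits, excs) in summary().items():
        print(f"{rid}: hits={hits} exceptions={excs}")
```

Running the script shows why scope and rule selection both matter: the BIOC-scoped exception never touches the IOC rules, and the exception pinned to ioc-7 leaves ioc-9 with all three hits and an Exceptions count of zero.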
Export a Rule Exception
You can export BIOC rule exceptions.
- From Cortex XDR, select Detection & Threat Intel > Detection Rules > Exceptions.
- In the Exceptions table, locate the exception you want to export. You can select multiple exceptions.
- Right-click and select Export. If one or more of the selected exceptions are applied to a specific BIOC rule, select one of the following options:
- Export anyway
- Export only non-specific Exceptions: export only the exceptions that apply to all BIOC rules.
- Export all Exceptions as non-specific: export rule-specific exceptions as exceptions that apply to all BIOC rules.