Manage Existing Indicators

Edit, export, copy, disable, and remove rules, and add rule exceptions for the Cortex XDR app.

View Alerts Triggered by a Rule

As your IOC and BIOC rules trigger alerts, Cortex XDR displays the total # OF HITS for the rule on the BIOC or IOC rules page. To view the alerts triggered by a rule:
  1. Select RULES and the type of rule (BIOC or IOC).
  2. Right-click anywhere in the rule, and then select View associated alerts.
     Cortex XDR displays a filtered query of alerts associated with the Rule ID.

Edit a Rule

After you create a rule, it may be necessary to tweak or change the rule settings. You can open the rule configuration from the Rules page or from the pivot menu of an alert triggered by the rule. To edit the rule from the Rules page:
  1. Select RULES and the type of rule (BIOC or IOC).
  2. Locate the rule you want to edit.
  3. Right-click anywhere in the rule and select Edit.
  4. Edit the rule settings as needed, and then click OK.
     If you make any changes, Test and then Save the rule.

Export a Rule (BIOC Only)

  1. Select RULES, then BIOC.
  2. Select the rules that you want to export.
  3. Right-click any of the rows, and select Export selected.
     The exported file is not editable; however, you can use it as a source to import rules at a later date.

Copy a Rule

You can use an existing rule as a template to create a new one. Global BIOC rules cannot be deleted or altered, but you can copy a global rule and edit the copy. See Manage Global BIOC Rules.
  1. Select RULES and the type of rule (BIOC or IOC).
  2. Locate the rule you want to copy.
  3. Right-click anywhere in the rule row and then select Copy to create a duplicate rule.

Disable or Remove a Rule

If you no longer need a rule, you can temporarily disable it or permanently remove it.
You cannot delete global BIOCs delivered with content updates.
  1. Select RULES and the type of rule (BIOC or IOC).
  2. Locate the rule that you want to change.
  3. Right-click anywhere in the rule row and then select Remove to permanently delete the rule, or Disable to temporarily stop the rule. If you disable a rule, you can later return to the Rules page to Enable it.

Add a Rule Exception

If you want to create a rule that takes action on specific behaviors but also want to exclude one or more indicators from the rule, you can create a rule exception. An indicator can be the SHA256 hash of a process, a process name, a process path, a vendor name, a user name, a causality group owner (CGO) full path, or process command-line arguments. For more information about these indicators, see Cortex XDR Indicators. For each exception, you also specify the rule scope to which the exception applies.
Cortex XDR only supports exceptions with one attribute. See Add an Alert Exclusion Policy to create advanced exceptions based on your filtered criteria.
  1. From Cortex XDR, select Rules, then Rule Exceptions.
  2. Select + New Exception.
  3. Configure the indicators and conditions for which you want to set the exception.
  4. Choose the scope of the exception: whether it applies to IOCs, BIOCs, or both.
  5. Save the exception.
     By default, activity matching the indicators does not trigger any rule. As an alternative, you can select one or more rules to which the exception applies. After you save the exception, the Exceptions count for the rule increments. If you later edit the rule, you will also see the exception defined in the rule summary.
