Create an IOC Rule

Upload or configure the criteria for IOC rules.
There are two options for creating new IOC rules:
  • Configure a single IOC.
  • Upload a file, one IOC per line, that contains up to 20,000 IOCs. For example, you can upload multiple file paths and MD5 hashes for an IOC rule. To help you format the upload file in the syntax that Cortex XDR will accept, you can download the example file.
If you have a Cortex XDR Pro per Endpoint license, you can upload IOCs using REST APIs in either CSV or JSON format.
  1. From Cortex XDR, select Rules > IOC.
  2. Select + Add IOC.
  3. Configure the IOC criteria.
    If, after investigating a threat, you identify a malicious artifact, you can create an alert for the Single IOC right away.
    1. Configure the INDICATOR value on which you want to match.
    2. Configure the IOC TYPE. Options are Full Path, File Name, Domain, Destination IP, and MD5 or SHA256 Hash.
    3. Configure the SEVERITY you want to associate with an alert for the IOC: Informational, Low, Medium, or High.
    4. (Optional) Enter a comment that describes the IOC.
    5. (Optional) Enter the IOC's REPUTATION.
    6. (Optional) Enter the IOC's RELIABILITY.
    7. (Optional) Enter an EXPIRATION for the IOC.
    8. Click Create.
    If you want to match on multiple indicators, you can upload the criteria in a CSV file.
    1. Select Upload File.
    2. Drag and drop the CSV file containing the IOC criteria into the drop area of the Upload File dialog, or browse to the file.
      Cortex XDR supports a file with multiple IOCs in a pre-configured format. For help determining the format syntax, Cortex XDR provides an example text file that you can download.
    3. Configure the SEVERITY you want to associate with an alert for the IOCs: Informational, Low, Medium, or High.
    4. Define the DATA FORMAT of the IOCs in the CSV file. Options are Mixed, Full Path, File Name, Domain, Destination IP, and MD5 or SHA256 Hash.
    5. Click Upload.
  4. (Optional) Define any expiration criteria for your IOC rules.
    You can also configure expiration criteria per IOC type that apply to all IOC rules. In most cases, IOC types such as Destination IP or Host Name are malicious only for a short time: the infrastructure is soon cleaned up and reused by legitimate services, after which matching on it produces only false positives. For these IOC types, set a short expiration period. The expiration criteria you define for an IOC type apply to all existing rules and to any rules you create in the future.
    1. Select Settings.
    2. Set the expiration for any relevant IOC type. Options are Never, 1 week, 1 month, 3 months, or 6 months.
    3. Click Save.
