Create an IOC Rule
Upload or configure IOC rules criteria.
There are two options for creating new IOC rules:
- Configure a single IOC.
- Upload a file, one IOC per line, that contains up to 20,000 IOCs. For example, you can upload multiple file paths and MD5 hashes for an IOC rule. To help you format the upload file in the syntax that Cortex XDR will accept, you can download the example file.
- From Cortex XDR, select Rules > IOC.
- Select + Add IOC.
- Configure the IOC criteria. If, after investigating a threat, you identify a malicious artifact, you can create an alert for that Single IOC right away. If you want to match on multiple indicators, upload the criteria in a CSV file instead (Upload File).
  - Configure the INDICATOR value on which you want to match.
  - Configure the IOC TYPE. Options are Full Path, File Name, Domain, Destination IP, and MD5 or SHA256 Hash.
  - Configure the SEVERITY you want to associate with an alert for the IOC: Informational, Low, Medium, or High.
  - (Optional) Enter a comment that describes the IOC.
  - (Optional) Enter the IOC's REPUTATION.
  - (Optional) Enter the IOC's RELIABILITY.
  - (Optional) Enter an EXPIRATION for the IOC.
- Select Upload File.
  - Drag and drop the CSV file containing the IOC criteria into the drop area of the Upload File dialog, or browse to the file. Cortex XDR supports a file with multiple IOCs in a pre-configured format. For help determining the format syntax, Cortex XDR provides an example text file that you can download.
  - Configure the SEVERITY you want to associate with an alert for the IOCs: Informational, Low, Medium, or High.
  - Define the DATA FORMAT of the IOCs in the CSV file. Options are Mixed, Full Path, File Name, Domain, Destination IP, and MD5 or SHA256 Hash.
  - (Optional) Define any expiration criteria for your IOC rules. You can also configure additional expiration criteria per IOC type that apply to all IOC rules. In most cases, IOC types such as Destination IP or Host Name are malicious only for a short period: the infrastructure is soon cleaned up or reassigned to legitimate services, after which the indicator only produces false positives. For these types, set a short expiration period. The expiration criteria you define for an IOC type apply to all existing rules and to any rules you create in the future.
  - Set the expiration for any relevant IOC type. Options are Never, 1 week, 1 month, 3 months, or 6 months.
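Before uploading a file of multiple IOCs, it is worth checking that every line classifies as exactly one of the IOC types the dialog offers, that duplicates are removed, that the set stays within the 20,000-IOC limit, and whether all indicators share one type (so a specific DATA FORMAT can be chosen) or the file must be uploaded as Mixed. The following Python script is an added example written for this page; it is not Cortex XDR code and does not reproduce the exact upload syntax, which is given by the example file you can download from the Upload File dialog. The classification heuristics (the EXECUTABLE_EXTS list used to tell a bare file name such as dropper.exe from a domain, the forbidden-character rule for file names) and the SAMPLE_LINES input are assumptions constructed for the example.

```python
import ipaddress
import re

# Upload limit stated in the Cortex XDR documentation: one IOC per line, at most 20,000.
MAX_IOCS = 20000

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Hostname: dot-separated labels of letters, digits and hyphens, with an alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-zA-Z0-9-]{1,63}(?<!-)\.)+[a-zA-Z]{2,63}$")
# Absolute path: Windows drive letter, UNC prefix, or POSIX root.
FULL_PATH_RE = re.compile(r"^([a-zA-Z]:\\|\\\\|/).+")
# Bare names ending in these extensions are treated as File Name rather than Domain.
# Hypothetical disambiguation list chosen for this example, not a Cortex XDR rule.
EXECUTABLE_EXTS = {"exe", "dll", "sys", "scr", "ps1", "bat", "cmd", "vbs", "jar", "msi", "lnk", "hta"}
# Characters that cannot appear in a Windows file name.
FILE_NAME_FORBIDDEN = set('<>:"/\\|?*')

# Constructed sample input, not real threat intelligence.
SAMPLE_LINES = [
    "# constructed sample, not real threat intel",
    "d41d8cd98f00b204e9800998ecf8427e",
    "D41D8CD98F00B204E9800998ECF8427E",  # duplicate of the line above, different case
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "203.0.113.7",
    "malware-c2.example.net",
    r"C:\Users\Public\dropper.exe",
    "dropper.exe",
    "not a valid indicator??",
]


def classify_ioc(value: str) -> str:
    """Return the IOC TYPE that an indicator string most plausibly belongs to.

    Type names follow the Add IOC dialog: 'Hash' (MD5 or SHA256), 'Destination IP',
    'Domain', 'Full Path' and 'File Name'. Raises ValueError for anything else.
    """
    v = value.strip()
    if not v:
        raise ValueError("empty indicator")
    if MD5_RE.match(v) or SHA256_RE.match(v):
        return "Hash"
    try:
        ipaddress.ip_address(v)
        return "Destination IP"
    except ValueError:
        pass
    has_separator = "/" in v or "\\" in v
    # A bare name with an executable extension is a file name, even though
    # 'dropper.exe' also satisfies the hostname grammar.
    if not has_separator and v.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTS:
        return "File Name"
    if DOMAIN_RE.match(v):
        return "Domain"
    if FULL_PATH_RE.match(v):
        return "Full Path"
    if not any(c in FILE_NAME_FORBIDDEN or ord(c) < 32 for c in v):
        return "File Name"
    raise ValueError(f"unrecognised indicator: {value!r}")


def prepare_upload(lines, max_iocs=MAX_IOCS):
    """Normalise raw indicator lines into the set to upload.

    Returns (iocs, data_format, rejects):
      iocs        - stripped, de-duplicated indicators in first-seen order
      data_format - the common IOC type when all indicators share one, else 'Mixed'
      rejects     - (line_number, value, reason) for lines that fit no type
    Raises ValueError when more than max_iocs indicators would be uploaded.
    """
    iocs, seen, types, rejects = [], set(), set(), []
    for n, raw in enumerate(lines, 1):
        v = raw.strip()
        if not v or v.startswith("#"):  # skip blanks and comment lines in the source list
            continue
        try:
            t = classify_ioc(v)
        except ValueError as e:
            rejects.append((n, v, str(e)))
            continue
        # Hashes and domains are case-insensitive; paths and file names are kept as written.
        key = (t, v.lower()) if t in ("Hash", "Domain") else (t, v)
        if key in seen:
            continue
        seen.add(key)
        iocs.append(v)
        types.add(t)
    if len(iocs) > max_iocs:
        raise ValueError(f"{len(iocs)} IOCs exceed the upload limit of {max_iocs}")
    data_format = next(iter(types)) if len(types) == 1 else "Mixed"
    return iocs, data_format, rejects


def to_upload_text(iocs):
    """Serialise the accepted indicators one per line, as the upload expects."""
    return "".join(f"{i}\n" for i in iocs)


if __name__ == "__main__":
    accepted, fmt, bad = prepare_upload(SAMPLE_LINES)
    print(f"DATA FORMAT: {fmt}; {len(accepted)} IOCs accepted, {len(bad)} rejected")
    for n, v, why in bad:
        print(f"  line {n}: {why}")
    print(to_upload_text(accepted), end="")
```

Run against the sample, the script accepts six indicators, drops the case-variant duplicate hash, rejects the malformed line, and reports the set as Mixed because it spans several types. Names such as update.com are inherently ambiguous between a domain and a DOS executable; when the guess matters, put such indicators in their own file and choose an explicit DATA FORMAT so the intended type is stated rather than left to interpretation.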