From the Cortex® XDR™ management console, you can upload
or configure indicator of compromise (IOC) rules criteria.
There are two options for creating new indicator
of compromise (IOC) rules:
Configure a single IOC.
Upload a file, one IOC per line, that contains up to 20,000
IOCs. For example, you can upload multiple file paths and MD5 hashes
for an IOC rule. To help you format the upload file in the syntax
that Cortex XDR will accept, you can download the example file.
If you have a Cortex XDR Pro per Endpoint license, you can also upload IOCs
through the REST API, in either CSV or JSON format.
To ensure your IOC rules raise alerts efficiently
and do not overcrowd your Alerts table, Cortex XDR automatically:
Disables any IOC rules that reach 5000 or more hits over
a 24 hour period.
Creates a Rule Exception based on the PROCESS SHA256 field
for IOC rules that hit more than 100 endpoints over a 72 hour period.
From Cortex XDR, select + Add IOC.
Configure the IOC criteria.
If, while investigating a threat, you identify a malicious artifact, you can
create an alert for the
Configure any expiration criteria for your IOC rules.
If desired, you can also configure additional expiration
criteria per IOC type that apply to all IOC rules. In most cases,
IOC types such as Destination IP or Host Name are malicious
only for a short period: the infrastructure is soon cleaned up and
reused by legitimate services, after which the indicator only produces
false positives. For these IOC types you can set a defined
expiration period. The expiration criteria you define for an IOC
type apply to all existing rules and to any rules you
create in the future. By default, Cortex XDR does not set
an expiration date on IOCs.
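The three mechanics above (the one-IOC-per-line upload with its 20,000 limit, the automatic disable at 5,000 hits in 24 hours and the PROCESS SHA256 exception at more than 100 endpoints in 72 hours, and per-type expiration) worked through in one script. This is an added example, not Cortex XDR code or its upload format: the regex type classifiers, the 14- and 30-day expiration values, the sample upload file and hit records are all constructed for the example, and keying the endpoint exception on (rule, PROCESS SHA256) is this example's reading of the text.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MAX_IOCS_PER_UPLOAD = 20_000       # documented upload limit
DISABLE_HITS_PER_24H = 5000        # documented: rule disabled at 5000+ hits in 24 h
EXCEPTION_ENDPOINTS_PER_72H = 100  # documented: exception when >100 endpoints in 72 h

# Hypothetical classifiers: the product determines IOC type itself; these
# only let the example sort a plain one-IOC-per-line file (assumed layout).
_PATTERNS = [
    ("MD5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("SHA256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("IP", re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")),
    ("PATH", re.compile(r"^(?:[A-Za-z]:\\|/)\S+$")),
    ("HOSTNAME", re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]

def classify(value):
    """Return the IOC type for one line, or None if it matches no known shape."""
    for name, pat in _PATTERNS:
        if pat.match(value):
            return name
    return None

def validate_upload(text):
    """Parse a one-IOC-per-line upload file (assumed format).
    Returns (accepted [(type, value)], rejected [(line_no, value, reason)])."""
    accepted, rejected, seen = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        value = raw.strip()
        if not value or value.startswith("#"):
            continue  # blank lines and comments are skipped
        if value in seen:
            rejected.append((n, value, "duplicate")); continue
        kind = classify(value)
        if kind is None:
            rejected.append((n, value, "unrecognized IOC format")); continue
        if len(accepted) >= MAX_IOCS_PER_UPLOAD:
            rejected.append((n, value, "over 20,000 IOC limit")); continue
        seen.add(value)
        accepted.append((kind, value))
    return accepted, rejected

# Per-type expiration in days. The product default is no expiration; these
# values are assumptions that illustrate short-lived network IOCs.
EXPIRATION_DAYS = {"IP": 14, "HOSTNAME": 30}

def expires_at(kind, created):
    """Expiry timestamp for a rule of this type, or None when it never expires."""
    days = EXPIRATION_DAYS.get(kind)
    return None if days is None else created + timedelta(days=days)

def auto_tune(hits, now):
    """Apply the two documented thresholds to hit records.
    hits: iterable of (rule_id, endpoint_id, process_sha256, timestamp).
    Returns (set of disabled rule_ids, set of (rule_id, sha256) exceptions)."""
    hits_24h = defaultdict(int)
    endpoints_72h = defaultdict(set)
    for rule_id, endpoint, sha256, ts in hits:
        age = now - ts
        if age < timedelta(hours=24):
            hits_24h[rule_id] += 1
        if age < timedelta(hours=72):
            endpoints_72h[(rule_id, sha256)].add(endpoint)
    disabled = {r for r, c in hits_24h.items() if c >= DISABLE_HITS_PER_24H}
    exceptions = {k for k, eps in endpoints_72h.items()
                  if len(eps) > EXCEPTION_ENDPOINTS_PER_72H}
    return disabled, exceptions

# Constructed sample upload: one IOC per line, with one junk line and one duplicate.
SAMPLE_UPLOAD = """# constructed sample upload file
44d88612fea8a8f36de82e1278abb02f
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
198.51.100.23
updates.example.net
C:\\Users\\Public\\loader.exe
/tmp/.x/payload
not an ioc
198.51.100.23
"""

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

def sample_hits():
    """Constructed hit records: rule 'noisy' fires 5000 times within 24 h from
    10 endpoints; rule 'wide' fires from 101 endpoints on one SHA256 within
    72 h; rule 'stale' had a large burst five days ago that must not count."""
    sha = "a" * 64
    hits = [("noisy", f"ep{i % 10}", sha, NOW - timedelta(minutes=i % 1400)) for i in range(5000)]
    hits += [("wide", f"host{i}", sha, NOW - timedelta(hours=i % 70)) for i in range(101)]
    hits += [("stale", "ep0", sha, NOW - timedelta(days=5)) for _ in range(6000)]
    return hits

if __name__ == "__main__":
    accepted, rejected = validate_upload(SAMPLE_UPLOAD)
    for kind, value in accepted:
        print(f"{kind:8} {value}  expires={expires_at(kind, NOW)}")
    print("rejected:", rejected)
    print("auto-tune:", auto_tune(sample_hits(), NOW))
```

Running it shows the two hash IOCs and both paths accepted with no expiry, the IP and host name accepted with expiry dates, the junk line and the duplicate rejected, rule noisy disabled, and a single exception for rule wide on the shared SHA256. The stale burst is ignored by both windows, which is the point of evaluating the thresholds against a sliding 24- and 72-hour window rather than a lifetime count.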
Default Rule Expiration
Set the expiration for any relevant IOC type. Options