IOC Rule Details

Manage all indicators of compromise (IOCs) configured from or uploaded to the Cortex XDR app.

From the IOC page under Rules, you can view all indicators of compromise (IOCs) configured from or uploaded to the Cortex XDR app. To narrow the list of IOC rules shown, filter by one or more fields in the IOC rules table. From the IOC page, you can also manage or clone existing rules.
The following list describes each field that is available for an IOC rule, in alphabetical order.

# OF HITS: The number of hits (matches) on this indicator.

CLASS: The IOC's class. For example, 'Malware'.

COMMENT: Free-form comments specified when the IOC was created or modified.

EXPIRATION DATE: The date and time at which the IOC will be removed automatically.

INDICATOR: The indicator value itself. For example, if the indicator type is a destination IP address, this could be an IP address such as 1.1.1.1.

INSERTION DATE: Date and time when the IOC was created.

MODIFICATION DATE: Date and time when the IOC was last modified.

RELIABILITY: The indicator's reliability level:
  • A - Completely Reliable
  • B - Usually Reliable
  • C - Fairly Reliable
  • D - Not Usually Reliable
  • E - Unreliable

REPUTATION: The indicator's reputation level. One of Unknown, Good, Bad, or Suspicious.

RULE ID: Unique identification number for the rule.

SEVERITY: IOC severity that was defined when the IOC was created.

SOURCE: User who created this IOC, or the file name from which it was created, or one of the following keywords:

STATUS: Rule status: Enabled or Disabled.

TYPE: Type of indicator: Full path, File name, Host name, Destination IP, MD5 hash.

VENDORS: A list of threat intelligence vendors from which this IOC was obtained.
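A pre-upload sanity check for IOC rows built from the field definitions above, as an added example that is not part of the Cortex XDR documentation or product: it verifies that INDICATOR is well formed for its TYPE, that RELIABILITY and REPUTATION use the listed values, and that EXPIRATION DATE is not already in the past. The row layout (a dict keyed by the field names) and the sample rows are assumptions made for this example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Allowed values as listed in the field descriptions on this page.
IOC_TYPES = {"Full path", "File name", "Host name", "Destination IP", "MD5 hash"}
RELIABILITY = {"A", "B", "C", "D", "E"}
REPUTATION = {"Unknown", "Good", "Bad", "Suspicious"}
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def indicator_error(ioc_type, value):
    """Check that INDICATOR is well formed for its TYPE; return a message or None."""
    if ioc_type == "MD5 hash" and not MD5_RE.match(value):
        return f"not a 32-hex-digit MD5: {value!r}"
    if ioc_type == "Destination IP":
        try:
            ipaddress.ip_address(value)  # accepts IPv4 or IPv6, rejects junk
        except ValueError:
            return f"not a valid IP address: {value!r}"
    if ioc_type == "Host name":
        labels = value.rstrip(".").split(".")
        if len(value) > 253 or not all(LABEL_RE.match(lbl) for lbl in labels):
            return f"not a valid host name: {value!r}"
    return None


def validate_ioc(row, now=None):
    """Return the list of problems found in one IOC row (empty list = acceptable)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if row.get("TYPE") not in IOC_TYPES:
        problems.append(f"unknown TYPE {row.get('TYPE')!r}")
    else:
        err = indicator_error(row["TYPE"], str(row.get("INDICATOR", "")))
        if err:
            problems.append(err)
    if row.get("RELIABILITY") not in RELIABILITY:
        problems.append(f"RELIABILITY must be A-E, got {row.get('RELIABILITY')!r}")
    if row.get("REPUTATION") not in REPUTATION:
        problems.append(f"unknown REPUTATION {row.get('REPUTATION')!r}")
    exp = row.get("EXPIRATION DATE")  # a timezone-aware datetime, if present
    if exp is not None and exp <= now:
        problems.append("EXPIRATION DATE is already in the past; rule would be removed")
    return problems


# Constructed sample rows (not real indicators); the MD5 is the hash of the empty string.
GOOD_ROW = {"TYPE": "MD5 hash", "INDICATOR": "d41d8cd98f00b204e9800998ecf8427e",
            "RELIABILITY": "A", "REPUTATION": "Bad"}
BAD_ROW = {"TYPE": "MD5 hash", "INDICATOR": "notahash", "RELIABILITY": "F", "REPUTATION": "Good"}
```

Run `validate_ioc` over every row of a CSV before uploading it; a row with a non-empty problem list is the one that would otherwise create a rule that never matches or expires immediately.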
