What's an IOC? - Indicators of compromise (IOCs) alert you about known malicious objects on your endpoints. - Administrator Guide - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-10
Category: Administrator Guide
Abstract

Indicators of compromise (IOCs) alert you about known malicious objects on your endpoints.

Indicators of compromise (IOCs) enable Cortex Cloud to generate issues about known malicious objects on endpoints across the organization. You can load collections of IOCs from threat-intelligence sources into Cortex Cloud or define them individually.

Note

Cortex Cloud supports a maximum of 4,000,000 IOCs.

You can define the following types of IOCs:

  • Full path

  • File name

  • Domain

  • Destination IP address

  • MD5 hash

  • SHA256 hash

After you load or define IOCs, the tenant checks for matches in the xdr_data dataset, which contains all the information collected about the endpoints and the network. Cortex Cloud looks for IOC matches in all previously collected data and continues to evaluate new data as it arrives.

Issues raised for IOC matches are labeled by the source type of the IOC that matched.
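To show what matching the six IOC types against endpoint telemetry involves, here is a small matcher added as an example; it is not Cortex Cloud code. It assumes a per-event dict with constructed field names (file_path, dns_query, dst_ip, file_md5, file_sha256), not the real xdr_data schema, and it normalizes each indicator type (hash case, trailing DNS dot, path separators) before comparing, enforces the documented 4,000,000 IOC limit, and can be run over a historical batch and then over each new batch.

```python
import os
import re
from collections import defaultdict
MAX_IOCS = 4_000_000  # documented per-tenant limit
# Event field each IOC type is matched against (assumed names for this example,
# not the real xdr_data schema).
IOC_FIELDS = {"full_path": "file_path", "file_name": "file_path", "domain": "dns_query",
              "destination_ip": "dst_ip", "md5": "file_md5", "sha256": "file_sha256"}
HEX_LEN = {"md5": 32, "sha256": 64}

def normalize(ioc_type, value):
    """Canonicalise indicator and telemetry values so they compare reliably."""
    v = str(value).strip().lower()           # hashes, DNS names, Windows paths: case-insensitive
    if ioc_type in HEX_LEN:
        if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[ioc_type], v):
            raise ValueError(f"not a valid {ioc_type} hex digest: {value!r}")
        return v
    if ioc_type == "domain":
        return v.rstrip(".")                 # drop the trailing dot of an FQDN
    if ioc_type == "file_name":
        return os.path.basename(v.replace("\\", "/"))
    if ioc_type == "full_path":
        return v.replace("\\", "/")          # one separator style for both OSes
    return v                                 # destination_ip: compare as given

class IocMatcher:
    def __init__(self):
        self.iocs = defaultdict(dict)        # type -> normalized value -> source

    def add(self, ioc_type, value, source):
        if ioc_type not in IOC_FIELDS:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
        if sum(len(d) for d in self.iocs.values()) >= MAX_IOCS:
            raise OverflowError("tenant IOC limit reached")
        self.iocs[ioc_type][normalize(ioc_type, value)] = source

    def scan(self, events):
        # Run once over historical events, then again on every new batch.
        hits = []
        for ev in events:
            for ioc_type, field in IOC_FIELDS.items():
                try:
                    key = normalize(ioc_type, ev[field])
                except (KeyError, ValueError):
                    continue                 # field absent or malformed value
                src = self.iocs[ioc_type].get(key)
                if src is not None:
                    hits.append((ev["event_id"], ioc_type, key, src))
        return hits
```

Each hit carries the source the indicator came from, which is the label an issue would be grouped under.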