From the Cortex XDR management console, you can upload or configure indicator of compromise (IOC) rules criteria.
Notice
Adding IOC rules requires a Cortex XDR Pro license.
Create new indicator of compromise (IOC) rules and optionally define rule expiration for all IOC rules. You can create an IOC rule either by configuring a single one or by uploading a file that contains multiple IOCs.
Note
To ensure your IOC rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR automatically does the following:
Disables any IOC rules that reach 5000 or more hits over a 24-hour period.
Creates a rule exception based on the PROCESS SHA256 field for IOC rules that hit more than 100 endpoints over a 72-hour period.
Select + Add IOC.
Configure the IOC criteria.
(Optional) Define any expiration criteria for your IOC rules.
You can also configure additional expiration criteria per IOC type to apply to all IOC rules of that type. In most cases, IOC types like Destination IP or Host Name are considered malicious only for a short period of time: the address or name is soon cleaned up and reused by legitimate services, after which the rule only causes false positives. For these types of IOCs, you can set a defined expiration period. The expiration criteria you define for an IOC type apply to all existing rules and to any rules that you create in the future. By default, Cortex XDR does not apply an expiration date to IOCs.
Select Default Rule Expiration.
Set the expiration for any relevant IOC type. Options are Never, 7 days, 30 days, 90 days, or 180 days.
Click Save.
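As an added illustration, not Cortex XDR's own code or documentation, the following Python models the per-type expiration and the two automatic safeguards described above (disable at 5000 hits in 24 hours, exception at more than 100 endpoints in 72 hours) over constructed IOC records and hit logs. The 30-day expiration values, the hit-record layout and the reading of the SHA256 exception as "except the process hashes seen in the window" are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Per-type expiration (days); None models "Never". 30 days is an assumed policy choice.
EXPIRATION_DAYS = {"Destination IP": 30, "Host Name": 30, "Hash": None}

# Automatic safeguards described in the documentation above.
DISABLE_HITS, DISABLE_WINDOW = 5000, timedelta(hours=24)
EXCEPTION_ENDPOINTS, EXCEPTION_WINDOW = 100, timedelta(hours=72)

@dataclass
class IocRule:
    ioc_type: str
    value: str
    created: datetime
    hits: list = field(default_factory=list)  # (timestamp, endpoint id, process SHA256)

def is_expired(rule, now, policy=EXPIRATION_DAYS):
    """True once the per-type expiration period has elapsed since creation."""
    days = policy.get(rule.ioc_type)
    return days is not None and now - rule.created >= timedelta(days=days)

def evaluate(rule, now, policy=EXPIRATION_DAYS):
    """Return (state, SHA256 exceptions): expiration first, then the
    5000-hits/24h disable rule, then the 100-endpoints/72h exception rule."""
    if is_expired(rule, now, policy):
        return "expired", set()
    if sum(1 for t, _, _ in rule.hits if now - t <= DISABLE_WINDOW) >= DISABLE_HITS:
        return "disabled", set()
    window = [h for h in rule.hits if now - h[0] <= EXCEPTION_WINDOW]
    if len({ep for _, ep, _ in window}) > EXCEPTION_ENDPOINTS:
        # Assumed reading of "exception based on PROCESS SHA256": except the
        # process hashes observed in the window so the rule stays usable.
        return "active", {sha for _, _, sha in window}
    return "active", set()

NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE = {  # constructed rules and hit records, not real indicators
    "stale_ip": IocRule("Destination IP", "203.0.113.7", NOW - timedelta(days=45)),
    "noisy_hash": IocRule("Hash", "h1", NOW - timedelta(days=2),
                          [(NOW - timedelta(seconds=i), "ep-1", "p1") for i in range(5000)]),
    "widespread": IocRule("Hash", "h2", NOW - timedelta(days=2),
                          [(NOW - timedelta(hours=i % 70), f"ep-{i}", "p2") for i in range(101)]),
    "quiet": IocRule("Host Name", "c2.example", NOW - timedelta(days=3),
                     [(NOW - timedelta(hours=1), "ep-9", "p3")]),
}

def evaluate_all(rules=SAMPLE, now=NOW):
    return {name: evaluate(rule, now) for name, rule in rules.items()}
```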