Cortex XDR uses rules to detect threats and raise alerts.
Danger: Adding threat detection rules requires a Cortex XDR Pro license.
Cortex XDR uses rules to detect the threats in your network and to raise alerts. You can add specific detection rules for which you want Cortex XDR to raise alerts. The following are the different types of rules available:
Indicators of compromise (IOCs): IOCs alert on known artifacts that are considered malicious or suspicious. IOCs are static and simple, matching criteria such as SHA256 hashes, IP addresses and domains, file names, and paths. You create IOC rules from information you gather from threat-intelligence feeds or from an investigation within Cortex XDR. For example, if you learn that a certain ransomware uses a certain file hash, you can add that hash as an IOC and receive an alert whenever it is detected.
Behavioral indicators of compromise (BIOCs): BIOCs detect suspicious behavior rather than a fixed artifact. As you identify specific activities (network, process, file, registry, etc.) that indicate a threat, you create BIOCs that alert you when that behavior is detected. If you enable Cortex XDR Analytics, Cortex XDR can use Analytics BIOCs (ABIOCs) to establish baseline behavior and detect deviations from it.
Correlation Rules: Correlation rules let you analyze the relationship between multiple events from multiple sources, using the engine based on the Cortex Query Language (XQL).
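To make the IOC versus BIOC distinction concrete, here is an added example that is not Cortex XDR code and does not use its rule syntax or event schema: it applies a static IOC list and one behavioral rule to three constructed process events, showing that a renamed and recompiled sample slips past the IOC match but still trips the behavioral rule. The event fields, indicator values and rule names are all assumed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:  # constructed field set, not the Cortex XDR event schema
    process_name: str
    sha256: str
    parent_name: str
    remote_ip: str = ""

# IOC rules: static artifacts gathered from threat intel or an investigation.
# Every indicator value below is a constructed placeholder.
IOC_RULES = {
    "sha256": {"a" * 64},
    "ip": {"203.0.113.42"},      # RFC 5737 documentation range
    "file_name": {"dropper.exe"},
}

def match_iocs(ev):
    """Exact matching against known-bad artifacts; misses anything rebuilt or renamed."""
    hits = []
    if ev.sha256 in IOC_RULES["sha256"]:
        hits.append("IOC:sha256")
    if ev.remote_ip in IOC_RULES["ip"]:
        hits.append("IOC:ip")
    if ev.process_name.lower() in IOC_RULES["file_name"]:
        hits.append("IOC:file_name")
    return hits

OFFICE_APPS = {"winword.exe", "excel.exe"}
INTERPRETERS = {"powershell.exe", "wscript.exe", "cmd.exe"}

def match_biocs(ev):
    """Behavioral matching: describes an activity (parent/child relationship), not an artifact."""
    if ev.parent_name.lower() in OFFICE_APPS and ev.process_name.lower() in INTERPRETERS:
        return ["BIOC:office-app-spawns-interpreter"]
    return []

def detect(events):
    """Return, per event, the names of the rules that fired."""
    return [match_iocs(ev) + match_biocs(ev) for ev in events]

# Constructed sample events.
SAMPLE_EVENTS = [
    # Known dropper: hash and file name are on the IOC list, so the static rules fire.
    Event("dropper.exe", "a" * 64, "explorer.exe"),
    # Same behavior, renamed and recompiled: no IOC matches, but the BIOC still fires.
    Event("powershell.exe", "b" * 64, "WINWORD.EXE"),
    # Ordinary activity: nothing fires.
    Event("chrome.exe", "c" * 64, "explorer.exe", "198.51.100.7"),
]
```

Running `detect(SAMPLE_EVENTS)` yields the IOC hits for the first event, only the BIOC hit for the second, and an empty list for the third.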