Create an IOC Rule - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-07-16
Last date published: 2024-10-14
Category: Administrator Guide
Status: Retiring (replaced by /r/Cortex-XDR/Cortex-XDR-Documentation)
Abstract

From the Cortex XDR management console, you can upload or configure indicator of compromise (IOC) rules criteria.

There are two options for creating new indicator of compromise (IOC) rules:

  • Configure a single IOC.

  • Upload a file, one IOC per line, that contains up to 20,000 IOCs. For example, you can upload multiple file paths and MD5 hashes for an IOC rule. To help you format the upload file in the syntax that Cortex XDR accepts, you can download the example file from the upload dialog.

    If you have a Cortex XDR Pro per Endpoint license, you can also upload IOCs through the REST APIs in either CSV or JSON format.

Note

To ensure your IOC rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR automatically:

  • Disables any IOC rule that reaches 5000 or more hits over a 24-hour period.

  • Creates a Rule Exception based on the PROCESS SHA256 field for any IOC rule that hits more than 100 endpoints over a 72-hour period.

  1. From Cortex XDR, select Detection & Threat Intel > Detection Rules > IOC.

  2. Select + Add IOC.

  3. Configure the IOC criteria.

    If, after investigating a threat, you identify a single malicious artifact, you can create a rule for that single IOC right away.

    1. Configure the INDICATOR value on which you want to match.

    2. Configure the IOC TYPE. Options are Full Path, File Name, Domain, Destination IP, and MD5 or SHA256 Hash.

    3. Configure the SEVERITY you want to associate with an alert for the IOC.

    4. (Optional) Enter a comment that describes the IOC.

    5. (Optional) Configure the IOC's REPUTATION.

    6. (Optional) Configure the IOC's RELIABILITY.

    7. (Optional) Enter an EXPIRATION for the IOC. Options are Default, Specific Expiration Date, or No Expiration.

    8. Click Create.

    If you want to match multiple indicators, you can upload the criteria in a CSV file.

    1. Select Upload File.

    2. Drag and drop the CSV file containing the IOC criteria into the drop area of the Upload File dialog, or browse to the file.

      Cortex XDR supports a file with multiple IOCs in a pre-configured format. For help determining the format syntax, Cortex XDR provides an example text file that you can download.

    3. Configure the SEVERITY you want to associate with an alert for the IOCs.

    4. Define the DATA FORMAT of the IOCs in the CSV file. Options are Mixed, Full Path, File Name, Domain, Destination IP, and MD5 or SHA256 Hash.

    5. (Optional) Configure the IOC's REPUTATION.

    6. (Optional) Configure the IOC's RELIABILITY.

    7. (Optional) Enter an EXPIRATION for the IOCs. Options are Default, Specific Expiration Date, or No Expiration.

    8. Click Upload.

  4. (Optional) Define any expiration criteria for your IOC rules.

    If desired, you can also configure additional expiration criteria per IOC type that apply to all IOC rules. In most cases, IOC types such as Destination IP or Host Name are considered malicious only for a short time: the infrastructure is soon cleaned up and reused by legitimate services, after which the indicator only produces false positives. For these IOC types, you can set a defined expiration period. The expiration criteria you define for an IOC type apply to all existing rules and to any rules you create in the future. By default, Cortex XDR does not set an expiration date on IOCs.

    1. Select Default Rule Expiration.

    2. Set the expiration for each relevant IOC type. Options are Never, 7 Days, 30 Days, 90 Days, or 180 Days.

    3. Click Save.
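The bulk-upload step above accepts one indicator per line and up to 20,000 indicators per file, and the DATA FORMAT you pick applies to the whole file. The script below is an added example, not Palo Alto Networks code, for preparing such a file before you upload it: it validates each indicator against the IOC TYPE you declare for it, normalizes hashes and domains, drops duplicates, warns about Destination IP values in private ranges (which will match internal traffic rather than the attacker's infrastructure), and splits the result into per-type lists of at most 20,000 lines so each list can be uploaded with a single DATA FORMAT instead of Mixed. The type names are the page's IOC TYPE options; the assumption that the console file is simply one value per line comes from the page's description, and the exact layout of the downloadable example file is not reproduced here. The type is declared explicitly rather than guessed because a value such as update.exe is a syntactically valid domain as well as a file name. The sample indicators are constructed for the example.

```python
"""Validate, normalize, de-duplicate and chunk IOCs for a Cortex XDR upload file.

Added example, not Cortex XDR code. Assumes the upload file holds one
indicator per line and that the type names below match the IOC TYPE options.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

MAX_IOCS_PER_FILE = 20_000  # console upload limit stated in the guide

TYPES = ("Full Path", "File Name", "Domain", "Destination IP", "MD5 or SHA256 Hash")

# Value syntax accepted for each IOC TYPE.
_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$")  # MD5 or SHA256, lower-case
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")
_WIN_PATH = re.compile(r"^[A-Za-z]:\\[^\0]+$")  # drive letter plus at least one segment
_POSIX_PATH = re.compile(r"^/[^\0]+$")          # absolute POSIX path
_FILENAME = re.compile(r'^[^\\/:*?"<>|\0]+$')   # a bare name, no separators


def normalize(ioc_type: str, value: str) -> Optional[str]:
    """Return the canonical form of value for ioc_type, or None if it is not
    a well-formed indicator of that type."""
    v = value.strip()
    if ioc_type == "MD5 or SHA256 Hash":
        v = v.lower()
        return v if _HASH.match(v) else None
    if ioc_type == "Destination IP":
        try:
            # Rejects "host:port", CIDR ranges and hostnames.
            return str(ipaddress.ip_address(v))
        except ValueError:
            return None
    if ioc_type == "Domain":
        v = v.lower().rstrip(".")  # fold case, drop a trailing root dot
        return v if _DOMAIN.match(v) else None
    if ioc_type == "Full Path":
        return v if (_WIN_PATH.match(v) or _POSIX_PATH.match(v)) else None
    if ioc_type == "File Name":
        return v if _FILENAME.match(v) else None
    raise ValueError(f"unknown IOC type: {ioc_type}")


def prepare(entries: Iterable[Tuple[str, str]]):
    """Group (ioc_type, value) pairs into per-type, de-duplicated upload lists.

    Returns (files, rejected, warnings): files maps each IOC TYPE to its
    list of normalized values; rejected holds (type, value, reason) triples;
    warnings lists values that are valid but likely to be noisy.
    """
    files = {t: [] for t in TYPES}
    seen = set()
    rejected: List[Tuple[str, str, str]] = []
    warnings: List[str] = []
    for ioc_type, raw in entries:
        if ioc_type not in TYPES:
            rejected.append((ioc_type, raw, "unknown IOC type"))
            continue
        v = normalize(ioc_type, raw)
        if v is None:
            rejected.append((ioc_type, raw, "malformed value"))
            continue
        if (ioc_type, v) in seen:
            continue  # duplicate after normalization
        seen.add((ioc_type, v))
        if ioc_type == "Destination IP" and ipaddress.ip_address(v).is_private:
            warnings.append(f"{v}: private or reserved address, matches internal traffic")
        files[ioc_type].append(v)
    return files, rejected, warnings


def chunk(lines: List[str], size: int = MAX_IOCS_PER_FILE) -> List[List[str]]:
    """Split a list into upload-sized pieces, each at most size lines."""
    return [lines[i:i + size] for i in range(0, len(lines), size)]


def render(lines: List[str]) -> str:
    """Serialize one chunk as the one-indicator-per-line upload file."""
    return "\n".join(lines) + "\n"


# Constructed sample input; the hash is MD5 of the empty string.
SAMPLE_ENTRIES = [
    ("MD5 or SHA256 Hash", "D41D8CD98F00B204E9800998ECF8427E"),  # upper case, normalized
    ("MD5 or SHA256 Hash", "d41d8cd98f00b204e9800998ecf8427e"),  # duplicate of the above
    ("MD5 or SHA256 Hash", "d41d8cd98f00b204e9800998ecf8427"),   # 31 hex chars: malformed
    ("Destination IP", "1.2.3.4"),
    ("Destination IP", "10.0.0.5"),                              # private range: warning
    ("Destination IP", "1.2.3.4:443"),                           # port attached: malformed
    ("Domain", "Evil-Updates.example.com."),                      # case and root dot folded
    ("Domain", "localhost"),                                      # no dot: rejected
    ("Full Path", r"C:\Users\Public\update.exe"),
    ("File Name", "update.exe"),
    ("Beacon", "anything"),                                       # not an IOC TYPE
]

if __name__ == "__main__":
    files, rejected, warnings = prepare(SAMPLE_ENTRIES)
    for ioc_type, values in files.items():
        for n, part in enumerate(chunk(values), start=1):
            print(f"--- {ioc_type} (part {n}, DATA FORMAT={ioc_type}) ---")
            print(render(part), end="")
    for t, v, why in rejected:
        print(f"REJECTED {t!r} {v!r}: {why}")
    for w in warnings:
        print(f"WARNING {w}")
```

Upload each rendered part as its own file and set DATA FORMAT to that part's type; keep the rejected list for the analyst who supplied the indicators, since a truncated hash or a host:port pair silently becomes a rule that never matches.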