Manage all indicators of compromise (IOCs) configured from or uploaded to Cortex XDR.
On the Cortex XDR IOC rules page, you can view all indicators of compromise (IOCs) configured from or uploaded to Cortex XDR. To narrow the list of IOC rules, filter by one or more fields in the IOC rules table. You can also manage or clone existing rules.
The following table describes the fields that are available for each IOC rule in alphabetical order.
# OF HITS: The number of hits (matches) on this indicator.
CLASS: The IOC's class, for example 'Malware'. The field cannot exceed 36 characters.
COMMENT: Free-form comments specified when the IOC was created or modified.
EXPIRATION DATE: The date and time at which the IOC will be removed automatically.
INDICATOR: The indicator value itself. For example, if the indicator type is Destination IP, this could be an IP address such as 188.8.131.52.
INSERTION DATE: The date and time when the IOC was created.
MODIFICATION DATE: The date and time when the IOC was last modified.
RELIABILITY: The indicator's reliability level:
REPUTATION: The indicator's reputation level, one of Unknown, Good, Bad, or Suspicious.
RULE ID: The unique identification number of the rule.
SEVERITY: The IOC severity that was defined when the IOC was created.
SOURCE: The user who created this IOC, the file name from which it was created, or one of the following keywords:
STATUS: The rule status, Enabled or Disabled.
TYPE: The type of indicator: Full path, File name, Host name, Destination IP, or MD5 hash.
VENDORS: A list of the threat intelligence vendors from which this IOC was obtained.
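The following script is an added example and is not Cortex XDR's own code; it calls no Cortex XDR API. It parses a constructed CSV export of IOC rules (the column names, sample rows and the fixed NOW timestamp are assumptions made for the example), validates each indicator value against its type, applies AND-combined field filters the way stacked filters on the IOC rules table behave, and flags enabled rules whose expiration date has already passed:

```python
"""Validate and filter an exported IOC rules table.

Added example, not Cortex XDR code; it calls no Cortex XDR API. The CSV column names,
sample rows and NOW timestamp are constructed for illustration; only the field meanings
(type, indicator, reputation, status, expiration date, hits, vendors) follow the table above.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Indicator types and reputation values as listed in the IOC rules table.
INDICATOR_TYPES = {"Full path", "File name", "Host name", "Destination IP", "MD5 hash"}
REPUTATIONS = {"Unknown", "Good", "Bad", "Suspicious"}
_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed "current time" for the example

# Constructed sample export; the column names are an assumption, not Cortex XDR's.
SAMPLE_CSV = r"""rule_id,type,indicator,reputation,status,expiration,hits,vendors
1,MD5 hash,0123456789abcdef0123456789abcdef,Bad,Enabled,2030-01-01T00:00:00Z,12,VendorA;VendorB
2,Destination IP,188.8.131.52,Suspicious,Enabled,2020-06-30T00:00:00Z,0,VendorA
3,Host name,bad-host.example,Bad,Disabled,,3,
4,MD5 hash,not-a-hash,Bad,Enabled,,0,VendorC
5,File name,C:\tools\evil.exe,Unknown,Enabled,,1,
"""

@dataclass
class IOCRule:
    rule_id: int
    indicator_type: str
    indicator: str
    reputation: str
    status: str
    expiration: Optional[datetime]  # None means the IOC is never removed automatically
    hits: int
    vendors: List[str]

def _parse_time(text: str) -> Optional[datetime]:
    """ISO-8601 timestamp or empty (no expiration); naive timestamps are taken as UTC."""
    text = text.strip()
    if not text:
        return None
    stamp = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)

def parse_rules(csv_text: str) -> List[IOCRule]:
    rules = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rules.append(IOCRule(
            rule_id=int(row["rule_id"]), indicator_type=row["type"],
            indicator=row["indicator"].strip(), reputation=row["reputation"],
            status=row["status"], expiration=_parse_time(row["expiration"]),
            hits=int(row["hits"]), vendors=[v for v in row["vendors"].split(";") if v]))
    return rules

def validate_indicator(indicator_type: str, value: str) -> Optional[str]:
    """Return None when the value is well-formed for its type, otherwise the reason it is not."""
    if indicator_type not in INDICATOR_TYPES:
        return f"unknown indicator type {indicator_type!r}"
    if not value:
        return "empty indicator value"
    if indicator_type == "MD5 hash":
        return None if _MD5_RE.match(value) else "MD5 hash must be 32 hex characters"
    if indicator_type == "Destination IP":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return "not a valid IP address"
        return None
    if indicator_type == "Host name":
        return None if _HOST_RE.match(value) else "not a valid host name"
    if indicator_type == "File name":
        return "file name must not contain a path separator" if re.search(r"[\\/]", value) else None
    # Full path: require an absolute Windows (C:\...) or POSIX (/...) path.
    return None if re.match(r"^(?:[A-Za-z]:\\|/)", value) else "full path must be absolute"

def is_expired(rule: IOCRule, now: datetime = NOW) -> bool:
    return rule.expiration is not None and rule.expiration <= now

def filter_rules(rules: List[IOCRule], **criteria) -> List[IOCRule]:
    """Keep rules whose fields equal every criterion, i.e. AND-combined table filters."""
    return [r for r in rules if all(getattr(r, k) == v for k, v in criteria.items())]

def audit(rules: List[IOCRule], now: datetime = NOW) -> Dict[int, List[str]]:
    """rule_id -> problems: malformed value, unknown reputation, or an enabled rule whose
    expiration date has passed (a stale export, since expired IOCs are removed automatically)."""
    problems: Dict[int, List[str]] = {}
    for r in rules:
        issues = []
        reason = validate_indicator(r.indicator_type, r.indicator)
        if reason:
            issues.append(reason)
        if r.reputation not in REPUTATIONS:
            issues.append(f"unknown reputation {r.reputation!r}")
        if r.status == "Enabled" and is_expired(r, now):
            issues.append("expiration date has passed but rule is still enabled")
        if issues:
            problems[r.rule_id] = issues
    return problems

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CSV)
    for rule in filter_rules(rules, status="Enabled", reputation="Bad"):
        print(f"enabled+bad: rule {rule.rule_id} {rule.indicator_type} {rule.indicator}")
    for rule_id, issues in audit(rules).items():
        print(f"rule {rule_id}: " + "; ".join(issues))
```

The type check matters because a malformed indicator (a 31-character "MD5 hash", a file name that is really a full path) never matches anything and shows zero hits without any error, so it is cheaper to catch before upload than to notice later in the # OF HITS column. Rows whose expiration date has passed should not appear at all, since Cortex XDR removes expired IOCs automatically; seeing one means the export is stale.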