On the Cortex XDR → IOC rules page, you can view all indicators of compromise (IOCs) that have been configured or uploaded. To narrow the list, filter by one or more fields of the IOC rules table. You can also manage or clone existing rules.

The following table describes the fields available for each IOC rule, in alphabetical order.
Field | Description |
---|---|
# OF HITS | The number of hits (matches) on this indicator. |
CLASS | The IOC's class, for example 'Malware'. Note: this field cannot exceed 36 characters. |
COMMENT | Free-form comments specified when the IOC was created or modified. |
EXPIRATION DATE | The date and time at which the IOC will be removed automatically. |
INDICATOR | The indicator value itself. For example, if the indicator type is a destination IP address, this could be an IP address such as 1.1.1.1. |
INSERTION DATE | Date and time when the IOC was created. |
MODIFICATION DATE | Date and time when the IOC was last modified. |
RELIABILITY | Indicator's reliability level. |
REPUTATION | Indicator's reputation level. One of Unknown, Good, Bad, or Suspicious. |
RULE ID | Unique identification number for the rule. |
SEVERITY | IOC severity that was defined when the IOC was created. |
SOURCE | The user who created this IOC, the file name from which it was created, or one of the reserved source keywords. |
STATUS | Rule status: Enabled or Disabled. |
TYPE | Type of indicator: Full path, File name, Host name, Destination IP, MD5 hash. |
VENDORS | A list of threat intelligence vendors from which this IOC was obtained. |
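As an added example that is not part of the Cortex XDR documentation or product API, the following Python validates constructed IOC rule records against the constraints the table states (CLASS length, and the allowed TYPE, REPUTATION and STATUS values) and then filters for the rules an analyst would act on: enabled, not past their expiration date, reputation Bad, with at least one hit. The sample records, the `IocRule` dataclass, the treatment of a missing expiration date as "never expires", and the MD5 format check are assumptions of this example, not behaviour documented on this page.

```python
"""Validate and filter IOC rule records shaped like the table above.

Added example, not Cortex XDR code. The records are constructed here to match
the table's fields; the constraints enforced are the ones the table states.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

ALLOWED_TYPES = {"Full path", "File name", "Host name", "Destination IP", "MD5 hash"}
ALLOWED_REPUTATIONS = {"Unknown", "Good", "Bad", "Suspicious"}
ALLOWED_STATUSES = {"Enabled", "Disabled"}
CLASS_MAX_LEN = 36  # the table's limit on the CLASS field


@dataclass
class IocRule:
    rule_id: int          # RULE ID
    indicator: str        # INDICATOR
    type: str             # TYPE
    cls: str              # CLASS
    reputation: str       # REPUTATION
    status: str           # STATUS
    severity: str         # SEVERITY
    hits: int             # # OF HITS
    expiration: Optional[datetime]  # EXPIRATION DATE; None = never expires (assumption)


def validate(rule: IocRule) -> list[str]:
    """Return the constraint violations for a rule; an empty list means it is valid."""
    problems = []
    if rule.type not in ALLOWED_TYPES:
        problems.append(f"unknown TYPE {rule.type!r}")
    if len(rule.cls) > CLASS_MAX_LEN:
        problems.append(f"CLASS longer than {CLASS_MAX_LEN} characters")
    if rule.reputation not in ALLOWED_REPUTATIONS:
        problems.append(f"unknown REPUTATION {rule.reputation!r}")
    if rule.status not in ALLOWED_STATUSES:
        problems.append(f"unknown STATUS {rule.status!r}")
    # Format check assumed by this example: an MD5 indicator is 32 hex characters.
    if rule.type == "MD5 hash" and not (
        len(rule.indicator) == 32
        and all(c in "0123456789abcdefABCDEF" for c in rule.indicator)
    ):
        problems.append("MD5 hash indicator must be 32 hex characters")
    return problems


def is_active(rule: IocRule, now: datetime) -> bool:
    """True when the rule is Enabled and its EXPIRATION DATE has not passed."""
    if rule.status != "Enabled":
        return False
    return rule.expiration is None or rule.expiration > now


def actionable(rules, now: datetime, min_hits: int = 1) -> list[IocRule]:
    """Active rules with reputation Bad and at least min_hits matches, most hits first."""
    return sorted(
        (r for r in rules
         if is_active(r, now) and r.reputation == "Bad" and r.hits >= min_hits),
        key=lambda r: r.hits,
        reverse=True,
    )


# Constructed sample data (documentation address ranges and example domains).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RULES = [
    IocRule(101, "203.0.113.10", "Destination IP", "Malware", "Bad", "Enabled", "High", 7,
            datetime(2024, 12, 31, tzinfo=timezone.utc)),
    IocRule(102, "bad.example.com", "Host name", "Malware", "Bad", "Enabled", "Medium", 3,
            datetime(2024, 1, 1, tzinfo=timezone.utc)),  # expired
    IocRule(103, "d41d8cd98f00b204e9800998ecf8427e", "MD5 hash", "Malware", "Bad",
            "Disabled", "High", 12, None),                # disabled
    IocRule(104, "C:\\Users\\Public\\dropper.exe", "Full path", "Malware", "Suspicious",
            "Enabled", "Low", 5, None),                   # not Bad
    IocRule(105, "update.example.org", "Host name", "Malware", "Bad", "Enabled", "High", 0,
            None),                                        # no hits yet
    IocRule(106, "203.0.113.77", "Destination IP", "Malware", "Bad", "Enabled", "High", 21,
            None),
]
# A record that breaks two of the table's constraints.
INVALID_RULE = IocRule(200, "not-a-hash", "SHA256 hash", "x" * 40, "Bad", "Enabled", "High",
                       0, None)

if __name__ == "__main__":
    for r in SAMPLE_RULES + [INVALID_RULE]:
        for p in validate(r):
            print(f"rule {r.rule_id}: {p}")
    for r in actionable(SAMPLE_RULES, NOW):
        print(f"act on rule {r.rule_id}: {r.type} {r.indicator} ({r.hits} hits)")
```

Run stand-alone, the script reports the two violations on rule 200 and lists rules 106 and 101 as actionable; the expired, disabled, Suspicious and zero-hit records are filtered out for the reasons the comments give.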