In the → page, you can view all indicators of compromise (IOCs) configured from or uploaded to Cortex XDR. To filter the number of IOC rules you filter by one or more fields in the IOC rules table. You can also manage or clone existing rules.
The following table describes the fields that are available for each IOC rule in alphabetical order.
Field | Description |
|---|---|
# OF HITS | The number of hits (matches) on this indicator. |
CLASS | The IOC's class. For example, 'Malware'. NoteField cannot exceed 36 characters. |
COMMENT | Free-form comments specified when the IOC was created or modified. |
EXPIRATION DATE | The date and time at which the IOC will be removed automatically. |
INDICATOR | The indicator value itself. For example, if the indicator type is a destination IP address, this could be an IP address such as 1.1.1.1. |
INSERTION DATE | Date and time when the IOC was created. |
MODIFICATION DATE | Date and time when the IOC was last modified. |
RELIABILITY | Indicator's reliability level:
|
REPUTATION | Indicator's reputation level. One of Unknown, Good, Bad, or Suspicious. |
RULE ID | Unique identification number for the rule. |
SEVERITY | IOC severity that was defined when the IOC was created. |
SOURCE | User who created this IOC, or the file name from which it was created, or one of the following keywords:
|
STATUS | Rule status: Enabled or Disabled. |
TYPE | Type of indicator: Full path, File name, Host name, Destination IP, MD5 hash. |
VENDORS | A list of threat intelligence vendors from which this IOC was obtained. |