IOC Rule Details - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-12-04
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Manage all indicators of compromise (IOCs) configured from or uploaded to Cortex XDR.

On the Detection Rules > IOC page, you can view all indicators of compromise (IOCs) configured from or uploaded to Cortex XDR. To narrow the list of IOC rules, filter by one or more fields in the IOC rules table. You can also manage or clone existing rules.

The following table describes the fields that are available for each IOC rule in alphabetical order.

Field

Description

# OF HITS

The number of hits (matches) on this indicator.

BACKWARDS SCAN STATUS

Status of the Cortex XDR search for the first 10,000 matches when the IOC rule was created or edited. Status can be:

  • Done

  • Failed

  • Pending

  • Queued

BACKWARDS SCAN TIMESTAMP

Timestamp of the Cortex XDR search for the first 10,000 matches that ran when the IOC rule was created or edited.

BACKWARDS SCAN RETRIES

Number of times Cortex XDR retried the search for the first 10,000 matches after the IOC rule was created or edited.

CLASS

The IOC's class. For example, 'Malware'.

Note

Field cannot exceed 36 characters.

COMMENT

Free-form comments specified when the IOC was created or modified.

EXPIRATION DATE

The date and time at which the IOC will be removed automatically.

INDICATOR

The indicator value itself. For example, if the indicator type is a destination IP address, this could be an IP address such as 1.1.1.1.

INSERTION DATE

Date and time when the IOC was created.

MODIFICATION DATE

Date and time when the IOC was last modified.

RELIABILITY

Indicator's reliability level:

  • A - Completely Reliable

  • B - Usually Reliable

  • C - Fairly Reliable

  • D - Not Usually Reliable

  • E - Unreliable

REPUTATION

Indicator's reputation level. One of Unknown, Good, Bad, or Suspicious.

RULE ID

Unique identification number for the rule.

SEVERITY

IOC severity that was defined when the IOC was created.

SOURCE

User who created this IOC, or the file name from which it was created, or one of the following keywords:

  • Public API—the indicator was uploaded using the Insert Simple Indicators, CSV or Insert Simple Indicators, JSON REST APIs.

  • XSOAR TIM—the indicator was retrieved from XSOAR.

STATUS

Rule status: Enabled or Disabled.

TYPE

Type of indicator: Full path, File name, Host name, Destination IP, MD5 hash.

VENDORS

A list of threat intelligence vendors from which this IOC was obtained.
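As an added example (not part of the Cortex XDR documentation or product), the following Python lints exported IOC rule rows against the field constraints in the table above before they are cloned or re-uploaded: it flags values outside the documented RELIABILITY, REPUTATION and TYPE sets, CLASS values over 36 characters, already-expired rules and failed backwards scans. The column names follow the table; the per-type indicator format checks and the ISO 8601 form of EXPIRATION DATE are this example's assumptions.

```python
import re
from datetime import datetime, timezone

# Allowed values taken from the IOC rule field table; the per-TYPE indicator
# format checks below are this example's own assumptions, not product rules.
RELIABILITY = set("ABCDE")
REPUTATION = {"Unknown", "Good", "Bad", "Suspicious"}
TYPES = {"Full path", "File name", "Host name", "Destination IP", "MD5 hash"}
MAX_CLASS_LEN = 36
_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")

def lint_rule(rule: dict, now: datetime) -> list:
    """Return the problems found in one IOC rule row (empty list means clean)."""
    problems = []
    if rule["TYPE"] not in TYPES:
        problems.append(f"unknown TYPE {rule['TYPE']!r}")
    if rule["RELIABILITY"] not in RELIABILITY:
        problems.append(f"RELIABILITY must be A-E, got {rule['RELIABILITY']!r}")
    if rule["REPUTATION"] not in REPUTATION:
        problems.append(f"REPUTATION must be one of {sorted(REPUTATION)}")
    if len(rule.get("CLASS", "")) > MAX_CLASS_LEN:
        problems.append(f"CLASS exceeds {MAX_CLASS_LEN} characters")
    ind = rule["INDICATOR"]
    if rule["TYPE"] == "MD5 hash" and not _MD5.match(ind):
        problems.append("MD5 hash indicator is not 32 hex characters")
    elif rule["TYPE"] == "Destination IP" and not _IPV4.match(ind):
        problems.append("Destination IP indicator is not a valid IPv4 address")
    # EXPIRATION DATE is when the rule is removed automatically; a rule that is
    # already past it matches nothing and should not be re-uploaded as-is.
    if datetime.fromisoformat(rule["EXPIRATION DATE"]) <= now:
        problems.append("rule already expired")
    if rule["BACKWARDS SCAN STATUS"] == "Failed":
        problems.append(f"backwards scan failed after {rule['BACKWARDS SCAN RETRIES']} retries")
    return problems

# Constructed sample rows shaped like the IOC rules table (not real data).
NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)
SAMPLE_RULES = [
    {"RULE ID": 1, "TYPE": "MD5 hash", "INDICATOR": "d41d8cd98f00b204e9800998ecf8427e",
     "CLASS": "Malware", "RELIABILITY": "A", "REPUTATION": "Bad", "BACKWARDS SCAN STATUS": "Done",
     "BACKWARDS SCAN RETRIES": 0, "EXPIRATION DATE": "2025-06-01T00:00:00+00:00"},
    {"RULE ID": 2, "TYPE": "Destination IP", "INDICATOR": "10.0.0.999",
     "CLASS": "C2", "RELIABILITY": "F", "REPUTATION": "Bad", "BACKWARDS SCAN STATUS": "Failed",
     "BACKWARDS SCAN RETRIES": 3, "EXPIRATION DATE": "2024-01-01T00:00:00+00:00"},
]

def lint_all(rules, now=NOW):
    """Map RULE ID to its problem list for a batch of rows."""
    return {r["RULE ID"]: lint_rule(r, now) for r in rules}
```

Rule 1 in the sample passes cleanly; rule 2 is reported for its out-of-range reliability, malformed IP, past expiration date and failed backwards scan.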