Manage Existing Indicators - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-10-14
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Edit, export, copy, disable, or remove rules, and add rule exceptions for existing indicators in Cortex XDR.

After you create an indicator rule, you can take the following actions:

Note

For Analytics BIOC rules, you can only disable and enable rules.

View Alerts Triggered by a Rule

As your IOC and BIOC rules trigger alerts, Cortex XDR displays the total # OF HITS for the rule in the the BIOC or IOC rules page. For rules with a high, medium, or low severity that have raised one or more alerts, you can quickly pivot to a filtered view of those alerts raised by the indicator:

  1. Select Detection & Threat IntelDetection Rules and the type of rule (BIOC or IOC).

  2. Right-click anywhere in a rule, and then select View associated alerts.

    You can see a filtered query of alerts associated with the Rule ID.

Use a BIOC Rule as the Basis of a Query
  1. Select Detection & Threat IntelDetection Rules and the type of rule (BIOC or IOC).

  2. Right-click anywhere in the rule, and then select Open in query builder.

    populates a query using the criteria of the BIOC rule.

  3. If desired, add or change the query criteria.

  4. (Optional) Test your query to see the sample results.

  5. If you are satisfied with query, Save the query.

    For more information, see Manage Your Queries.Manage Your Queries

Edit a Rule

After you create a rule, it may be necessary to tweak or change the rule settings. You can open the rule configuration from the Rules page or from the pivot menu of an alert triggered by the rule. To edit the rule from the Rules page:

  1. Select Detection & Threat IntelDetection Rules and the type of rule (BIOC or IOC).

  2. Locate the rule you want to edit.

  3. Right-click anywhere in the rule and select Edit.

  4. Edit the rule settings as needed, and then click OK.

    If you make any changes, Test and then Save the rule.

Export a Rule (BIOC Only)
  1. Select Detection & Threat IntelDetection RulesBIOC.

  2. Select the rules that you want to export.

  3. Right-click any of the rows, and select Export selected.

    The exported file is not editable, however, you can use it as a source to import rules at a later date.

Copy a BIOC Rule

You can use an existing rule as a template to create a new one. Global BIOC rules cannot be deleted or altered, but you can copy a global rule and edit the copy.

  1. From Cortex XDR, select Detection & Threat IntelDetection Rules and then BIOC.

  2. Locate the rule you want to copy.

  3. Right-click anywhere in the rule row and then select Save as New to create a duplicate rule.

Disable or Remove a Rule

If you no longer need a rule you can temporarily disable or permanently remove it.

Note

You cannot delete global BIOCs delivered with content updates.

  1. Select Detection & Threat IntelDetection Rules and the type of rule (BIOC or IOC).

  2. Locate the rule that you want to change.

  3. Right-click anywhere in the rule row and then select Remove to permanently delete the rule, or Disable to temporarily stop the rule. If you disable a rule you can later return to the rule page to Enable it.

Partially Disable or Re-enable a BIOC Rule

You can disable one or more BIOC rules on the agent, on the server, or on both. This provides you more granularity for managing the prevention actions triggered by the BIOC Rules.

  1. From Cortex XDR, select Detection RulesBIOC.

  2. Select the rules you want to disable.

  3. Right-click any of the rules and select to disable the rules on the agent, on the server, or on both.

    Note

    For BIOC rules that are applied to prevention profiles:

    • If you disable a rule only on the agent, detection on the server works as usual.

      If you disable a rule only on the server, prevention on the agent works as usual.

  4. We recommend you supply a reason for disabling the rule.

Note

When a BIOC rule is disabled automatically by Cortex XDR, for example due to the server anti flooding mechanism, prevention on the agent works as before.

You can re-enable a rule granularly for detection, prevention, or both in the same way.