Manage Existing Indicators - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex - Security Operations

Select Detection & Threat Intel → Detection Rules and the type of rule (BIOC or IOC).

Right-click anywhere in a rule, and then select View associated alerts.

You can see a filtered query of alerts associated with the Rule ID.

Select Detection & Threat Intel → Detection Rules and the type of rule (BIOC or IOC).

Right-click anywhere in the rule, and then select Open in query builder.

populates a query using the criteria of the BIOC rule.

If desired, add or change the query criteria.

(Optional) Test your query to see the sample results.

If you are satisfied with query, Save the query.

For more information, see Manage Your Queries.

Select Detection & Threat Intel → Detection Rules and the type of rule (BIOC or IOC).

Locate the rule you want to edit.

Right-click anywhere in the rule and select Edit.

Edit the rule settings as needed, and then click OK.

If you make any changes, Test and then Save the rule.

Select Detection & Threat Intel → Detection Rules → BIOC.

Select the rules that you want to export.

Right-click any of the rows, and select Export selected.

The exported file is not editable, however, you can use it as a source to import rules at a later date.

From Cortex XDR, select Detection & Threat Intel → Detection Rules and then BIOC.

Locate the rule you want to copy.

Right-click anywhere in the rule row and then select Save as New to create a duplicate rule.

Select Detection & Threat Intel → Detection Rules and the type of rule (BIOC or IOC).

Locate the rule that you want to change.

Right-click anywhere in the rule row and then select Remove to permanently delete the rule, or Disable to temporarily stop the rule. If you disable a rule you can later return to the rule page to Enable it.