Rules - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-10-31
Last date published: 2024-03-19
Category: Administrator Guide
Abstract

When you identify a threat, you can define specific rules for which you want Cortex XDR to raise alerts.

When you identify a threat, you can define rules that tell Cortex XDR when to raise an alert. You can define the following kinds of rules:

  • Behavioral indicators of compromise (BIOCs)—Identifying threats by their behavior can be complex. As you identify specific activities (network, process, file, registry, etc.) that indicate a threat, you create BIOCs that alert you when that behavior is detected. If you enable Cortex XDR - Analytics, Cortex XDR can also raise Analytics BIOCs (ABIOCs). Whenever you create or enable a BIOC rule, the rule starts monitoring the stream of incoming data for new matches in real time and also analyzes the historical data already collected in the Cortex XDR tenant. BIOCs can also be used for real-time prevention at the agent level through a Restriction Profile. See Working with BIOCs.

  • Indicators of compromise (IOCs)—Known artifacts that are considered malicious or suspicious. IOCs are static and based on criteria such as SHA256 hashes, IP addresses and domains, file names, and paths. You create IOC rules from information gathered from threat-intelligence feeds or from an investigation within Cortex XDR. As soon as you create or enable an IOC rule, the rule starts monitoring the stream of incoming data for new matches in real time and also analyzes the historical data already collected in the Cortex XDR tenant. See Working with IOCs.

  • Correlation Rules—Let you correlate multiple events from multiple sources. Correlation Rules are scheduled rules written for the Cortex Query Language (XQL) based engine. Once created, a Correlation Rule runs at its configured interval (every X minutes or hours) against data already stored in Cortex XDR, rather than on the incoming stream. See Working with Correlation Rules.
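To make the difference between the three rule kinds concrete, the following toy rule engine is an added example (not Cortex XDR code or its data model) that models the semantics the list above describes: an IOC rule matches static artifacts, a BIOC rule matches a behavior, both are evaluated against stored history when enabled and then against every new event in real time, while a correlation rule runs on a schedule over data already in the store. All events, hostnames, indicator values and field names (`parent`, `image`, `sha256`, `domain`) are constructed for the example and are not xdr_data fields.

```python
"""Toy rule engine illustrating IOC, BIOC and Correlation rule semantics.
Added example, not Cortex XDR code. Every value below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass
class Event:
    ts: datetime
    source: str   # constructed sources: "endpoint" or "firewall"
    host: str
    data: dict


@dataclass
class Alert:
    rule: str
    host: str
    ts: datetime


# --- IOC rule: static artifacts. Placeholder indicator values, not real IoCs. ---
IOC_SHA256 = {"PLACEHOLDER_SHA256_" + "0" * 46}
IOC_DOMAINS = {"bad.invalid"}   # .invalid is reserved (RFC 2606) and never resolves


def ioc_match(ev: Event) -> bool:
    d = ev.data
    return d.get("sha256") in IOC_SHA256 or d.get("domain") in IOC_DOMAINS


# --- BIOC rule: a behavior, here an office application starting a shell. ---
OFFICE = {"winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def bioc_office_spawns_shell(ev: Event) -> bool:
    d = ev.data
    return (ev.source == "endpoint" and d.get("type") == "process_start"
            and d.get("parent", "").lower() in OFFICE
            and d.get("image", "").lower() in SHELLS)


class RuleEngine:
    def __init__(self, historical: list[Event]):
        self.store: list[Event] = sorted(historical, key=lambda e: e.ts)
        self.realtime: dict[str, Callable[[Event], bool]] = {}
        self.alerts: list[Alert] = []

    def enable(self, name: str, predicate: Callable[[Event], bool]) -> None:
        """Enabling an IOC/BIOC rule: scan stored history once, then watch the stream."""
        self.realtime[name] = predicate
        for ev in self.store:
            if predicate(ev):
                self.alerts.append(Alert(name, ev.host, ev.ts))

    def ingest(self, ev: Event) -> None:
        """Real-time path: each new event is checked by every enabled IOC/BIOC rule."""
        self.store.append(ev)
        for name, pred in self.realtime.items():
            if pred(ev):
                self.alerts.append(Alert(name, ev.host, ev.ts))

    def run_scheduled(self, name: str, now: datetime, interval: timedelta) -> int:
        """Correlation rule: runs at its interval over data already stored, not per event.
        Fires once per host where, inside the interval, an endpoint shell start is
        followed by a firewall-observed outbound connection. Returns alerts raised."""
        since = now - interval
        by_host: dict[str, list[Event]] = {}
        for e in self.store:
            if since <= e.ts <= now:
                by_host.setdefault(e.host, []).append(e)
        fired = 0
        for host, evs in by_host.items():
            shells = [e for e in evs if e.source == "endpoint"
                      and e.data.get("type") == "process_start"
                      and e.data.get("image", "").lower() in SHELLS]
            conns = [e for e in evs if e.source == "firewall"
                     and e.data.get("type") == "outbound"]
            if any(c.ts >= s.ts for s in shells for c in conns):
                self.alerts.append(Alert(name, host, now))
                fired += 1
        return fired


def demo() -> dict[str, int]:
    """Constructed history and stream; returns alert count per rule name."""
    t0 = datetime(2024, 1, 1, 12, 0)
    historical = [
        Event(t0, "endpoint", "ws-01", {"type": "file_write", "sha256": next(iter(IOC_SHA256))}),
        Event(t0 + timedelta(minutes=1), "endpoint", "ws-02",
              {"type": "process_start", "parent": "explorer.exe", "image": "cmd.exe"}),
    ]
    stream = [
        Event(t0 + timedelta(minutes=5), "endpoint", "ws-02",
              {"type": "process_start", "parent": "WINWORD.EXE", "image": "powershell.exe"}),
        Event(t0 + timedelta(minutes=6), "firewall", "ws-02",
              {"type": "outbound", "domain": "bad.invalid"}),
        Event(t0 + timedelta(minutes=7), "endpoint", "ws-03",
              {"type": "process_start", "parent": "explorer.exe", "image": "notepad.exe"}),
    ]
    engine = RuleEngine(historical)
    engine.enable("ioc", ioc_match)                       # hits the historical hash
    engine.enable("bioc_office_spawns_shell", bioc_office_spawns_shell)
    for ev in stream:
        engine.ingest(ev)                                 # real-time matches
    engine.run_scheduled("corr_shell_then_outbound", t0 + timedelta(minutes=10),
                         timedelta(minutes=15))           # scheduled pass over the store
    counts: dict[str, int] = {}
    for a in engine.alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    print(demo())
```

In this run the IOC rule fires twice (once from the historical scan on the placeholder hash, once from the stream on the reserved domain), the BIOC rule fires once on the office-to-shell process start, and the correlation rule fires once for the host where the shell start and the outbound connection fall in the same interval. The separation of `enable`/`ingest` from `run_scheduled` mirrors the distinction the list draws: IOC and BIOC rules see each event as it arrives, a Correlation Rule only sees what is already in the store when its schedule fires.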

After you create an indicator rule, you can Manage Existing Indicators.