Indicator Rules - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-16
Category: Administrator Guide
Abstract

Create detection and prevention rules using threat intelligence as a source.

Indicator rules allow you to use the indicators in the system for detection and prevention. Indicators can be used for real-time prevention on the agent and for server-side detection.

With indicator rules, you create rules based on filters that are applied either as SHA256 and MD5 prevention rules in specific Agent Prevention Profiles or as file, IP address, and domain detection rules.

Indicator rules marked for detection and prevention will generate alerts that you can then track and investigate.
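To make the two rule types concrete, the following is an added, self-contained illustration of what an indicator rule does at match time; it is not Cortex XSIAM code and does not use any XSIAM API. It enforces the page's type restriction (prevention rules target SHA256/MD5 only; detection rules target file hashes, IP addresses and domains), normalizes indicator values before comparison, and counts the alerts each rule generates. The event field names (`sha256`, `md5`, `dst_ip`, `domain`, `host`), the rule names and all sample values are constructed assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Indicator types each rule kind may target, as described on the page.
PREVENTION_TYPES = {"sha256", "md5"}
DETECTION_TYPES = {"sha256", "md5", "ip", "domain"}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def classify_indicator(value):
    """Return (indicator type, normalized value); raise ValueError if unsupported.

    Normalization (lower-case, trailing dot stripped) means an uppercase hash or
    a fully qualified domain with a trailing dot still matches the stored value.
    """
    v = value.strip().lower().rstrip(".")
    if SHA256_RE.match(v):
        return "sha256", v
    if MD5_RE.match(v):
        return "md5", v
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain", v
    raise ValueError(f"unsupported indicator: {value!r}")


@dataclass
class IndicatorRule:
    name: str
    kind: str                 # "prevention" or "detection"
    severity: str
    indicators: dict = field(default_factory=dict)  # type -> set of values
    enabled: bool = True      # the Status column
    alert_count: int = 0      # the "# of alerts" column

    def add_indicator(self, value):
        """Attach an indicator, rejecting types the rule kind cannot target."""
        itype, norm = classify_indicator(value)
        allowed = PREVENTION_TYPES if self.kind == "prevention" else DETECTION_TYPES
        if itype not in allowed:
            raise ValueError(f"{self.kind} rule cannot target {itype} indicator {value!r}")
        self.indicators.setdefault(itype, set()).add(norm)

    def match(self, event):
        """Return the (type, value) pairs in an event that hit this rule."""
        if not self.enabled:
            return []
        hits = []
        # Assumed event field -> indicator type mapping.
        for key, itype in (("sha256", "sha256"), ("md5", "md5"),
                           ("dst_ip", "ip"), ("domain", "domain")):
            raw = event.get(key)
            if raw is None:
                continue
            try:
                etype, norm = classify_indicator(raw)
            except ValueError:
                continue  # malformed field: never a match
            if etype == itype and norm in self.indicators.get(itype, set()):
                hits.append((itype, norm))
        return hits


def evaluate(rules, events):
    """Run every enabled rule over every event and return the alerts raised."""
    alerts = []
    for event in events:
        for rule in rules:
            for itype, value in rule.match(event):
                rule.alert_count += 1
                alerts.append({
                    "rule": rule.name,
                    "action": "block" if rule.kind == "prevention" else "alert",
                    "severity": rule.severity,
                    "indicator_type": itype,
                    "indicator": value,
                    "host": event.get("host"),
                })
    return alerts


def build_demo_rules():
    prevention = IndicatorRule("Block known bad binaries", "prevention", "high")
    # Constructed sample hashes: SHA256 and MD5 of the empty string.
    prevention.add_indicator("E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855")
    prevention.add_indicator("d41d8cd98f00b204e9800998ecf8427e")
    detection = IndicatorRule("Detect known bad network indicators", "detection", "medium")
    detection.add_indicator("192.0.2.10")         # RFC 5737 documentation address
    detection.add_indicator("malicious.example")  # reserved example TLD
    return [prevention, detection]


# Constructed sample telemetry; only three of the four events carry a listed indicator.
SAMPLE_EVENTS = [
    {"host": "ws-01", "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"host": "ws-02", "dst_ip": "192.0.2.10"},
    {"host": "ws-03", "domain": "Malicious.Example."},
    {"host": "ws-04", "sha256": "0" * 64, "dst_ip": "198.51.100.7"},
]


def run_demo():
    rules = build_demo_rules()
    alerts = evaluate(rules, SAMPLE_EVENTS)
    return rules, alerts


if __name__ == "__main__":
    rules, alerts = run_demo()
    for a in alerts:
        print(a)
    for r in rules:
        print(f"{r.name}: {r.alert_count} alert(s)")
```

Running it produces one "block" alert from the prevention rule and two "alert" entries from the detection rule, and the per-rule counters mirror the "# of alerts" column; flipping `enabled` to `False` on a rule silences it, which is the effect of the Disable action described further down.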

The Indicator Rules page displays the following fields for each rule:

Rule ID: Unique identifier for the rule.
Creation Date: Timestamp of when the rule was created.
Modification Date: Timestamp of when the rule was edited.
Name: Name of the rule.
Type: Whether the rule is a Prevention or Detection type rule.
Target: Hash, IP address, file, or domain value associated with the rule.
Severity: Level of severity associated with the rule.
# of alerts: Number of alerts generated by the rule.
Created by: Email address of the user who created the rule.
Description: Optional description associated with the rule.
Status: Whether the rule is Enabled or Disabled.
Used in profiles: Cortex XDR agent Restriction Profile associated with the rule.

  1. Create an indicator rule.

    Navigate to Detection & Threat Intel > Threat Intel Management > Indicator Rules > + Add Rule.

  2. Select whether to create a Prevention or Detection Rule.

    A Prevention Rule can be created based on SHA256 and MD5 types.

    1. In the Create New Prevention Rule wizard, enter the mandatory Rule Name, Select Profiles For Prevention, and define the level of Severity for the rule.

    2. Filter and select one or more SHA256 and MD5 indicators to which to apply the rule.

    3. Review and Save your rule.

    A Detection Rule can be created based on file, IP address, and domain indicators.

    1. In the Create New Detection Rule wizard, enter the mandatory Rule Name and define the level of Severity for the rule.

    2. Filter and select one or more file, IP address, and domain indicators to which to apply the rule.

    3. Review and Save your rule.

  3. Manage your indicator rules.

    In the Indicator Rules table, right-click a rule to perform the following actions:

    View related alerts: View alerts generated by the rule.
    Disable/Enable: Depending on the current status, Disable or Enable the rule.
    Edit Rule: Modify the rule configurations.
    Save as new: Create a new rule using the current rule configurations.
    Delete: Delete the rule.