Indicator Rules - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-12-04
Category
Administrator Guide
Abstract

Create detection and prevention rules using threat intelligence as a source.

Indicator rules allow you to use utilize indicators in the system for detection and prevention. Indicators can be used for real-time prevention on the agent and server-side detection.

With the indicator rules, you can create rules based on filters that are applied as either SHA256 and MD5 prevention rules in specific Agent Prevention Profiles or as file, IP address, and domain detection rules.

Indicator rules marked for detection and prevention will generate alerts that you can then track and investigate.

The Indicator Rules page displays the following fields for each rule:

Field

Description

Rule ID

Unique identifier for the rule.

Creation Date

Timestamp of when the rule was created.

Modification Date

Timestamp when the rule was edited.

Name

Name of the rule.

Type

Whether the rule is a Prevention or Detection type rule.

Target

Hash, IP address, File, or domain value associated with the rule.

Severity

Level of severity associated with the rule.

# of alerts

Number of alerts generated by the rule.

Created by

Email address of the user who created the rule.

Description

Optional description associated with the rule.

Status

Whether the rule is Enabled or Disabled.

Used in profiles

Cortex XDR agent Restriction Profile associated with the rule.

  1. Create an indicator rule.

    Navigate to Detection & Threat IntelThreat Intel ManagementIndicator Rules+ Add Rule.

  2. Select whether to create a Prevention or Detection Rule.

    A Prevention Rule can be created based on SHA256 and MD5 types.

    1. In the Create New Prevention Rule wizard, enter the mandatory Rule Name, Select Profiles For Prevention, and define the level of Severity for the rule.

    2. Filter and select one or more SHA256 and MD5 indicators to which to apply the rule to.

    3. Review and Save your rule.

    A Detection Rule can be created based on a file, IP address, and domain.

    1. In the Create New Detection Rule wizard, enter the mandatory Rule Name and define the level of Severity for the rule.

    2. Filter and select one or more files, IP addresses, and domain indicators to which to apply the rule to.

    3. Review and Save your rule.

  3. Manage your indicator rules.

    In the Indicator Rules table, right-click a rule to perform the following actions:

    Action

    Description

    View related alerts

    View alerts generated by the rule.

    Disable/Enable

    Depending on the current status, Disable or Enable the rule.

    Edit Rule

    Modify the rule configurations.

    Save as new

    Create a new rule using the current rule configurations.

    Delete

    Delete the rule.