Rules - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-16
Category
Administrator Guide
Abstract

When you identify a threat, you can define specific rules for which you want Cortex XSIAM to raise alerts.

When you identify a threat, you can define specific rules for which you want Cortex XSIAM to raise alerts. You can define the following rules:

  • Behavioral indicators of compromise (BIOCs)—Identifying threats based on their behaviors can be quite complex. As you identify specific activities (network, process, file, registry, and so on) that indicate a threat, you create BIOCs that alert you when the behavior is detected. If you enable Cortex XSIAM - Analytics, Cortex XSIAM can also raise Analytics BIOCs (ABIOCs). Whenever you create or enable a BIOC rule, the rule begins to monitor the stream of incoming data for any new matches in real time and also analyzes the historical data already collected in the Cortex XSIAM tenant. BIOCs can also be used for real-time prevention at the agent level through a Restriction Profile. See Working with BIOCs.

  • Indicators of compromise (IOCs)—Known artifacts that are considered malicious or suspicious. IOCs are static and based on criteria such as SHA256 hashes, IP addresses and domains, file names, and paths. You create IOC rules based on information that you gather from threat-intelligence feeds or as a result of an investigation within Cortex XSIAM. As soon as you create or enable an IOC rule, the rule begins to monitor the stream of incoming data for any new matches in real time and also analyzes the historical data already collected in the Cortex XSIAM tenant. See Working with IOCs.

  • Correlation Rules—Help you analyze correlations between multiple events from multiple sources. They are scheduled rules built on the Cortex Query Language (XQL) engine. After you create a Correlation Rule, it runs at a configured time interval (every X minutes or hours) against data already in Cortex XSIAM. See Working with Correlation Rules.

After you create an indicator rule, you can Manage Existing Indicators.
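To make the difference between the three rule types concrete, here is an added toy model (not Cortex XSIAM code and not its rule syntax) that evaluates a static IOC rule, a behavioral BIOC rule, and a time-windowed, multi-source correlation rule over a handful of constructed events; the event fields, hash values and domains are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events from two sources (endpoint agent and firewall); not real telemetry.
EVENTS = [
    {"ts": "2024-02-26T10:00:00", "source": "endpoint", "host": "ws-01", "type": "process",
     "image": "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe", "sha256": "0" * 64},
    {"ts": "2024-02-26T10:02:00", "source": "firewall", "host": "ws-01", "type": "network",
     "domain": "updates.example-cdn.test"},
    {"ts": "2024-02-26T10:03:00", "source": "firewall", "host": "ws-02", "type": "network",
     "domain": "known-bad.test"},
    {"ts": "2024-02-26T11:30:00", "source": "endpoint", "host": "ws-03", "type": "process",
     "image": "C:\\Windows\\System32\\notepad.exe", "sha256": "1" * 64},
]

# IOC rule: a static match on known artifacts (hashes, domains). Values are placeholders.
IOC_SHA256 = {"0" * 64}
IOC_DOMAINS = {"known-bad.test"}

def ioc_rule(ev):
    return ev.get("sha256") in IOC_SHA256 or ev.get("domain") in IOC_DOMAINS

# BIOC rule: behavioral; it matches an activity (a process launched from a Temp directory),
# not a specific artifact, so it also fires on hashes never seen before.
def bioc_rule(ev):
    return ev["type"] == "process" and "\\Temp\\" in ev.get("image", "")

def run_rule(rule, historical, stream):
    """Enabling a BIOC or IOC rule evaluates data already in the tenant and then every
    newly arriving event; both kinds of match are returned."""
    return [ev for ev in historical + stream if rule(ev)]

def correlation_rule(events, window=timedelta(minutes=10)):
    """Scheduled, multi-source rule: a BIOC process hit on a host followed within `window`
    by a firewall network event from the same host. Returns (host, domain) pairs."""
    hits = []
    for p in (e for e in events if e["source"] == "endpoint" and bioc_rule(e)):
        t0 = datetime.fromisoformat(p["ts"])
        for n in events:
            if n["source"] == "firewall" and n["host"] == p["host"]:
                delta = datetime.fromisoformat(n["ts"]) - t0
                if timedelta(0) <= delta <= window:
                    hits.append((p["host"], n["domain"]))
    return hits
```

Splitting EVENTS into a "historical" and a "stream" part when calling run_rule shows why a freshly enabled rule can raise alerts on old data as well as on new events.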