Working with IOCs - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


Indicators of compromise (IOCs) alert you about known malicious objects on your endpoints.

IOCs let you alert on known malicious objects on endpoints across the organization. You can load IOC lists from various threat-intelligence sources into the Cortex XSIAM app or define them individually.


Cortex XSIAM supports a maximum of 4,000,000 IOCs.

You can define the following types of IOCs:

  • Full path

  • File name

  • Domain

  • Destination IP address

  • MD5 hash

  • SHA256 hash

After you define or load IOCs, the tenant checks for matches in the endpoint data collected from agents. Checks are both retroactive and ongoing: the app looks for IOC matches in all data collected in the past and continues to evaluate any new data it receives in the future.

Alerts for IOCs are identified by a source type of IOC.
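
One way to pre-check a threat-intelligence list against the six IOC types and the 4,000,000 maximum before loading it. This is an added example, not Palo Alto Networks code and not the product's import format: the `(type, value)` row layout, the validation patterns, the lower-casing of hashes and domains, and the names `normalize` and `prepare` are assumptions, and the sample rows are constructed.

```python
import ipaddress
import re

MAX_IOCS = 4_000_000  # tenant maximum stated in the guide

# Assumed syntax checks per IOC type (not the product's own acceptance rules).
_PATTERNS = {
    "MD5 hash": r"[0-9a-f]{32}",
    "SHA256 hash": r"[0-9a-f]{64}",
    "Domain": r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}",
    "Full path": r"(?:[A-Za-z]:\\|\\\\|/).+",  # drive letter, UNC or POSIX root
    "File name": r"[^\\/]+",                    # no directory component
}

def normalize(ioc_type, value):
    """Return the cleaned value for one IOC, or raise ValueError."""
    value = value.strip()
    if ioc_type == "Destination IP address":
        return str(ipaddress.ip_address(value))  # ValueError if malformed
    if ioc_type not in _PATTERNS:
        raise ValueError("unknown IOC type")
    if ioc_type == "Domain":
        value = value.lower().rstrip(".")
    elif ioc_type.endswith("hash"):
        value = value.lower()
    if not re.fullmatch(_PATTERNS[ioc_type], value):
        raise ValueError(f"not a valid {ioc_type}")
    return value

def prepare(rows, existing_count=0):
    """Validate and de-duplicate rows; return (accepted, rejected)."""
    accepted, rejected, seen = [], [], set()
    for ioc_type, value in rows:
        try:
            key = (ioc_type, normalize(ioc_type, value))
        except ValueError as err:
            rejected.append((ioc_type, value, str(err)))
            continue
        if key not in seen:  # same indicator written two ways counts once
            seen.add(key)
            accepted.append(key)
    if existing_count + len(accepted) > MAX_IOCS:
        raise OverflowError("list would exceed the 4,000,000 IOC maximum")
    return accepted, rejected

# Constructed sample rows (not real indicators).
SAMPLE = [("MD5 hash", "0123456789ABCDEF0123456789ABCDEF"),
          ("MD5 hash", "0123456789abcdef0123456789abcdef"),
          ("Domain", "Bad.Example."), ("Destination IP address", "203.0.113.7"),
          ("Full path", "C:\\Users\\Public\\dropper.exe"),
          ("File name", "tmp/dropper.exe"), ("SHA256 hash", "abc123")]
```

Pass the number of IOCs already defined on the tenant as `existing_count` so the cap check covers the combined total; rejected rows come back with the reason so they can be corrected at the source.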