Create an IOC rule - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-07
Category
Administrator Guide
Abstract

From the Cortex XSIAM management console, you can configure or upload indicator of compromise (IOC) rule criteria.

Create new IOC rules and optionally define rule expiration for all IOC rules. You can create an IOC rule either by configuring a single rule or by uploading a file that contains multiple IOCs.

Note

To ensure your IOC rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XSIAM automatically does the following:

  • Disables any IOC rule that reaches 5000 or more hits over a 24-hour period.

  • Creates a rule exception based on the PROCESS SHA256 field for any IOC rule that hits more than 100 endpoints over a 72-hour period.

  1. In Detection Rules → IOC, select + Add IOC.

  2. Configure the IOC criteria.

  3. (Optional) Define any expiration criteria for your IOC rules.

    You can also configure an expiration period per IOC type that applies to all IOC rules of that type. In most cases, IOC types such as Destination IP or Host Name are malicious only for a short time: the infrastructure is soon cleaned up and reused by legitimate services, after which the rule generates only false positives. For these IOC types you can set a defined expiration period. The expiration criteria you define for an IOC type apply to all existing rules of that type and to any rules of that type you create in the future. By default, Cortex XSIAM does not apply an expiration period to IOCs.

    1. Select Default Rule Expiration.

    2. Set the expiration for any relevant IOC type. Options are Never, 7 days, 30 days, 90 days, or 180 days.

    3. Click Save.
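The automatic safeguards in the note above (auto-disable at 5000 hits in 24 hours, auto-exception at more than 100 endpoints in 72 hours) and the per-type default expiration are easy to trip on a noisy indicator. The script below is an added example, not Cortex XSIAM code: it runs the same thresholds over your own hit telemetry before you upload a batch of IOCs, so you can drop or scope an indicator that would be disabled or excepted the moment it goes live, and flags rules that the per-type default expiration would already have retired. The event records, the IOC list, the per-type expiration values, and the field names `ts`, `ioc` and `endpoint` are constructed for this example; the PROCESS SHA256 exception itself is not modelled, only the endpoint count that triggers it.

```python
"""Pre-flight check for IOC rules against Cortex XSIAM auto-disable,
auto-exception and default-expiration behaviour (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds as stated in the administrator guide.
HIT_LIMIT, HIT_WINDOW = 5000, timedelta(hours=24)
ENDPOINT_LIMIT, ENDPOINT_WINDOW = 100, timedelta(hours=72)

# Per-type default expiration as set in the Default Rule Expiration dialog.
# None means "Never". The values chosen here are assumptions for the example.
DEFAULT_EXPIRATION_DAYS = {
    "DESTINATION_IP": 30,
    "HOST_NAME": 90,
    "HASH": None,
}


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any single window."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window:      # slide the left edge forward
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def max_endpoints_in_window(events, window):
    """Largest number of distinct endpoints hit inside any single window."""
    evs = sorted(events, key=lambda e: e["ts"])
    counts = defaultdict(int)
    best = lo = 0
    for hi, e in enumerate(evs):
        counts[e["endpoint"]] += 1
        while e["ts"] - evs[lo]["ts"] > window:
            old = evs[lo]["endpoint"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def assess(ioc_rules, events, now):
    """Return, per IOC value, whether it would be auto-disabled, get an
    automatic exception, or already be expired by its type default."""
    by_ioc = defaultdict(list)
    for e in events:
        by_ioc[e["ioc"]].append(e)
    result = {}
    for rule in ioc_rules:
        evs = by_ioc.get(rule["value"], [])
        hits = max_in_window([e["ts"] for e in evs], HIT_WINDOW)
        endpoints = max_endpoints_in_window(evs, ENDPOINT_WINDOW)
        days = DEFAULT_EXPIRATION_DAYS.get(rule["type"])
        expired = days is not None and now - rule["created"] > timedelta(days=days)
        result[rule["value"]] = {
            "hits_24h": hits,
            "disabled": hits >= HIT_LIMIT,
            "endpoints_72h": endpoints,
            "exception": endpoints > ENDPOINT_LIMIT,
            "expired": expired,
        }
    return result


def sample_data():
    """Constructed sample rules and hit events (not real telemetry)."""
    t0 = datetime(2024, 10, 1, tzinfo=timezone.utc)
    rules = [
        {"value": "198.51.100.23", "type": "DESTINATION_IP", "created": t0 - timedelta(days=45)},
        {"value": "cdn.example.net", "type": "HOST_NAME", "created": t0 - timedelta(days=10)},
        {"value": "a" * 64, "type": "HASH", "created": t0 - timedelta(days=400)},
    ]
    events = []
    # Noisy IP: 5000 hits from 20 endpoints inside ~11 hours -> auto-disabled.
    for i in range(5000):
        events.append({"ts": t0 + timedelta(seconds=i * 8), "ioc": "198.51.100.23",
                       "endpoint": f"host-{i % 20:02d}"})
    # Host name: 150 distinct endpoints over ~38 hours -> automatic exception.
    for i in range(150):
        events.append({"ts": t0 + timedelta(minutes=i * 15), "ioc": "cdn.example.net",
                       "endpoint": f"host-{i:03d}"})
    # Hash: a few hits on one endpoint, and hashes never expire here.
    for i in range(3):
        events.append({"ts": t0 + timedelta(hours=i), "ioc": "a" * 64, "endpoint": "host-001"})
    return rules, events, t0 + timedelta(days=3)


if __name__ == "__main__":
    rules, events, now = sample_data()
    for value, verdict in assess(rules, events, now).items():
        print(value, verdict)
```

Run it over an export of your own alert or hit data before uploading a file of IOCs; anything reported as `disabled` or `exception` will not behave as a usable rule in the console, and anything `expired` would be better re-validated than re-added.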