Generate alerts from indicators using indicator rules for prevention and detection - Administrator Guide - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-09-11
Category: Administrator Guide
Abstract

Create detection and prevention rules using threat intelligence as a source.

Indicator rules let you use the indicators in the system for detection and prevention. A rule selects indicators, either individually or by their traits (feed, verdict, type, and so on), so that the server detects them and the endpoint agent prevents them. Indicator rules marked for detection or prevention generate alerts that you can then track and investigate.

Note

Indicators should be present in the TIM database (Detection & Threat Intel → Threat Intel Management → Indicators) before creating detection and prevention rules.

Indicator rules can be used for the following:

  • Real-time prevention on the agent

    Create an indicator rule that is enforced by a Restrictions profile on the agent, using filters applied to file (SHA256 and MD5) indicators. A Restrictions profile limits the locations from which executables can run on an endpoint. When the Cortex XDR agent detects behavior that matches a rule defined in your profile, the agent applies the security profile attached to the rule for further inspection. An alert is then generated in Cortex XSIAM (the alert source is XDR Agent). For more information about the Restrictions profile, see Set up restrictions prevention profiles.

  • Server-side detection

    Create rules based on filters applied to file (SHA256, MD5), IP address, and domain indicators. When an indicator rule matches, an alert is generated in Cortex XSIAM (the alert source is Threat Intelligence).

Prevention rules can only be created for the file (SHA256 and MD5) indicator type.

  1. Create a Restrictions Profile.

    1. Select Endpoints → Policy Management → Prevention → Profiles → Add Profile → Create New.

    2. Select one of the following platforms.

      • Windows

      • macOS

      • Linux

    3. Select Restrictions.

    4. From the Custom Indicator Prevention Rules section, in the Action Mode field, select Enabled.

      No custom prevention rules are listed yet. After you create the indicator rule, edit this profile and select that rule (step 3 below).

    5. Add the parameters as required. For more information, see Set up restrictions prevention profiles.

    6. Create the Profile.

  2. Create the Indicator Rule.

    1. Select Detection & Threat Intel → Threat Intel Management → Indicator Rules → Add Rule → Prevention Rule.

    2. From the Create New Prevention Rule wizard, in the General section, add the following parameters:

    3. Click Next.

    4. In the Target section, use the filters and/or select the file indicators to which to apply the rule.

      Note

      You can't change the Preventable = True, Status = Active and Type = File filters, which comply with the requirements of the supported indicator type for Prevention on the Agent.

    5. Click Next and then save the rule.

  3. Add the indicator rule to the Restrictions Profile.

    1. Go to Endpoints → Policy Management → Prevention → Profiles.

    2. Edit the Restrictions Profile you created in step 1.

    3. In the Custom Indicator Prevention Rules tab, select the indicator rule you created in step 2.

    4. Save the Profile.

Example 14. Create a prevention rule blocking indicators from a feed

In this example, create an indicator prevention rule that blocks file indicators from the Unit 42 Intel feed and generates an alert for each block.

Before you begin, create a Restrictions profile called JC-WIN-R-01 with the Custom Indicator Prevention Rules section set to Enabled.

  1. Create a prevention indicator rule and, in the General section, add the following parameters.

    Field                                                   Value
    Rule Name                                               JC-IR-Prevent-02
    Select Profiles For Prevention (To Block Their Files)   JC-WIN-R-01
    Severity                                                Medium
    Description                                             To raise prevention on IOCs from Unit 42 Intel Feed

  2. In the Target section, select the Feed = Unit 42 Intel filter. The fixed filters Preventable = True, Status = Active, and Type = File remain applied.

    (Screenshot: prevention-rule.png)

  3. In the Restrictions profile, add the indicator rule.

When a file matching a File indicator from Unit 42 Intel is found on an endpoint, the XDR Agent blocks it.

(Screenshot: indicator-rule-blocked.png)

An alert is generated in Cortex XSIAM. The Alert Source is XDR Agent, the severity is Medium, and the Action is Prevented (Blocked).

(Screenshot: indicator-rule-alert.png)

Note

The indicator rule shows the number of alerts it has generated. To view those alerts, right-click the rule and select View related alerts.


After you create a detection rule, Cortex XSIAM searches the data in your tenant for the indicators the rule selects and raises an alert when a match is found. Detection rules apply to the File, Domain, and IP Address indicator types.

  1. Select Detection & Threat Intel → Threat Intel Management → Indicator Rules → Add Rule → Detection Rule.

  2. From the Create New Detection Rule wizard, in the General section, add the following parameters:

  3. Click Next.

  4. In the Target section, use the filters and/or select the file, domain, or IP address indicators to which to apply the rule.

    Note

    You can't change the Detectable = True and Status = Active filters which comply with the requirements of the supported indicator type for detection.

  5. Click Next and then save the rule.

  6. If the indicator rule has generated alerts, right-click the rule and select View related alerts.

Example 15. Create a detection rule from feeds

In this example, create a detection rule that covers indicators from all feeds (for example, Unit 42 Intel, AzureRiskyUsers, and Mail-Sender) that have a malicious verdict.

  1. In the General section, add the following parameters.

    Field         Value
    Rule Name     JC-IR-Prevent-01
    Severity      Medium
    Description   To raise detection on all indicators uploaded from feeds with a malicious verdict.

  2. In the Target section, select Feed (Select All) and Verdict = Malicious.
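The following is an added example, not Cortex XSIAM code or part of the original page, that models in Python how the Target filters of the prevention rule in Example 14 and the detection rule in Example 15 select indicators from the TIM database, and how matches against endpoint telemetry become alerts. The fixed filters (Preventable = True, Status = Active, Type = File for prevention; Detectable = True, Status = Active for detection) and the alert source and action for prevention follow the procedures above. The Indicator and event records, the sample hash (computed from an inline byte string), the normalize() helper, and the "Detected" action label for detection alerts are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """One TIM indicator with the traits the Target filters refer to."""
    value: str
    type: str          # "File" (SHA256 or MD5), "IP", or "Domain"
    feed: str
    verdict: str       # "Malicious", "Suspicious", "Benign", ...
    status: str        # "Active" or "Expired"
    preventable: bool
    detectable: bool


@dataclass
class IndicatorRule:
    name: str
    mode: str          # "Prevention" or "Detection"
    severity: str
    target: dict       # filters chosen in the Target step, e.g. {"feed": "Unit 42 Intel"}

    def filters(self) -> dict:
        """Target filters merged with the fixed ones the wizard does not let you change."""
        fixed = ({"preventable": True, "status": "Active", "type": "File"}
                 if self.mode == "Prevention"
                 else {"detectable": True, "status": "Active"})
        return {**fixed, **self.target}

    def selects(self, ind: Indicator) -> bool:
        return all(getattr(ind, key) == want for key, want in self.filters().items())


def normalize(kind: str, value: str) -> str:
    # Assumed helper: hashes and domains are case-insensitive, so compare them
    # in one form; a mixed-case SHA256 or a trailing-dot FQDN still matches.
    value = value.strip()
    return value.lower().rstrip(".") if kind in ("File", "Domain") else value


def evaluate(rule: IndicatorRule, indicators, events) -> list:
    """Return one alert per event whose observable matches an indicator the rule selects."""
    selected = {(i.type, normalize(i.type, i.value)): i
                for i in indicators if rule.selects(i)}
    alerts = []
    for ev in events:
        hit = selected.get((ev["type"], normalize(ev["type"], ev["value"])))
        if hit is None:
            continue
        prevention = rule.mode == "Prevention"
        alerts.append({
            "rule": rule.name,
            "severity": rule.severity,
            "source": "XDR Agent" if prevention else "Threat Intelligence",
            # "Prevented (Blocked)" is the action the page shows; "Detected" is an assumed label.
            "action": "Prevented (Blocked)" if prevention else "Detected",
            "indicator": hit.value,
            "feed": hit.feed,
            "endpoint": ev["endpoint"],
        })
    return alerts


# Constructed sample data. The hash is computed from an inline byte string so it
# is a genuine SHA256 without copying a hash from any report.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample payload for this example").hexdigest()

INDICATORS = [
    Indicator(SAMPLE_SHA256, "File", "Unit 42 Intel", "Malicious", "Active", True, True),
    Indicator("a" * 32, "File", "Unit 42 Intel", "Benign", "Active", True, True),      # benign, same feed
    Indicator("b" * 64, "File", "Unit 42 Intel", "Malicious", "Expired", True, True),  # expired: never selected
    Indicator("malware.example", "Domain", "Mail-Sender", "Malicious", "Active", False, True),
    Indicator("192.0.2.10", "IP", "Unit 42 Intel", "Malicious", "Active", False, True),
]

EVENTS = [  # constructed telemetry: what the agent or server observed
    {"endpoint": "WKS-01", "type": "File", "value": SAMPLE_SHA256.upper()},
    {"endpoint": "WKS-01", "type": "File", "value": "a" * 32},
    {"endpoint": "WKS-02", "type": "File", "value": "b" * 64},
    {"endpoint": "WKS-02", "type": "Domain", "value": "MALWARE.example."},
    {"endpoint": "SRV-01", "type": "IP", "value": "192.0.2.10"},
]

# Example 14: prevention rule whose only Target filter is the feed.
PREVENT_RULE = IndicatorRule("JC-IR-Prevent-02", "Prevention", "Medium", {"feed": "Unit 42 Intel"})
# Example 15: detection rule over all feeds (no feed filter), restricted to a Malicious verdict.
DETECT_RULE = IndicatorRule("JC-IR-Prevent-01", "Detection", "Medium", {"verdict": "Malicious"})

if __name__ == "__main__":
    for rule in (PREVENT_RULE, DETECT_RULE):
        for a in evaluate(rule, INDICATORS, EVENTS):
            print(f'{a["rule"]}: {a["action"]} {a["indicator"]} [{a["feed"]}] on {a["endpoint"]}')
```

Two things the run makes visible. The prevention rule of Example 14 filters on Feed only, so every active, preventable file indicator from that feed is blocked regardless of verdict, including the benign sample; if that is not the intent, add Verdict = Malicious in the Target step as Example 15 does. The domain and IP indicators are never selected by the prevention rule because Type = File is fixed, but the detection rule picks them up, and the expired indicator fires nowhere because Status = Active is fixed for both rule kinds.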