IOC rule details - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-13
Category
Administrator Guide
Abstract

Manage all indicators of compromise (IOCs) configured from or uploaded to Cortex XSIAM.

On the Rules → IOC page you can view all indicators of compromise (IOCs) that were configured in or uploaded to Cortex XSIAM. Filtering the IOC rules table by one or more fields shows how many IOC rules match the filter. You can also manage or clone existing rules.

The following table describes the fields available for each IOC rule, in alphabetical order.

Field

Description

# OF ALERTS

The number of alerts triggered by this indicator.

CLASS

The IOC's class. For example, 'Malware'.

Note

Field cannot exceed 36 characters.

COMMENT

Free-form comments specified when the IOC was created or modified.

EXPIRATION DATE

The date and time at which the IOC will be removed automatically.

INDICATOR

The indicator value itself. For example, if the indicator type is Destination IP, this is an IP address such as 1.1.1.1.

INSERTION DATE

Date and time when the IOC was created.

MODIFICATION DATE

Date and time when the IOC was last modified.

RELIABILITY

Indicator's reliability level:

  • A - Completely Reliable

  • B - Usually Reliable

  • C - Fairly Reliable

  • D - Not Usually Reliable

  • E - Unreliable

REPUTATION

Indicator's reputation level. One of Unknown, Good, Bad, or Suspicious.

RULE ID

Unique identifier of the rule.

SEVERITY

IOC severity that was defined when the IOC was created.

SOURCE

The user who created this IOC, the name of the file from which it was created, or one of the following keywords:

  • Public API—the indicator was uploaded using the Insert Simple Indicators, CSV or Insert Simple Indicators, JSON REST APIs.

  • XSOAR TIM—the indicator was retrieved from XSOAR.

STATUS

Enabled or Disabled.

TYPE

Indicator type: one of Full path, File name, Host name, Destination IP, or MD5 hash.

VENDORS

A list of threat intelligence vendors from which this IOC was obtained.
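The table above fixes several constraints that an upload must satisfy before a rule appears here: CLASS is limited to 36 characters, RELIABILITY is one of A to E, REPUTATION is one of Unknown, Good, Bad or Suspicious, TYPE is one of the five listed indicator types, and EXPIRATION DATE is a point in time after which the rule is removed. The script below is an added example, not Cortex XSIAM code: it validates a constructed CSV of indicators against those constraints and builds the body of an Insert Simple Indicators, JSON request, the Public API route named under SOURCE. The request-body layout (a top-level "request_data" list whose entries carry indicator, type, severity, expiration_date, comment, reputation, reliability and class), the API enum spellings (PATH, FILENAME, DOMAIN_NAME, IP, HASH; INFO to CRITICAL), and the use of epoch milliseconds for expiration_date are assumptions about the Cortex XDR/XSIAM public API and should be checked against the API reference; the MD5 value in the sample is a placeholder, not a real indicator.

```python
"""Validate IOC rows against the field constraints on this page and build an
'Insert Simple Indicators, JSON' request body. Added example, not XSIAM code;
API field names and enums below are assumptions (see the lead-in)."""
import csv
import io
import json
import re
from datetime import datetime, timezone

# Display names from the TYPE row of this page -> API enum (assumed mapping).
TYPE_MAP = {
    "Full path": "PATH",
    "File name": "FILENAME",
    "Host name": "DOMAIN_NAME",
    "Destination IP": "IP",
    "MD5 hash": "HASH",
}
SEVERITIES = {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}  # assumed API enum
REPUTATIONS = {"UNKNOWN", "GOOD", "BAD", "SUSPICIOUS"}      # REPUTATION row
RELIABILITIES = set("ABCDE")                                 # RELIABILITY row
CLASS_MAX_LEN = 36                                           # CLASS note
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(rf"^{OCTET}(?:\.{OCTET}){{3}}$")

# Constructed sample input; the hash is a placeholder, not a real sample.
SAMPLE_CSV = """\
indicator,type,severity,expiration_date,comment,reputation,reliability,class
1.1.1.1,Destination IP,HIGH,2025-01-31T00:00:00Z,callback seen in proxy logs,BAD,B,Malware
0123456789abcdef0123456789abcdef,MD5 hash,MEDIUM,,dropper from sandbox run,SUSPICIOUS,C,Malware
not-a-hash,MD5 hash,LOW,,bad row,BAD,Z,ThisClassNameIsFarTooLongToBeAcceptedHere
"""


def to_epoch_ms(iso_ts: str) -> int:
    """ISO 8601 timestamp -> epoch milliseconds (the unit the API expects; assumed)."""
    ts = datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # treat naive timestamps as UTC
    return int(ts.timestamp() * 1000)


def validate_record(row: dict) -> dict:
    """Return one API-shaped indicator entry, or raise ValueError listing every problem."""
    errors = []
    api_type = TYPE_MAP.get(row.get("type", "").strip())
    if api_type is None:
        errors.append(f"unsupported type {row.get('type')!r}")
    indicator = row.get("indicator", "").strip()
    if not indicator:
        errors.append("empty indicator")
    elif api_type == "HASH" and not MD5_RE.match(indicator):
        errors.append("MD5 hash must be 32 hex characters")
    elif api_type == "IP" and not IPV4_RE.match(indicator):
        errors.append("destination IP must be a dotted-quad IPv4 address")
    severity = row.get("severity", "").strip().upper()
    if severity not in SEVERITIES:
        errors.append(f"severity {severity!r} not in {sorted(SEVERITIES)}")
    reputation = row.get("reputation", "").strip().upper() or "UNKNOWN"
    if reputation not in REPUTATIONS:
        errors.append(f"reputation {reputation!r} not in {sorted(REPUTATIONS)}")
    reliability = row.get("reliability", "").strip().upper()
    if reliability not in RELIABILITIES:
        errors.append(f"reliability {reliability!r} must be one of A-E")
    ioc_class = row.get("class", "").strip()
    if len(ioc_class) > CLASS_MAX_LEN:
        errors.append(f"class is {len(ioc_class)} chars, limit is {CLASS_MAX_LEN}")
    entry = {
        "indicator": indicator,
        "type": api_type,
        "severity": severity,
        "reputation": reputation,
        "reliability": reliability,
        "comment": row.get("comment", "").strip(),
    }
    if ioc_class:
        entry["class"] = ioc_class
    expiration = row.get("expiration_date", "").strip()
    if expiration:  # empty -> key omitted, i.e. no automatic removal (assumed API default)
        try:
            entry["expiration_date"] = to_epoch_ms(expiration)
        except ValueError:
            errors.append(f"expiration_date {expiration!r} is not ISO 8601")
    if errors:
        raise ValueError("; ".join(errors))
    return entry


def build_request(csv_text: str):
    """Split a CSV into (request body, rejected-row messages); rejected rows are not uploaded."""
    accepted, rejected = [], []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        try:
            accepted.append(validate_record(row))
        except ValueError as exc:
            rejected.append(f"line {line_no}: {exc}")
    return {"request_data": accepted}, rejected


if __name__ == "__main__":
    body, bad = build_request(SAMPLE_CSV)
    print(json.dumps(body, indent=2))
    for msg in bad:
        print("rejected", msg)
```

Rows that fail any check are reported with their CSV line number and left out of the body, so a single malformed line does not block the rest of the batch; the rejected messages list every violated constraint for the row so the analyst can fix the source file in one pass. Only the body is built here; sending it still requires the API key and key ID headers described in the API reference.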