Indicators of compromise (IOCs) alert you about known malicious objects on your endpoints.
Indicators of compromise (IOCs) enable Cortex XSIAM to trigger alerts about known malicious objects on endpoints across the organization. You can load collections of IOCs from threat-intelligence sources into the Cortex XSIAM app or define them individually.
Note
Cortex XSIAM supports a maximum of 4,000,000 IOCs.
You can define the following types of IOCs:
Full path
File name
Domain
Destination IP address
MD5 hash
SHA256 hash
After you load or define IOCs, the tenant checks for matches in the xdr_data dataset that contains all the information collected about the endpoints and the network. The app looks for IOC matches in all data collected in the past and continues to evaluate any new data it receives in the future.
Alerts for IOCs are identified by the source type of the IOC.