Create detection and prevention rules using threat intelligence as a source.
Indicator rules allow you to use the indicators stored in the system for detection and prevention. A rule selects indicators, or indicator traits, that are detected by the server and prevented on the endpoint. Indicator rules marked for detection and prevention generate alerts that you can then track and investigate.
Note
Indicators should be present in the TIM database before creating detection and prevention rules.
Indicator rules can be used for the following:
Real-time prevention on the agent
Create an indicator rule for a Restrictions profile on the Agent using filters applied on file (SHA256 and MD5) indicators. A Restrictions profile limits the locations from which executables can run on an endpoint. When the Cortex XDR agent detects behavior that matches a rule defined in your profile, the Cortex XDR agent applies the security profile that is attached to the rule for further inspection. An alert is then generated in Cortex XSIAM (source is XDR Agent). For more information about the Restrictions profile, see Set up Restrictions Security Profiles.
Server-side detection
Create rules based on filters that are applied to a file (SHA256, MD5), an IP address, or a domain. If an indicator rule matches, an alert is generated in Cortex XSIAM (source is Threat Intelligence).
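The following is an added illustration of how the two rule kinds above behave, written for this page rather than taken from Cortex XSIAM or its documentation. It models a small indicator store, rules that filter on indicator type and verdict, and an evaluator that raises an alert with the source "XDR Agent" for prevention rules and "Threat Intelligence" for server-side detection rules. The class names, the rule fields, the event field names and all indicator values are constructed assumptions; the one product-derived constraint is that prevention rules accept only file (SHA256/MD5) indicators.

```python
"""Toy indicator-rule evaluator (added example, not Cortex XSIAM code).

Models the split described on the page: file-hash rules can be enforced on
the agent (prevention), while file, IP and domain rules are evaluated
server-side (detection). Names and data below are constructed assumptions.
"""
from dataclasses import dataclass

# Indicator types a rule filter can select (labels follow the page's wording).
FILE_TYPES = {"SHA256", "MD5"}        # usable for prevention and detection
NETWORK_TYPES = {"IP", "Domain"}      # detection only (server side)

# Assumed event schema: which event field carries each indicator type.
EVENT_FIELDS = {"SHA256": "sha256", "MD5": "md5", "IP": "dst_ip", "Domain": "domain"}


@dataclass(frozen=True)
class Indicator:
    kind: str       # one of FILE_TYPES | NETWORK_TYPES
    value: str
    verdict: str    # indicator trait used as a filter, e.g. "Malicious"


@dataclass
class IndicatorRule:
    name: str
    kinds: set       # indicator types the rule filter selects
    verdicts: set    # only indicators with one of these verdicts match
    prevent: bool    # True = enforced on the agent, False = server-side detection

    def __post_init__(self):
        unknown = self.kinds - (FILE_TYPES | NETWORK_TYPES)
        if unknown:
            raise ValueError(f"unknown indicator type(s): {sorted(unknown)}")
        # Prevention is only offered for file-hash indicators on the agent.
        if self.prevent and self.kinds - FILE_TYPES:
            raise ValueError("prevention rules may only use SHA256/MD5 indicators")


def normalize(kind, value):
    """Case-fold hashes/domains and drop a trailing dot on FQDNs."""
    v = value.strip().lower()
    return v.rstrip(".") if kind == "Domain" else v


def build_index(indicators):
    """Map (kind, normalized value) -> Indicator for constant-time lookups."""
    return {(i.kind, normalize(i.kind, i.value)): i for i in indicators}


def evaluate(rules, index, events):
    """Return one alert per (event, rule, indicator type) match."""
    alerts = []
    for ev in events:
        for rule in rules:
            for kind in sorted(rule.kinds):
                raw = ev.get(EVENT_FIELDS[kind])
                if not raw:
                    continue
                ind = index.get((kind, normalize(kind, raw)))
                if ind is None or ind.verdict not in rule.verdicts:
                    continue
                alerts.append({
                    "rule": rule.name,
                    "host": ev["host"],
                    "indicator": f"{kind}:{ind.value}",
                    "action": "prevent" if rule.prevent else "detect",
                    "source": "XDR Agent" if rule.prevent else "Threat Intelligence",
                })
    return alerts


def run_demo():
    # Constructed indicator store (stand-in for the TIM database).
    indicators = [
        Indicator("SHA256", "ab" * 32, "Malicious"),
        Indicator("SHA256", "cd" * 32, "Benign"),
        Indicator("IP", "198.51.100.7", "Suspicious"),
        Indicator("Domain", "bad.example.net", "Malicious"),
    ]
    rules = [
        IndicatorRule("Block known-malicious files", {"SHA256", "MD5"}, {"Malicious"}, True),
        IndicatorRule("Detect TI network indicators", {"IP", "Domain"},
                      {"Malicious", "Suspicious"}, False),
    ]
    # Constructed endpoint/network events.
    events = [
        {"host": "ws-01", "sha256": ("AB" * 32)},            # malicious hash -> prevent
        {"host": "ws-02", "dst_ip": "198.51.100.7"},          # suspicious IP -> detect
        {"host": "ws-03", "domain": "Bad.Example.NET."},      # normalizes, matches -> detect
        {"host": "ws-04", "sha256": ("cd" * 32)},             # benign verdict -> no alert
        {"host": "ws-05", "md5": "0" * 32},                   # unknown hash -> no alert
    ]
    return evaluate(rules, build_index(indicators), events)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The verdict filter stands in for the "indicator traits" the page mentions; in practice a rule would select on whatever traits the indicator store exposes, and the normalization step matters because hashes and domains arrive in mixed case and with trailing dots while the store holds one canonical form.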