Generate alerts from indicators using indicator rules for prevention and detection - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Threat intel management

Product
Cortex XSIAM
Creation date
2023-07-30
Last date published
2024-04-15
Category
Threat Intel Management Guide
Abstract

Create detection and prevention rules using threat intelligence as a source.

Indicator rules allow you to utilize indicators in the system for detection and prevention. These rules allow you to select indicators or indicator traits to be detected by the server and prevented by the endpoint. Indicator rules marked for detection and prevention generate alerts that you can then track and investigate.

Note

Indicators should be present in the TIM database (Detection & Threat Intel → Threat Intel Management → Indicators) before creating detection and prevention rules.

Indicator rules can be used for the following:

  • Real-time prevention on the agent

    Create an indicator rule for a Restrictions profile on the agent, using filters applied to file (SHA256 and MD5) indicators. A Restrictions profile limits the locations from which executables can run on an endpoint. When the Cortex XDR agent detects behavior that matches a rule defined in your profile, it applies the security profile that is attached to the rule for further inspection. An alert is then generated in Cortex XSIAM (the alert source is XDR Agent). For more information about the Restrictions profile, see Set up Restrictions Security Profiles.

  • Server-side detection

    Create rules based on filters that are applied to file (SHA256, MD5), IP address, and domain indicators. If an indicator rule matches, an alert is generated in Cortex XSIAM (the alert source is Threat Intelligence).

Prevention rules can only be created for the File (SHA256 and MD5) indicator type, and they take effect only after you add the rule to a Restrictions profile.

  1. Create a Restrictions Profile.

    1. Select Endpoints → Policy Management → Prevention → Profiles → Add Profile → Create New.

    2. Select one of the following Platforms.

      • Windows

      • MacOS

      • Linux

    3. Select Restrictions.

    4. From the Custom Indicator Prevention Rules section, in the Action Mode field, select Enabled.

      You will see that there are no custom prevention rules defined. After you create an indicator rule you will need to edit this profile and select the indicator rule.

    5. Add the parameters as required. For more information, see Set up Restrictions Security Profiles.

    6. Create the Profile.

  2. Create the Indicator Rule.

    1. Select Detection & Threat Intel → Threat Intel Management → Indicator Rules → Add Rule → Prevention Rule.

    2. From the Create New Prevention Rule wizard, in the General section, add the following parameters: the Rule Name, the Restrictions profiles for which to block the matching files (Select Profiles For Prevention), the Severity of the alerts the rule generates, and an optional Description.

    3. Click Next.

    4. In the Target section, use the filters and/or select the file indicators to which to apply the rule.

      Note

      You can't change the Preventable = True, Status = Active and Type = File filters, which comply with the requirements of the supported indicator type for Prevention on the Agent.

    5. Click Next and then save the rule.

  3. Add the indicator rule to the Restrictions Profile.

    1. Go to Endpoints → Policy Management → Prevention → Profiles.

    2. Edit the Restrictions Profile you created in step 1.

    3. In the Custom Indicator Prevention Rules tab, select the indicator rule you created in step 2.

    4. Save the Profile.

Example 1. Create a prevention rule blocking indicators from a feed

In this example, create an Indicator Prevention rule, which blocks file indicators using the Unit 42 Intel Feed and then generates an alert.

Before you begin, create a Restrictions Profile called JC-WIN-R-01, with the Custom Indicator Prevention Rules section set to Enabled.

  1. Create a Prevention Indicator Rule and in the General section, add the following parameters.

    Rule Name: JC-IR-Prevent-02

    Select Profiles For Prevention (To Block Their Files): JC-WIN-R-01

    Severity: Medium

    Description: To raise prevention on IOCs from Unit 42 Intel Feed

  2. In the Target Section, select the Feed=Unit 42 Intel filter.

  3. In the Restrictions Profile, add the indicator rule.

When a file matching a File indicator from Unit 42 Intel is found on the endpoint, the XDR Agent blocks it.


An alert is generated in Cortex XSIAM. The Alert Source is XDR Agent, the severity is Medium, and the Action is Prevented (Blocked).


Note

The Indicator Rules table shows the number of alerts generated by each rule. To view the alerts that a rule generated, right-click the rule and select View related alerts.


After you create a detection rule, Cortex XSIAM searches for the targeted indicators in your tenant and raises an alert if a match is detected. Detection rules apply to the File, Domain, and IP Address indicator types and do not require a Restrictions profile.

  1. Select Detection & Threat Intel → Threat Intel Management → Indicator Rules → Add Rule → Detection Rule.

  2. From the Create New Detection Rule wizard, in the General section, add the following parameters: the Rule Name, the Severity of the alerts the rule generates, and an optional Description.

  3. Click Next.

  4. In the Target section, use the filters and/or select the indicators (File, Domain, or IP Address) to which to apply the rule.

    Note

    You can't change the Detectable = True and Status = Active filters which comply with the requirements of the supported indicator type for detection.

  5. Click Next and then save the rule.

  6. If the indicator rule has generated alerts, right-click the rule and select View related alerts.

Example 2. Create a detection rule from feeds

In this example, create a detection rule that applies to indicators from all feeds (for example, Unit 42 Intel, AzureRiskyUsers, and Mail-Sender) that have a Malicious verdict.

  1. In the General section, add the following parameters.

    Rule Name: JC-IR-Prevent-01

    Severity: Medium

    Description: To raise detection on all indicators uploaded from feeds with a malicious verdict.

  2. In the Target Section, select Feed (Select All) and Verdict = Malicious.

  3. Click Next and then save the rule. A detection rule runs server-side, so it is not added to a Restrictions Profile.

When an indicator with a Malicious verdict from any of the feeds is found, an alert is generated. The Alert Source is Threat Intelligence, the severity is Medium, and the Action is Detected.



The Indicator Rules page displays the following fields for each rule:

Rule ID: Unique identifier for the rule.

Creation Date: Timestamp of when the rule was created.

Modification Date: Timestamp of when the rule was last edited.

Name: Name of the rule.

Type: Whether the rule is a Prevention or a Detection rule.

Target: File hash (SHA256 or MD5), IP address, or domain value, or the indicator filters, associated with the rule.

Severity: Severity assigned to alerts generated by the rule.

# of alerts: Number of alerts generated by the rule.

Created by: Email address of the user who created the rule.

Description: Optional description associated with the rule.

Status: Whether the rule is Enabled or Disabled.

Used in profiles: Cortex XDR agent Restrictions Profiles to which the rule is attached (Prevention rules only).

Note

If an indicator matches multiple indicator rules, the rule with the highest severity is used. If all matching rules have the same severity, the rule that was created first is used.
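The following Python model, added here as an illustration and not part of the Cortex XSIAM product or this guide, shows how the fixed wizard filters (Preventable/Detectable, Status = Active, Type = File for prevention), the Target filters from Examples 1 and 2 (Feed = Unit 42 Intel; Feed = Select All with Verdict = Malicious), the requirement that a prevention rule be attached to a Restrictions profile, and the precedence rule in the note above combine to decide which rule fires and what alert results. Field names, the sample indicators and hashes, the extra rules beyond the two examples, and the choice to resolve precedence separately for prevention (agent) and detection (server) rules are all assumptions made for the example.

```python
"""Constructed model of Cortex XSIAM indicator-rule matching and precedence.
Illustrative code written for this page, not product code; the field names
are assumptions, not the XSIAM schema."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    value: str
    type: str            # "File", "IP Address" or "Domain"
    status: str          # "Active" or "Expired"
    verdict: str         # "Malicious", "Suspicious", "Benign" or "Unknown"
    feeds: tuple         # feeds the indicator was ingested from
    preventable: bool    # only file hashes (SHA256/MD5) can be blocked by the agent
    detectable: bool


@dataclass(frozen=True)
class IndicatorRule:
    name: str
    kind: str            # "Prevention" or "Detection"
    severity: str        # "Low", "Medium", "High" or "Critical"
    created: date
    target: dict         # filters chosen in the wizard's Target section
    profiles: tuple = () # Restrictions profiles the rule is attached to (Prevention only)


SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def fixed_filters_match(rule, ind):
    """Filters the wizard does not let you change (see the Target notes above)."""
    if ind.status != "Active":
        return False
    if rule.kind == "Prevention":
        return ind.preventable and ind.type == "File"
    return ind.detectable


def target_matches(target, ind):
    """User-chosen Target filters. A missing key means 'Select All' for that field."""
    feeds = target.get("feed")
    if feeds is not None and not (set(ind.feeds) & set(feeds)):
        return False
    if "verdict" in target and ind.verdict not in target["verdict"]:
        return False
    if "type" in target and ind.type not in target["type"]:
        return False
    return True


def rule_matches(rule, ind):
    return fixed_filters_match(rule, ind) and target_matches(rule.target, ind)


def effective_rule(rules, ind, kind):
    """Highest severity wins; on a tie the rule created first wins.
    Assumption: precedence is resolved separately for Prevention rules (enforced
    by the agent) and Detection rules (evaluated server-side)."""
    matching = [r for r in rules if r.kind == kind and rule_matches(r, ind)]
    if kind == "Prevention":
        # A prevention rule not added to any Restrictions profile is never enforced.
        matching = [r for r in matching if r.profiles]
    if not matching:
        return None
    return min(matching, key=lambda r: (-SEVERITY_RANK[r.severity], r.created))


def alerts_for(rules, indicators):
    """Produce the alerts the guide describes for each rule type."""
    alerts = []
    for ind in indicators:
        prev = effective_rule(rules, ind, "Prevention")
        if prev is not None:
            alerts.append({"indicator": ind.value, "rule": prev.name, "source": "XDR Agent",
                           "severity": prev.severity, "action": "Prevented (Blocked)"})
        det = effective_rule(rules, ind, "Detection")
        if det is not None:
            alerts.append({"indicator": ind.value, "rule": det.name, "source": "Threat Intelligence",
                           "severity": det.severity, "action": "Detected"})
    return alerts


# Constructed sample data; the hashes are placeholders, not real IOCs.
SAMPLE_INDICATORS = (
    Indicator("a" * 64, "File", "Active", "Malicious", ("Unit 42 Intel",), True, True),
    Indicator("b" * 32, "File", "Active", "Suspicious", ("Mail-Sender",), True, True),
    Indicator("203.0.113.7", "IP Address", "Active", "Malicious", ("AzureRiskyUsers",), False, True),
    Indicator("expired.example", "Domain", "Expired", "Malicious", ("Unit 42 Intel",), False, True),
)

SAMPLE_RULES = (
    # Example 1: block Unit 42 Intel file indicators through profile JC-WIN-R-01.
    IndicatorRule("JC-IR-Prevent-02", "Prevention", "Medium", date(2023, 7, 30),
                  {"feed": ("Unit 42 Intel",)}, profiles=("JC-WIN-R-01",)),
    # Example 2: detect any Malicious-verdict indicator from all feeds.
    IndicatorRule("JC-IR-Prevent-01", "Detection", "Medium", date(2023, 7, 31),
                  {"verdict": ("Malicious",)}),
    # Hypothetical extra rules (assumed names) that exercise the precedence note.
    IndicatorRule("JC-IR-Detect-IP-High", "Detection", "High", date(2023, 8, 5),
                  {"type": ("IP Address",), "verdict": ("Malicious",)}),
    IndicatorRule("JC-IR-Detect-U42", "Detection", "Medium", date(2023, 7, 29),
                  {"feed": ("Unit 42 Intel",)}),
    # Prevention rule never added to a Restrictions profile: it matches but is not enforced.
    IndicatorRule("JC-IR-Prevent-Orphan", "Prevention", "High", date(2023, 8, 1),
                  {"feed": ("Unit 42 Intel",)}),
)

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_RULES, SAMPLE_INDICATORS):
        print(alert)
```

Running the sample yields three alerts: the Unit 42 file hash is blocked by JC-IR-Prevent-02 (the higher-severity orphan rule is ignored because it is in no profile) and detected by JC-IR-Detect-U42, which beats JC-IR-Prevent-01 on the tie-break because it was created first; the IP address is detected by the High rule; the Suspicious Mail-Sender hash and the Expired domain match nothing.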

In the Indicator Rules table, right-click a rule to perform actions, including the following:

View related alerts: View the alerts generated by the rule.

Disable/Enable: Depending on the current status, disable or enable the rule.

Edit Rule: Modify the rule.

Save as new: Create a new rule using the current rule's configuration.

Delete: Delete the rule.