<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Verify default policy and custom on Cortex XDR in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/verify-default-policy-and-custom-on-cortex-xdr/m-p/1235239#M8615</link>
    <description>&lt;P&gt;Dear Support,&lt;BR /&gt;&lt;BR /&gt;I would like to open a case to verify and confirm the tasks below:&lt;/P&gt;
&lt;P&gt;+ Currently we use the default rule in the Cortex Prevention Policy Rules for a customer who has just enabled it in protection mode, but the customer is concerned that it is not the best-practice recommendation and has requested that we review all those settings again.&lt;/P&gt;
&lt;P&gt;+ IOC Rules – Ensure indicators of compromise are correctly configured and triggered, and confirm whether the IOC rule can be integrated with third parties.&lt;BR /&gt;+ BIOC – Validate behavioral indicators of compromise for accuracy and relevance.&lt;BR /&gt;+ Host Firewall – Check host-based firewall configurations and policies. (we got this point)&lt;BR /&gt;+ Dashboard Customization – Review and confirm that dashboards are tailored to operational needs.&lt;/P&gt;
&lt;P&gt;So I need to open a case and arrange a session to confirm with the customer together.&lt;/P&gt;</description>
    <pubDate>Sat, 02 Aug 2025 06:14:54 GMT</pubDate>
    <dc:creator>CChan50</dc:creator>
    <dc:date>2025-08-02T06:14:54Z</dc:date>
    <item>
      <title>Verify default policy and custom on Cortex XDR</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/verify-default-policy-and-custom-on-cortex-xdr/m-p/1235239#M8615</link>
      <description>&lt;P&gt;Dear Support,&lt;BR /&gt;&lt;BR /&gt;I would like to open a case to verify and confirm the tasks below:&lt;/P&gt;
&lt;P&gt;+ Currently we use the default rule in the Cortex Prevention Policy Rules for a customer who has just enabled it in protection mode, but the customer is concerned that it is not the best-practice recommendation and has requested that we review all those settings again.&lt;/P&gt;
&lt;P&gt;+ IOC Rules – Ensure indicators of compromise are correctly configured and triggered, and confirm whether the IOC rule can be integrated with third parties.&lt;BR /&gt;+ BIOC – Validate behavioral indicators of compromise for accuracy and relevance.&lt;BR /&gt;+ Host Firewall – Check host-based firewall configurations and policies. (we got this point)&lt;BR /&gt;+ Dashboard Customization – Review and confirm that dashboards are tailored to operational needs.&lt;/P&gt;
&lt;P&gt;So I need to open a case and arrange a session to confirm with the customer together.&lt;/P&gt;</description>
      <pubDate>Sat, 02 Aug 2025 06:14:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/verify-default-policy-and-custom-on-cortex-xdr/m-p/1235239#M8615</guid>
      <dc:creator>CChan50</dc:creator>
      <dc:date>2025-08-02T06:14:54Z</dc:date>
    </item>
    <item>
      <title>Re: Verify default policy and custom on Cortex XDR</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/verify-default-policy-and-custom-on-cortex-xdr/m-p/1235250#M8616</link>
      <description>&lt;P&gt;The default ruleset is a starting point, but it's often not the most optimized for their specific environment. You should review the following with your customer:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;
&lt;P&gt;Customization: The default rules are broad. The goal is to create more granular policies for specific groups of endpoints. For example, a development server might have different security needs than an employee's laptop.&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;You can work with your customer to create custom profiles that apply to specific endpoint groups, ensuring a balance between strong security and business functionality.&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;Continuous Improvement: Prevention policies are not a one-time setup. They should be reviewed and fine-tuned regularly based on new threats and changes in the customer's environment.&lt;/P&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;IOC and BIOC Rules&lt;/H3&gt;
&lt;P&gt;This is a critical area for both detection and integration. You should cover these points with your customer:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;
&lt;P&gt;IOCs (Indicators of Compromise): You can confirm that IOCs are correctly configured and triggered by showing them how to view and manage IOC rules within the Cortex XDR console. You can also show how IOCs are automatically created from threat intelligence feeds. Cortex XDR can integrate with third-party threat intelligence platforms like Cortex XSOAR to ingest IOCs, which allows for a more comprehensive defense.&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;&lt;SPAN class="citation-7"&gt;BIOCs (Behavioral Indicators of Compromise):&lt;/SPAN&gt;&lt;SPAN class="citation-7 citation-end-7"&gt; These are custom detection rules that use the Cortex Query Language (XQL).&lt;/SPAN&gt; You should validate with the customer that their BIOCs are accurate and relevant by reviewing the queries. &lt;SPAN class="citation-6 citation-end-6"&gt;BIOCs are powerful because they detect behaviors rather than just static indicators, which is crucial for catching sophisticated attacks.&lt;/SPAN&gt;&lt;/P&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;Host Firewall and Dashboard Customization&lt;/H3&gt;
&lt;P&gt;&lt;SPAN class="citation-5"&gt;Host Firewall:&lt;/SPAN&gt;&lt;SPAN class="citation-5"&gt; Cortex XDR's host firewall allows you to &lt;/SPAN&gt;&lt;SPAN class="citation-5"&gt;control inbound and outbound communications&lt;/SPAN&gt;&lt;SPAN class="citation-5 citation-end-5"&gt; on Windows and macOS endpoints.&lt;/SPAN&gt; You can demonstrate how to create and manage host firewall policies and apply them to different endpoint groups. This centralizes control and ensures consistent security across all managed devices.&lt;/P&gt;
&lt;P&gt;Dashboard: Customization: You can show the customer how to tailor dashboards to their operational needs. &lt;SPAN class="citation-4 citation-end-4"&gt;Cortex XDR allows users to create custom dashboards and widgets to display the most relevant information for their security team.&lt;/SPAN&gt; This helps them prioritize and investigate incidents more efficiently by providing a clear, focused view of their environment.&lt;/P&gt;
&lt;H3&gt;Next Steps&lt;/H3&gt;
&lt;P&gt;I recommend you create a case with the customer and schedule a follow-up session. In this session, you can walk through the Cortex XDR console together and address each of their concerns point by point. This hands-on approach will build confidence and ensure the customer's environment is configured for maximum protection.&lt;/P&gt;</description>
      <pubDate>Sun, 03 Aug 2025 17:10:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/verify-default-policy-and-custom-on-cortex-xdr/m-p/1235250#M8616</guid>
      <dc:creator>Mudhireddy</dc:creator>
      <dc:date>2025-08-03T17:10:47Z</dc:date>
    </item>
  </channel>
</rss>