06-14-2023 01:02 AM
Dear Palo Alto Community,
I hope this message finds you well. As an active member of the community, I would like to reach out and seek your expertise regarding the capabilities of Cortex XDR, specifically in relation to the integration of URL Indicators of Compromise (IOCs).
Recently, our organization has been exploring ways to enhance our threat detection and response capabilities, and we are particularly interested in incorporating URL IOCs into our security framework. We believe that such integration can significantly bolster our defenses against malicious online activities.
To this end, we would greatly appreciate insights from the community regarding the following:
Your valuable knowledge and experience will assist us in making informed decisions and optimizing the effectiveness of our security infrastructure. We are eager to leverage the collective wisdom of the Palo Alto Community and tap into your diverse perspectives.
Please feel free to share any relevant information, tips, or insights based on your experiences with Cortex XDR and URL IOC integration. We are open to suggestions, recommendations, or even success stories that highlight the value of this capability.
We extend our sincerest gratitude in advance for your contributions to this discussion. Together, let's continue to foster a strong and secure community.
Best regards,
06-14-2023 09:38 AM
Hi AyedAbukhass,
Unfortunately, IOCs only support domains, not complete URIs for detection.
06-14-2023 02:00 AM
Hello @AyedAbukhass ,
Thanks for reaching out on LiveCommunity.
Please find below answers to your questions.
1. Yes, XDR allows you to create IOCs of different types like domain, destination IP, file path, file name, hash, etc.
2. Please follow the guide below to create IOCs.
3. Cortex XDR supports a maximum of 4,000,000 IOCs. Additional important information can also be found in the reference guide above.
06-14-2023 02:39 AM
Hello @nsinghvirk,
Thank you for providing the answers and the reference guide on IOC creation in Cortex XDR. I appreciate your assistance.
To clarify, the desired URL IOC format would be: https://(IP or Domain)/URI, where the IP or Domain represents the specific IP address or domain associated with the URL, and the URI represents the specific path or resource within the URL.
If there are any additional resources or specific guidance available on how to add URL IOCs in Cortex XDR, I would greatly appreciate it. I believe that incorporating URL-based indicators will provide valuable insights and further fortify our security measures.
Thank you once again for your prompt response and for any further information you can provide on integrating URL IOCs within Cortex XDR.
Best regards,
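Since the replies above state that Cortex XDR indicators cover domains and destination IPs but not full URIs, a URL feed in the https://(IP or Domain)/URI form the poster describes has to be reduced to its host part before it can be loaded as an IOC. The script below is an added example written for this thread, not Palo Alto Networks code: it refangs common report notation, parses each URL, keeps only the host, classifies it as a domain or a destination IP (the type names are taken from the thread's wording and are not the documented import values), deduplicates, and emits rows in an assumed (indicator, type, comment) layout. The sample feed is constructed from documentation example hosts.

```python
"""Reduce URL indicators to host-level IOCs that Cortex XDR can ingest.

Added example for this thread, not Palo Alto Networks code.  The thread
states that XDR IOCs support domains (and destination IPs, hashes, file
paths and file names) but not full URIs, so a URL IOC feed has to be
reduced to its host component first.  The row layout produced here is an
assumption for illustration; confirm the real import format against the
Cortex XDR IOC documentation before loading anything.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample feed (documentation example hosts, not real IoCs),
# shaped like the https://(IP or Domain)/URI list the poster describes.
SAMPLE_URL_IOCS = [
    "https://malware.example.com/payload/update.exe",
    "http://malware.example.com/login.php?id=1",       # same host, new path
    "https://198.51.100.23:8443/c2/beacon",            # IP with port
    "hxxp://phish.example.net/office365/",             # defanged notation
    "https://MALWARE.example.com/other",               # case differs only
    "not a url",                                       # junk line in feed
]


def refang(value):
    """Undo the defanging commonly used in reports so the parser can read it."""
    return (value.strip()
            .replace("hxxp://", "http://")
            .replace("hxxps://", "https://")
            .replace("[.]", ".")
            .replace("[:]", ":"))


def url_to_indicator(url):
    """Return (indicator_type, host) for one URL IOC, or None if unusable.

    indicator_type is 'domain' or 'destination_ip' (labels assumed from the
    thread's wording).  Scheme, port, path and query are discarded because
    the thread says XDR does not match on the URI part.
    """
    parts = urlsplit(refang(url))
    host = parts.hostname  # lower-cased, port and IPv6 brackets stripped
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return ("destination_ip", host)
    except ValueError:
        return ("domain", host)


def build_ioc_rows(urls, comment="derived from URL IOC feed"):
    """Deduplicate host indicators and return rows as (indicator, type, comment).

    The column order is an assumption for this example, not the documented
    XDR CSV layout.
    """
    seen = set()
    rows = []
    for url in urls:
        result = url_to_indicator(url)
        if result is None or result in seen:
            continue
        seen.add(result)
        ioc_type, host = result
        rows.append((host, ioc_type, comment))
    return rows


if __name__ == "__main__":
    for row in build_ioc_rows(SAMPLE_URL_IOCS):
        print(",".join(row))
```

Reducing URLs to hosts widens the match: a domain indicator derived from one malicious path will also flag traffic to benign paths on the same host, so shared hosting and CDN hostnames in a feed deserve a manual look before import.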