IOC Function

IOC Function

L1 Bithead

Hi Everyone,

 

Until now, I can't understand the function of IOC in Cortex XDR.

Could you please share with me what the main function of IOC in XDR is?

Because I have tried to create a new rule to block the link m.facebook, like in the picture.

[image: MuhammadRusli_0-1629424930850.png]

But after that I tried to access it again, and the result is that I can still access the URL.

1 Reply

L3 Networker

Hi @Muhammad-Rusli, XDR Indicator rules (e.g. BIOC and IOC) are detection rules; therefore, they do not include prevention functionality. These rules will create a detection alert once the criteria have been met. You could also create a BIOC rule based on specific behavior and add that BIOC to a Restriction profile. The situation that you described sounds like a use-case for managing external dynamic lists. Please note, there are some requirements that need to be met in order to leverage this feature:

 

To maintain an EDL in Cortex XDR, you must meet the following requirements:
  • Cortex XDR Pro per TB or Cortex Pro per Endpoint license
  • An App Administrator, Privileged Investigator, or Privileged Security Admin role which include EDL permissions
  • Palo Alto Networks firewall running PAN-OS 9.0 or a later release
  • Access to your Palo Alto Networks firewall configuration
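The distinction the reply draws, detection versus prevention, is easy to see in a small model. The following is an added example, not code from the thread or from Palo Alto Networks: an indicator rule evaluated against endpoint events only produces alerts and leaves the events untouched, while the same domain indicator exported as an external dynamic list (EDL) is what a firewall policy can actually deny on. The rule, the events and the "one domain per line" EDL format are constructed assumptions for illustration.

```python
"""Added illustration of detection (XDR IOC rule) versus prevention (firewall EDL).
Not from the forum thread or from Palo Alto Networks; all sample data is constructed."""

# Constructed sample IOC rule: one domain indicator, like the m.facebook rule in the question.
IOC_RULES = [
    {"name": "block-facebook-mobile", "type": "domain", "value": "m.facebook.com"},
]

# Constructed sample endpoint events, the kind of telemetry an indicator rule is evaluated against.
EVENTS = [
    {"host": "WS-01", "process": "chrome.exe", "domain": "m.facebook.com"},
    {"host": "WS-02", "process": "outlook.exe", "domain": "example.org"},
]


def evaluate_ioc_rules(events, rules):
    """Detection only: return an alert for every event that matches an indicator.

    The events themselves are not modified or dropped, mirroring the reply's point
    that an IOC rule raises an alert but does not prevent the access.
    """
    alerts = []
    for ev in events:
        for rule in rules:
            if rule["type"] == "domain" and ev["domain"] == rule["value"]:
                alerts.append({"rule": rule["name"], "host": ev["host"], "domain": ev["domain"]})
    return alerts


def build_domain_edl(rules):
    """Render the domain indicators as an EDL body.

    Assumption (not stated in the thread): one domain per line, the plain-text
    shape a PAN-OS domain list consumes.
    """
    domains = sorted({r["value"] for r in rules if r["type"] == "domain"})
    return "\n".join(domains) + "\n"


def firewall_verdict(domain, edl_body):
    """Prevention: a policy that references the EDL denies any listed domain."""
    blocked = {line.strip() for line in edl_body.splitlines() if line.strip()}
    return "deny" if domain in blocked else "allow"


if __name__ == "__main__":
    # Stage 1: the IOC rule fires an alert but changes nothing.
    for alert in evaluate_ioc_rules(EVENTS, IOC_RULES):
        print("ALERT", alert)
    # Stage 2: the same indicator, pushed to the firewall as an EDL, is enforced.
    edl = build_domain_edl(IOC_RULES)
    for ev in EVENTS:
        print(ev["domain"], "->", firewall_verdict(ev["domain"], edl))
```

Running it prints one alert for the WS-01 event and then a `deny` for `m.facebook.com` and an `allow` for `example.org`, which is the behaviour the reply describes: the alert comes from the indicator rule, the block only from the enforcement point that consumes the list.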