Verify default policy and custom on Cortex XDR


L0 Member

Dear Support,

I would like to open a case to verify and confirm the tasks below:

+ Currently we use the default rules in the Cortex Prevention Policy Rules for a customer that has just enabled it in protection mode, but the customer is concerned that this is not the best-practice recommendation and has requested that we review all those settings again.

+ IOC Rules – Ensure indicators of compromise are correctly configured and triggered, and confirm whether IOC rules can be integrated with third parties or not.
+ BIOC – Validate behavioral indicators of compromise for accuracy and relevance.
+ Host Firewall – Check host-based firewall configurations and policies. (we got this point)
+ Dashboard Customization – Review and confirm that dashboards are tailored to operational needs.

So I need to open a case and arrange a session to confirm this together with the customer.

1 REPLY

L4 Transporter

The default ruleset is a starting point, but it's often not the most optimized for their specific environment. You should review the following with your customer:

  • Customization: The default rules are broad. The goal is to create more granular policies for specific groups of endpoints. For example, a development server might have different security needs than an employee's laptop.

  • You can work with your customer to create custom profiles that apply to specific endpoint groups, ensuring a balance between strong security and business functionality.

  • Continuous Improvement: Prevention policies are not a one-time setup. They should be reviewed and fine-tuned regularly based on new threats and changes in the customer's environment.

IOC and BIOC Rules

This is a critical area for both detection and integration. You should cover these points with your customer:

  • IOCs (Indicators of Compromise): You can confirm that IOCs are correctly configured and triggered by showing them how to view and manage IOC rules within the Cortex XDR console. You can also show how IOCs are automatically created from threat intelligence feeds. Cortex XDR can integrate with third-party threat intelligence platforms like Cortex XSOAR to ingest IOCs, which allows for a more comprehensive defense.

  • BIOCs (Behavioral Indicators of Compromise): These are custom detection rules that use the Cortex Query Language (XQL). You should validate with the customer that their BIOCs are accurate and relevant by reviewing the queries. BIOCs are powerful because they detect behaviors rather than just static indicators, which is crucial for catching sophisticated attacks.

Host Firewall and Dashboard Customization

Host Firewall: Cortex XDR's host firewall allows you to control inbound and outbound communications on Windows and macOS endpoints. You can demonstrate how to create and manage host firewall policies and apply them to different endpoint groups. This centralizes control and ensures consistent security across all managed devices.

Dashboard Customization: You can show the customer how to tailor dashboards to their operational needs. Cortex XDR allows users to create custom dashboards and widgets to display the most relevant information for their security team. This helps them prioritize and investigate incidents more efficiently by providing a clear, focused view of their environment.

Next Steps

I recommend you create a case with the customer and schedule a follow-up session. In this session, you can walk through the Cortex XDR console together and address each of their concerns point by point. This hands-on approach will build confidence and ensure the customer's environment is configured for maximum protection.

Best Regards,
Suresh