To automatically convert leads into alerts after investigating a lead, create IOC rules from the
attribute-value pairs collected for the affected entities during the lead hunt. IOC rules detect
known threats based on indicators of compromise (IOCs) such as file hashes, IP addresses, and domain
names. By creating IOC rules from the leads, you can prevent future occurrences of the same threats
and generate alerts for them. References:
PCDRA Study Guide, page 25
Cortex XDR 3: Handling Cortex XDR Alerts, section 3.2
Cortex XDR Documentation, section “Create IOC Rules”
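As an added illustration (not code from Palo Alto Networks or the Cortex XDR product), the stand-alone Python below models the step described above: the attribute-value pairs collected on a lead become IOC rules, and those rules are then evaluated over constructed telemetry to raise alerts. The attribute names, IOC type labels, normalization choices and all sample values are assumptions.

```python
import ipaddress

# Attribute-value pairs an analyst collected on the affected entities while
# hunting the lead (constructed sample values, not real indicators).
LEAD_FINDINGS = [
    ("file_sha256", "0123456789ABCDEF" * 4),
    ("dst_ip", "203.0.113.45"),
    ("dns_query", "Update.Example-Malicious.TEST."),
]

# Lead attributes that can become IOC rules; anything else is context only.
ATTRIBUTE_TO_IOC_TYPE = {"file_sha256": "HASH", "dst_ip": "IP", "dns_query": "DOMAIN_NAME"}

def normalize(ioc_type, value):
    # Normalization decides whether a rule fires: hashes are case-insensitive hex,
    # domains are case-insensitive and may carry a trailing dot, IPs must parse.
    if ioc_type == "HASH":
        return value.strip().lower()
    if ioc_type == "IP":
        return str(ipaddress.ip_address(value.strip()))  # raises on malformed input
    if ioc_type == "DOMAIN_NAME":
        return value.strip().lower().rstrip(".")
    raise ValueError(f"unsupported IOC type: {ioc_type}")

def build_ioc_rules(findings, severity="high"):
    # One rule per (type, normalized indicator); duplicates collapse naturally.
    rules = {}
    for attr, value in findings:
        ioc_type = ATTRIBUTE_TO_IOC_TYPE.get(attr)
        if ioc_type is not None:
            rules[(ioc_type, normalize(ioc_type, value))] = {"severity": severity, "source": "lead"}
    return rules

def match_events(rules, events):
    # Every event field that maps to an IOC type is normalized and looked up.
    alerts = []
    for event in events:
        for attr, value in event.items():
            ioc_type = ATTRIBUTE_TO_IOC_TYPE.get(attr)
            if ioc_type is None:
                continue
            key = (ioc_type, normalize(ioc_type, value))
            if key in rules:
                alerts.append({"host": event.get("host"), "ioc_type": ioc_type,
                               "indicator": key[1], "severity": rules[key]["severity"]})
    return alerts

# Constructed telemetry: three hosts touch a lead indicator, one does not.
SAMPLE_EVENTS = [
    {"host": "ws-01", "file_sha256": "0123456789abcdef" * 4, "dst_ip": "198.51.100.7"},
    {"host": "ws-02", "dns_query": "update.example-malicious.test"},
    {"host": "ws-03", "dst_ip": "203.0.113.45"},
    {"host": "ws-04", "dns_query": "cdn.example.test"},
]
```

Running `match_events(build_ioc_rules(LEAD_FINDINGS), SAMPLE_EVENTS)` yields one alert each for ws-01, ws-02 and ws-03; the mixed-case hash and trailing-dot domain still match only because both sides are normalized.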