BIOC Rule Details - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-27
Category
Administrator Guide
Abstract

From the Cortex XDR management console, you can define your own rules based on behavior with the behavioral indicator of compromise (BIOC) rules.

If you are assigned a role that enables InvestigationRules privileges, you can view all user-defined and preconfigured rules for behavioral indicators of compromise (BIOCs) from Detection & Threat IntelDetection RulesBIOC.

If you have Cortex XDR - Analytics enabled, Cortex XDR also provides a separate page from which you can view Analytics BIOCs (ABIOCs). To access this page, use the link next to the refresh icon at the top of the page.

Each page displays fields that are relevant to the specific rule type.

BIOC Rule Fields

By default, the BIOC Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the BIOC Rules page, you can also manage existing rules using the right-click pivot menu.

The following table describes the fields that are available for each BIOC rule in alphabetical order.

Field

Description

# OF HITS

The number of hits (matches) on this rule.

BACKWARDS SCAN STATUS

Status of the Cortex XDR search for the first 10,000 matches when the BIOC rule was created or edited. Status can be:

  • Done

  • Failed

  • Pending

  • Queued

BACKWARDS SCAN TIMESTAMP

Timestamp of the Cortex XDR search for the first 10,000 matches in your Cortex XDR when the BIOC rule was created or edited.

BACKWARDS SCAN RETRIES

Number of times Cortex XDR searched for the first 10,000 matches in your Cortex XDR when the BIOC rule was created or edited.

BEHAVIOR

A schematic of the behavior of the rule.

COMMENT

Free-form comments specified when the BIOC was created or modified.

EXCEPTIONS

Exceptions to the BIOC rule. When there's a match on the exception, the event will not trigger an alert.

GLOBAL RULE ID

Unique identification number assigned to rules created by Palo Alto Networks.

INSERTION DATE

Date and time when the BIOC rule was created.

MITRE ATT&CK TACTIC

Displays the type of MITRE ATT&CK tactic the BIOC rule is attempting to trigger on.

MITRE ATT&CK TECHNIQUE

Displays the type of MITRE ATT&CK technique and sub-technique the BIOC rule is attempting to trigger on.

MODIFICATION DATE

Date and time when the BIOC was last modified.

NAME

Unique name that describes the rule. Global BIOC rules defined by Palo Alto Networks are indicated with a blue dot and cannot be modified or deleted.

RULE ID

Unique identification number for the rule.

TYPE

Type of BIOC rule:

  • Collection

  • Credential Access

  • Dropper

  • Evasion

  • Execution

  • Evasive

  • Exfiltration

  • File Privilege Manipulation

  • File Type Obfuscation

  • Infiltration

  • Lateral Movement

  • Other

  • Persistence

  • Privilege Escalation

  • Reconnaissance

  • Tampering

SEVERITY

BIOC severity that was defined when the BIOC was created.

SOURCE

User who created this BIOC, the file name from which it was created, or Palo Alto Networks if delivered through content updates.

STATUS

  • Enabled

  • Partially Enabled (Agent Disabled)

  • Partially Enabled (Server Disabled)

  • Disabled

When you hover over a rule that's disabled, a pop-up message appears to provide more information about the Disable action.

USED IN PROFILES

Displays if the BIOC rule is associated with a Restriction profile.

Analytics BIOC Fields

By default, the Analytics BIOC Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the Analytics BIOC Rules page, you can also disable and enable rules using the right-click pivot menu.

The following table describes the fields that are available for each Analytics BIOC rule in alphabetical order.

Field

Description

Activation Prerequisites

Displays a description of the prerequisites Cortex XDR requires in order to activate the rule.

Description

Description of the behavior that will raise the alert.

# OF HITS

The number of hits (matches) on this rule.

NAME

Unique name that describes the rule. New rules are identified with a blue badge icon.

Rules associated with Identity Analytics are displayed with an Identity Analytics tag.

SEVERITY

BIOC severity that was defined when the BIOC rule was created. Severity levels can be Low, Medium, High, Critical, and Multiple.

Multiple severity BIOC rules can raise alerts with different severity levels. Hover over the flag to see the severities defined for the rule.

STATUS

Displays whether the rule is Enabled, Disabled, or Pending Activation.

Rules that are Pending Activation are in the process of collecting the data required to enable the rule. Hover over the field to view how much data within a certain period of time has already been collected.

TAGS

Filter the results according to Detector Tags. This tag enables you to filter for specific detectors such as Identity Threat, Identity Analytics, and others.