Working with BIOCs

Behavioral indicators of compromise (BIOCs) enable you to alert on and respond to behaviors—the tactics, techniques, and procedures an attacker uses—rather than to static artifacts. Instead of matching file hashes and other traditional indicators of compromise, BIOC rules match on the behavior of process, registry, file, and network activity, so a rule keeps firing when the attacker recompiles or renames a tool but keeps the same technique.
To enable you to take advantage of the latest threat research, Cortex XDR – Investigation and Response automatically receives preconfigured rules from Palo Alto Networks. These global rules are delivered to all tenants with content updates. In cases where you need to override a global BIOC rule, you can disable it or set a rule exception. You can also configure additional BIOC rules as you investigate threats on your network and endpoints. BIOC rules are highly customizable: you can create a BIOC rule that is simple or quite complex.
As soon as you create or enable a BIOC rule, the app begins to monitor input feeds for matches. Cortex XDR – Investigation and Response also analyzes historical data collected in the Cortex Data Lake. Whenever there is a match, or hit, on a BIOC rule, Cortex XDR – Investigation and Response logs an alert.
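As an added illustration, not Cortex XDR's own rule syntax or code, the following Python matcher contrasts a hash-based IOC with a behavioral rule over a handful of constructed process events, including a rule exception of the kind described above. The event schema, field names, rule structure, and regexes are all assumptions made for the example; the constructed hashes stand in for the "known bad build" and a recompiled variant.

```python
"""Illustrative BIOC-style matcher (example code, not Cortex XDR's rule engine)."""
from dataclasses import dataclass
import hashlib
import re


@dataclass(frozen=True)
class ProcessEvent:
    # Assumed minimal schema; real endpoint telemetry carries many more fields.
    ts: str
    parent_name: str
    name: str
    cmdline: str
    image_sha256: str


# Constructed hashes: the "known bad" build and a recompiled build of the same tool.
KNOWN_BAD_HASH = hashlib.sha256(b"constructed-malicious-build-1").hexdigest()
REBUILT_HASH = hashlib.sha256(b"constructed-malicious-build-2").hexdigest()

# Constructed sample events (not real telemetry).
EVENTS = [
    ProcessEvent("2024-01-01T10:00:00Z", "explorer.exe", "winword.exe",
                 "winword.exe report.docx", hashlib.sha256(b"word").hexdigest()),
    # Office app spawning hidden, encoded PowerShell with the known-bad binary.
    ProcessEvent("2024-01-01T10:00:05Z", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA", KNOWN_BAD_HASH),
    # Same technique, different parent, recompiled binary (new hash).
    ProcessEvent("2024-01-02T09:30:00Z", "excel.exe", "pwsh.exe",
                 "pwsh.exe -NoProfile -EncodedCommand SQBFAFgA", REBUILT_HASH),
    # Benign admin use of PowerShell from a console.
    ProcessEvent("2024-01-02T11:00:00Z", "cmd.exe", "powershell.exe",
                 "powershell.exe -File deploy.ps1", hashlib.sha256(b"ps").hexdigest()),
    # Matches the behavior, but is a sanctioned add-in updater covered by an exception.
    ProcessEvent("2024-01-03T08:15:00Z", "winword.exe", "powershell.exe",
                 "powershell.exe -w hidden -File C:\\Corp\\addin-update.ps1",
                 hashlib.sha256(b"ps").hexdigest()),
]


@dataclass(frozen=True)
class BiocRule:
    """Assumed rule shape: parent set, child regex, command-line regex, exceptions."""
    name: str
    parent_names: frozenset
    child_pattern: re.Pattern
    cmdline_pattern: re.Pattern
    exceptions: tuple = ()  # command-line regexes that suppress an otherwise valid hit

    def matches(self, e: ProcessEvent) -> bool:
        if e.parent_name.lower() not in self.parent_names:
            return False
        if not self.child_pattern.search(e.name):
            return False
        if not self.cmdline_pattern.search(e.cmdline):
            return False
        # A rule exception overrides the match without disabling the whole rule.
        return not any(x.search(e.cmdline) for x in self.exceptions)


OFFICE_SPAWNS_ENCODED_POWERSHELL = BiocRule(
    name="Office application spawns hidden/encoded PowerShell",
    parent_names=frozenset({"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}),
    child_pattern=re.compile(r"^(powershell|pwsh)\.exe$", re.I),
    cmdline_pattern=re.compile(r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden", re.I),
    exceptions=(re.compile(r"C:\\Corp\\addin-update\.ps1$", re.I),),
)


def match_hash_ioc(events, bad_hashes):
    """Traditional IOC: exact hash match only."""
    return [e for e in events if e.image_sha256 in bad_hashes]


def match_bioc(events, rule):
    """Behavioral rule: matches the technique regardless of binary hash."""
    return [e for e in events if rule.matches(e)]


def alerts_for(events, rules):
    """One alert record per rule hit; works identically on historical and live batches."""
    return [{"ts": e.ts, "rule": r.name, "process": e.name}
            for r in rules for e in events if r.matches(e)]


if __name__ == "__main__":
    print("hash IOC hits:", [e.ts for e in match_hash_ioc(EVENTS, {KNOWN_BAD_HASH})])
    print("BIOC hits:    ", [e.ts for e in match_bioc(EVENTS, OFFICE_SPAWNS_ENCODED_POWERSHELL)])
    for a in alerts_for(EVENTS, [OFFICE_SPAWNS_ENCODED_POWERSHELL]):
        print(a)
```

The hash IOC catches only the first malicious execution; the recompiled build on 2024-01-02 is missed entirely, while the behavioral rule fires on both because the parent/child relationship and command-line flags are unchanged. The final event shows why exceptions rather than rule deletion are the right tool for a sanctioned process that happens to look like the technique: the global rule stays active for every other Office-to-PowerShell launch. Because `alerts_for` is a pure function of the event list, the same rule can be run over a historical batch and over newly arriving events, which is the same replay-plus-live behavior the text describes.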
