Add a BIOC Rule Exception

If you want to create a BIOC rule to take action on specific behaviors but also want to exclude one or more indicators from the rule, you can create a BIOC rule exception. An indicator can be the SHA256 hash of a process, a process name, a process path, a vendor name, a user name, the causality group owner (CGO) full path, or process command-line arguments. For more information about these indicators, see Create a BIOC Rule. For each exception, you also specify the rule scope to which the exception applies.
Cortex XDR – Investigation and Response only supports exceptions with one attribute.
  1. From Cortex XDR – Investigation and Response, select Rules > BIOC Exceptions.
  2. Select + New Exception.
  3. Configure the indicators and conditions for which you want to set the exception.
  4. Choose the scope of the exception.
    By default, activity matching the behavioral indicators does not trigger any rule. As an alternative, you can select one or more rules.
  5. Save the exception.
    After you save the exception, the EXCEPTIONS count for the rule increments. If you later edit the rule, you will also see the exception defined in the rule summary.
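The two constraints above, one attribute per exception and a scope that defaults to all rules, can be modelled in a few lines. This is an added illustration, not Cortex XDR code; the attribute names, rule names and sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Indicator attributes an exception may match on (from the page).
INDICATOR_ATTRIBUTES = {
    "sha256", "process_name", "process_path", "vendor_name",
    "user_name", "cgo_full_path", "command_line",
}


@dataclass
class BiocException:
    """One exception: a single indicator attribute/value plus a rule scope.

    scope=None means the default, "no rule triggers on this activity";
    otherwise it is the set of rule names the exception applies to.
    """
    indicator: dict            # exactly one attribute -> value
    scope: Optional[frozenset] = None

    def __post_init__(self):
        # Cortex XDR supports exceptions with one attribute only.
        if len(self.indicator) != 1:
            raise ValueError("an exception must carry exactly one attribute")
        (attr,) = self.indicator
        if attr not in INDICATOR_ATTRIBUTES:
            raise ValueError(f"unsupported indicator attribute: {attr}")

    def applies_to(self, rule_name: str) -> bool:
        return self.scope is None or rule_name in self.scope

    def matches(self, event: dict) -> bool:
        (attr, value), = self.indicator.items()
        return event.get(attr) == value


def is_suppressed(rule_name: str, event: dict, exceptions) -> bool:
    """True when an in-scope exception matches the event's indicators,
    so the BIOC rule should not fire for this activity."""
    return any(e.applies_to(rule_name) and e.matches(event) for e in exceptions)


def exception_count(rule_name: str, exceptions) -> int:
    """The EXCEPTIONS count a rule summary would show: every exception
    whose scope covers this rule, including the default all-rules scope."""
    return sum(1 for e in exceptions if e.applies_to(rule_name))
```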