BIOC Rule Details
From Rules > BIOC, you can view all user-defined and preconfigured behavioral indicator of compromise (BIOC) rules. To find a specific BIOC rule, filter the BIOC rules table by one or more fields. From the BIOC page, you can also manage or clone existing rules.
The following table describes the fields that are available for each BIOC rule in alphabetical order.
| Field | Description |
|---|---|
| # OF HITS | The number of hits (matches) on this behavior. |
| BEHAVIOR | A schematic of the behavior the rule matches. |
| COMMENT | Free-form comments entered when the BIOC was created or modified. |
| EXCEPTIONS | Exceptions to the BIOC rule. An event that matches an exception does not trigger an alert. |
| INSERTION DATE | Date and time when the BIOC rule was created. |
| MODIFICATION DATE | Date and time when the BIOC rule was last modified. |
| NAME | Unique name that describes the rule. Global BIOC rules defined by Palo Alto Networks are marked with a blue dot and cannot be modified or deleted. |
| RULE ID | Unique identification number for the rule. |
| TYPE | Type of BIOC rule: |
| SEVERITY | BIOC severity that was defined when the BIOC rule was created. |
| SOURCE | The user who created this BIOC, the name of the file from which it was imported, or Palo Alto Networks if it was delivered through a content update. |
| STATUS | Rule status: Enabled or Disabled. |