BIOC Rule Details

From Rules > BIOC, you can view all user-defined and preconfigured behavioral indicator of compromise (BIOC) rules. To search for a specific BIOC rule, you can filter by one or more fields in the BIOC rules table. From the BIOC page, you can also manage or clone existing rules.
The following table describes the fields that are available for each BIOC rule in alphabetical order.
Field: Description

# OF HITS: The number of hits (matches) on this behavior.

BEHAVIOR: A schematic of the behavior of the rule.

COMMENT: Free-form comments specified when the BIOC was created or modified.

EXCEPTIONS: Exceptions to the BIOC rule. When there's a match on the exception, the event will not trigger an alert.

INSERTION DATE: Date and time when the BIOC rule was created.

MODIFICATION DATE: Date and time when the BIOC was last modified.

NAME: Unique name that describes the rule. Global BIOC rules defined by Palo Alto Networks are indicated with a blue dot and cannot be modified or deleted.

RULE ID: Unique identification number for the rule.

TYPE: Type of BIOC rule:
  • Collection
  • Credential Access
  • Dropper
  • Evasion
  • Execution
  • Evasive
  • Exfiltration
  • File Privilege Manipulation
  • File Type Obfuscation
  • Infiltration
  • Lateral Movement
  • Other
  • Persistence
  • Privilege Escalation
  • Reconnaissance
  • Tampering

SEVERITY: BIOC severity that was defined when the BIOC was created.

SOURCE: User who created this BIOC, the file name from which it was created, or Palo Alto Networks if delivered through content updates.

STATUS: Rule status: Enabled or Disabled.