Create a BIOC Rule

After identifying a threat and its characteristics, you can configure rules for behavioral indicators of compromise (BIOCs). After you enable a BIOC rule, Cortex XDR – Investigation and Response searches for matches in your Cortex Data Lake and raises an alert if a match is detected. Going forward, the app also alerts you when any new match is detected.

Create a Rule from Scratch

To define a BIOC, you configure the entity and any related activity or characteristics. An entity can be a specific process, registry, file, or network host. An entity activity can describe the various actions that are relevant to that type of entity. For example, for a Registry entity, the actions are: Write, Rename, and Delete. If you can identify a threat by additional attributes, you can also specify those characteristics as additional entity information in the BIOC. For example, for a Process, you can add a process name, command-line argument used to call the process, or a user name.
  1. From Cortex XDR – Investigation and Response, select Rules > BIOC.
  2. Select + Add Rule.
  3. Configure the BIOC criteria.
    Define any relevant activity or characteristics for the entity type. Creating a new BIOC rule is similar to the way that you create a search with Query Builder.
  4. Test your BIOC rule.
    Rules that you do not refine enough can create thousands of alerts. As a result, it is highly recommended that you test the behavior of a new or edited BIOC rule before you save it. For example, if a rule will return thousands of hits because you negated a single parameter, it is a good idea to test the rule before you save it and make it active.
    When you test the rule, Cortex XDR – Investigation and Response immediately searches for rule matches across all your Cortex Data Lake data. If there are surprises, now is the time to see them and adjust the rule definition.
    For the purpose of showing you the expected behavior of the rule before you save it, Cortex XDR – Investigation and Response tests the BIOC on historical logs. After you save a BIOC rule, it will operate on both historical logs and new data received from your log sensors (for example, Traps).
  5. Save your BIOC rule.
  6. Enter a descriptive name to identify the BIOC rule.
  7. Specify the SEVERITY you want to associate with the alert.
  8. Select a rule TYPE which describes the activity.
  9. Enter any additional comments such as why you created the BIOC.
  10. Click OK.

Import Rules

You can use the import feature of Cortex XDR – Investigation and Response to import BIOCs from external feeds or that you previously exported. The export/import capability is useful for rapid copying of BIOCs across different Cortex XDR – Investigation and Response instances.
You can only import files that were exported from Cortex XDR – Investigation and Response. You cannot edit an exported file.
  1. From Cortex XDR – Investigation and Response, select Rules > BIOC.
  2. Select Import Rules.
  3. Drag and drop the file on the import rules dialog or browse to a file.
  4. Click Import.
    Cortex XDR – Investigation and Response loads any BIOC rules. This process may take a few minutes depending on the size of the file.
  5. Refresh the BIOC Rules page to view matches (# of Hits) in your historical data.
  6. To investigate any matches, view the Alerts page and filter the Alert Name by the name of the BIOC rule.