BIOC Rule Details
Define your own rules based on behavior with behavioral indicator of compromise (BIOC) rules.
From the BIOC page, you can view all user-defined and preconfigured behavioral indicator of compromise (BIOC) rules. To search for a specific BIOC rule, you can filter by one or more fields in the BIOC rules table. From the BIOC page, you can also manage or clone existing rules.
The following table describes the fields that are available for each BIOC rule in alphabetical order.
# OF HITS
The number of hits (matches) on this behavior.
BACKWARDS SCAN STATUS
BACKWARDS SCAN TIMESTAMP
BACKWARDS SCAN RETRIES
A schematic of the behavior of the rule.
Free-form comments specified when the BIOC was created or modified.
Exceptions to the BIOC rule. When there's a match on the exception, the event will not trigger an alert.
GLOBAL RULE ID
Date and time when the BIOC rule was created.
MITRE ATT&CK TACTIC
The MITRE ATT&CK tactic that the BIOC rule is designed to detect.
MITRE ATT&CK TECHNIQUE
The MITRE ATT&CK technique and sub-technique that the BIOC rule is designed to detect.
Date and time when the BIOC was last modified.
Unique name that describes the rule. Global BIOC rules defined by Palo Alto Networks are indicated with a blue dot and cannot be modified or deleted.
Unique identification number for the rule.
Type of BIOC rule:
BIOC severity that was defined when the BIOC was created.
User who created this BIOC, the file name from which it was created, or Palo Alto Networks if delivered through content updates.
Rule status: Enabled or Disabled.
USED IN PROFILES
Indicates whether the BIOC rule is associated with a Restriction profile.