BIOC Rule Details

Define your own rules based on behavior with behavioral indicator of compromise (BIOC) rules.
If you are assigned a role that enables Investigation > Rules privileges, you can view all user-defined and preconfigured rules for behavioral indicators of compromise (BIOCs) from Rules > BIOC.
If you have Cortex XDR - Analytics enabled, Cortex XDR also provides a separate page from which you can view Analytics BIOCs (ABIOCs). To access this page, use the link next to the refresh icon at the top of the page.
Each page displays the fields that are relevant to its rule type. The fields for each rule type are described in the sections below.

BIOC Rules Fields

By default, the BIOC Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the BIOC Rules page, you can also manage existing rules using the right-click pivot menu.
The following table describes the fields that are available for each BIOC rule in alphabetical order.
Field
    Description

# OF HITS
    The number of hits (matches) on this rule.

BACKWARDS SCAN RETRIES
    Number of times Cortex XDR searched for the first 10,000 matches in your Cortex XDR when the BIOC rule was created or edited.

BACKWARDS SCAN STATUS
    Status of the Cortex XDR search for the first 10,000 matches when the BIOC rule was created or edited. Status can be:
      • Done
      • Failed
      • Pending
      • Queued

BACKWARDS SCAN TIMESTAMP
    Timestamp of the Cortex XDR search for the first 10,000 matches in your Cortex XDR when the BIOC rule was created or edited.

BEHAVIOR
    A schematic of the behavior the rule matches.

COMMENT
    Free-form comments specified when the BIOC was created or modified.

EXCEPTIONS
    Exceptions to the BIOC rule. When an event matches an exception, it does not trigger an alert.

GLOBAL RULE ID
    Unique identification number assigned to rules created by Palo Alto Networks.

INSERTION DATE
    Date and time when the BIOC rule was created.

MITRE ATT&CK TACTIC
    The MITRE ATT&CK tactic the BIOC rule is attempting to trigger on.

MITRE ATT&CK TECHNIQUE
    The MITRE ATT&CK technique and sub-technique the BIOC rule is attempting to trigger on.

MODIFICATION DATE
    Date and time when the BIOC was last modified.

NAME
    Unique name that describes the rule. Global BIOC rules defined by Palo Alto Networks are indicated with a blue dot and cannot be modified or deleted.

RULE ID
    Unique identification number for the rule.

SEVERITY
    BIOC severity that was defined when the BIOC was created.

SOURCE
    User who created this BIOC, the file name from which it was created, or Palo Alto Networks if delivered through content updates.

STATUS
    Rule status: Enabled or Disabled.

TYPE
    Type of BIOC rule:
      • Collection
      • Credential Access
      • Dropper
      • Evasion
      • Execution
      • Evasive
      • Exfiltration
      • File Privilege Manipulation
      • File Type Obfuscation
      • Infiltration
      • Lateral Movement
      • Other
      • Persistence
      • Privilege Escalation
      • Reconnaissance
      • Tampering

USED IN PROFILES
    Displays whether the BIOC rule is associated with a Restriction profile.

Analytics BIOC Fields

By default, the Analytics BIOC Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the Analytics BIOC Rules page, you can also disable and enable rules using the right-click pivot menu.
The following table describes the fields that are available for each Analytics BIOC rule in alphabetical order.
Field
    Description

Description
    Description of the behavior that will raise the alert.

GLOBAL RULE ID
    Unique identification number assigned to rules created by Palo Alto Networks.

INSERTION DATE
    Date and time when the BIOC rule was created.

MITRE ATT&CK TACTIC
    The MITRE ATT&CK tactic the BIOC rule is attempting to trigger on.

MITRE ATT&CK TECHNIQUE
    The MITRE ATT&CK technique and sub-technique the BIOC rule is attempting to trigger on.

MODIFICATION DATE
    Date and time when the BIOC was last modified.

NAME
    Unique name that describes the rule. New rules are identified with a blue badge icon.

SEVERITY
    BIOC severity that was defined when the BIOC was created.

STATUS
    Rule status: Enabled or Disabled.