BIOC Rule Details

Define your own rules based on behavior with behavioral indicator of compromise (BIOC) rules.

If you are assigned a role that grants the required privileges, you can view all user-defined and preconfigured rules for behavioral indicators of compromise (BIOCs) from Investigation > Rules > BIOC.

If you have Cortex XDR - Analytics enabled, Cortex XDR also provides a separate page from which you can view Analytics BIOCs (ABIOCs). To access this page, use the link next to the refresh icon at the top of the page. Each page displays the fields that are relevant to its rule type; the fields are described in the sections below.

BIOC Rules Fields

By default, the BIOC Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the BIOC Rules page, you can also manage existing rules using the right-click pivot menu. The following table describes the fields that are available for each BIOC rule in alphabetical order.
Field | Description |
---|---|
# OF HITS | The number of hits (matches) on this rule. |
BACKWARDS SCAN STATUS | Status of the Cortex XDR search for the first 10,000 matches when the BIOC rule was created or edited. Status can be: |
BACKWARDS SCAN TIMESTAMP | Timestamp of the Cortex XDR search for the first 10,000 matches in your Cortex XDR when the BIOC rule was created or edited. |
BACKWARDS SCAN RETRIES | Number of times Cortex XDR searched for the first 10,000 matches in your Cortex XDR when the BIOC rule was created or edited. |
BEHAVIOR | A schematic of the behavior the rule matches. |
COMMENT | Free-form comments specified when the BIOC was created or modified. |
EXCEPTIONS | Exceptions to the BIOC rule. When an event matches an exception, the event does not trigger an alert even if it matches the rule behavior. |
GLOBAL RULE ID | Unique identification number assigned to rules created by Palo Alto Networks. |
INSERTION DATE | Date and time when the BIOC rule was created. |
MITRE ATT&CK TACTIC | The MITRE ATT&CK tactic the BIOC rule is attempting to trigger on. |
MITRE ATT&CK TECHNIQUE | The MITRE ATT&CK technique and sub-technique the BIOC rule is attempting to trigger on. |
MODIFICATION DATE | Date and time when the BIOC was last modified. |
NAME | Unique name that describes the rule. Global BIOC rules defined by Palo Alto Networks are indicated with a blue dot and cannot be modified or deleted. |
RULE ID | Unique identification number for the rule. |
TYPE | Type of BIOC rule: |
SEVERITY | BIOC severity that was defined when the BIOC was created. |
SOURCE | User who created this BIOC, the file name from which it was created, or Palo Alto Networks if delivered through content updates. |
STATUS | Rule status: Enabled or Disabled. |
USED IN PROFILES | Indicates whether the BIOC rule is associated with a Restriction profile. |
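To make the interaction between the STATUS, BEHAVIOR, EXCEPTIONS, SEVERITY and # OF HITS fields concrete, here is a small added illustration of how such rules are evaluated. It is not Cortex XDR code and does not reproduce its matching engine; it assumes a simplified model in which a rule's behavior and each exception are exact field constraints on an event, and all rule names, hostnames and events are constructed for the example.

```python
"""Toy evaluation of BIOC-style rules over constructed process events.

Added illustration of the semantics the field table describes: a rule fires
only when it is enabled (STATUS), the event matches its BEHAVIOR, and no
EXCEPTION matches; every alert increments the rule's hit count (# OF HITS).
Exact field equality is a simplifying assumption, not the product's model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Constraints = Dict[str, str]


@dataclass
class BiocRule:
    name: str
    severity: str
    enabled: bool                                   # STATUS: Enabled/Disabled
    behavior: Constraints                           # BEHAVIOR the event must match
    exceptions: List[Constraints] = field(default_factory=list)  # EXCEPTIONS
    hits: int = 0                                   # # OF HITS


def _matches(constraints: Constraints, event: Dict[str, str]) -> bool:
    """Every constrained field must be present in the event with that value."""
    return all(event.get(k) == v for k, v in constraints.items())


def evaluate(rule: BiocRule, event: Dict[str, str]) -> bool:
    """Return True (and count a hit) only if the rule is enabled, the behavior
    matches, and no exception matches the same event."""
    if not rule.enabled:
        return False
    if not _matches(rule.behavior, event):
        return False
    if any(_matches(exc, event) for exc in rule.exceptions):
        return False            # exception wins: the event matched, no alert
    rule.hits += 1
    return True


def run_rules(rules: List[BiocRule],
              events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule name, severity, event id) for every alert raised."""
    alerts = []
    for event in events:
        for rule in rules:
            if evaluate(rule, event):
                alerts.append((rule.name, rule.severity, event["id"]))
    return alerts


# Constructed sample rules (hypothetical names, hosts and exception).
RULES = [
    BiocRule(
        name="Office app spawns PowerShell",
        severity="High",
        enabled=True,
        behavior={"action": "process_start", "process": "powershell.exe",
                  "parent": "winword.exe"},
        exceptions=[{"host": "doc-build-01"}],      # known automation host
    ),
    BiocRule(
        name="Disabled test rule",
        severity="Low",
        enabled=False,
        behavior={"action": "process_start", "process": "cmd.exe"},
    ),
]

# Constructed sample events.
EVENTS = [
    {"id": "e1", "action": "process_start", "process": "powershell.exe",
     "parent": "winword.exe", "host": "wks-042"},          # alert
    {"id": "e2", "action": "process_start", "process": "powershell.exe",
     "parent": "winword.exe", "host": "doc-build-01"},     # exception host
    {"id": "e3", "action": "process_start", "process": "cmd.exe",
     "parent": "explorer.exe", "host": "wks-042"},         # disabled rule only
    {"id": "e4", "action": "file_write", "process": "winword.exe",
     "host": "wks-042"},                                   # no behavior match
]


if __name__ == "__main__":
    for alert in run_rules(RULES, EVENTS):
        print(alert)
    for rule in RULES:
        print(rule.name, "hits:", rule.hits)
```

Running it raises a single High alert for event e1; e2 is suppressed by the exception, e3 matches only the disabled rule, and e4 matches no behavior, so the first rule ends with one hit and the second with none.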
Analytics BIOC Fields

By default, the Analytics BIOC Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the Analytics BIOC Rules page, you can also disable and enable rules using the right-click pivot menu. The following table describes the fields that are available for each Analytics BIOC rule in alphabetical order.
Field | Description |
---|---|
DESCRIPTION | Description of the behavior that raises the alert. |
GLOBAL RULE ID | Unique identification number assigned to rules created by Palo Alto Networks. |
INSERTION DATE | Date and time when the BIOC rule was created. |
MITRE ATT&CK TACTIC | The MITRE ATT&CK tactic the BIOC rule is attempting to trigger on. |
MITRE ATT&CK TECHNIQUE | The MITRE ATT&CK technique and sub-technique the BIOC rule is attempting to trigger on. |
MODIFICATION DATE | Date and time when the BIOC was last modified. |
NAME | Unique name that describes the rule. New rules are identified with a blue badge icon. |
SEVERITY | BIOC severity that was defined when the BIOC was created. |
STATUS | Rule status: Enabled or Disabled. |