BIOC Rule Details
Define your own rules based on behavior with behavioral
indicator of compromise (BIOC) rules.
From , you can view all user-defined
and preconfigured behavioral indicator of compromise (BIOC) rules.
To search for a specific BIOC rule, you can filter by one or more
fields in the BIOC rules table. From the
BIOC
page,
you can also manage or clone existing rules. 
The following table describes the fields that
are available for each BIOC rule in alphabetical order.
Field | Description |
|---|---|
# OF HITS | The number of hits (matches) on this behavior. |
BACKWARDS SCAN STATUS | |
BACKWARDS SCAN TIMETAMP | |
BACKWARDS SCAN RETRIES | |
BEHAVIOR | A schematic of the behavior of the rule. |
COMMENT | Free-form comments specified when the BIOC
was created or modified. |
EXCEPTIONS | Exceptions to the BIOC rule. When there's a
match on the exception, the event will not trigger an alert. |
GLOBAL RULE ID | |
INSERTION DATE | Date and time when the BIOC rule was created. |
MITRE ATT&CK TACTIC | Displays the type of MITRE ATT&CK tactic
the BIOC rule is attempting to trigger on. |
MITRE ATT&CK TECHNIQUE | Displays the type of MITRE ATT&CK technique
and sub-technique the BIOC rule is attempting to trigger on. |
MODIFICATION DATE | Date and time when the BIOC was last modified. |
NAME | Unique name that describes the rule. Global
BIOC rules defined by Palo Alto Networks are indicated with a blue
dot and cannot be modified or deleted. |
RULE ID | Unique identification number for the rule. |
TYPE | Type of BIOC rule:
|
SEVERITY | BIOC severity that was defined when the BIOC
was created. |
SOURCE | User who created this BIOC, the file name from
which it was created, or Palo Alto Networks if delivered through
content updates. |
STATUS | Rule status: Enabled or Disabled. |
USED IN PROFILES | Displays if the BIOC rule is associated with
a Restriction profile. |
