Create a BIOC Rule

You can configure rules for behavioral indicators of compromise (BIOCs) to raise an alert on an identified threat.
After identifying a threat and its characteristics, you describe them in a BIOC rule. After you create a BIOC rule, Cortex XDR searches for the first 10,000 matches in your Cortex Data Lake and raises an alert if a match is detected. Going forward, the app raises an alert whenever a new match is detected.

Create a Rule from Scratch

To define a BIOC, you configure the entity and any related activity or characteristics. An entity can be a specific process, registry key, file, or network host. An entity activity describes the actions that are relevant to that type of entity.
For example, for a Registry entity, the actions are Write, Rename, and Delete. If you can identify a threat by additional attributes, you can also specify those characteristics as additional entity information in the BIOC. For example, for a Process, you can add a process name, the command-line arguments used to call the process, or a user name.
The following describes the entity types and actions you can create a BIOC rule for:
  • Event Log—Events relating to the Windows Event Log.
  • File—Events relating to file create, write, read, and rename, according to the file name and path.
  • Image Load—Events relating to modules (images) loaded by processes.
  • Network—Events relating to incoming and outgoing network connections, filtered by IP address, port, host name, and protocol.
  • New Generation (NG) Network—Events relating to a combination of firewall and endpoint logs for network activity.
  • Process—Events relating to process execution and injection, according to process name, hash, path, and command line (CMD).
  • Registry—Events relating to registry write, rename, and delete, according to the registry path.
To create a BIOC rule:
  1. From Cortex XDR, select Rules > BIOC.
  2. Select + Add Rule.
  3. Configure the BIOC criteria.
    Define any relevant activity or characteristics for the entity type. Creating a new BIOC rule is similar to the way that you create a search with Query Builder.
  4. Test your BIOC rule.
    Rules that you do not refine enough can create thousands of alerts. As a result, it is highly recommended that you test the behavior of a new or edited BIOC rule before you save it. For example, a rule in which you negated a single parameter (such as "process name is not explorer.exe") can match almost every event, so test it before you save it and make it active.
    Cortex XDR automatically disables BIOC rules that reach 5000 or more hits over a 24 hour period.
    When you test the rule, Cortex XDR immediately searches for rule matches across all your Cortex Data Lake data. If there are surprises, now is the time to see them and adjust the rule definition.
    To show you the expected behavior of the rule before you save it, Cortex XDR tests the BIOC on historical logs only. After you save a BIOC rule, it operates on both historical logs (up to 10,000 hits) and new data received from your log sensors.
  5. Save your BIOC rule.
  6. Define your BIOC properties.
    1. Enter a descriptive Name to identify the BIOC rule.
    2. Specify the SEVERITY you want to associate with the alert.
    3. Select a rule TYPE which describes the activity.
    4. (Optional) Select the MITRE Tactic and MITRE Technique you want to associate with the alert. You can select up to 3 MITRE Tactics and MITRE Techniques/Sub-Techniques.
    5. Enter any additional comments, such as why you created the BIOC.
    6. Click OK.
  7. Save your BIOC rule.
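As an added illustration of what the entity, action and attribute criteria above amount to, and of why the testing step matters, the following Python is a toy BIOC-style matcher. It is example code written for this page, not Cortex XDR's query language or detection engine; the event field names (entity, action, process_name, cmd, user, ts), the rule representation and the telemetry are constructed for the illustration. It runs a narrow rule and a deliberately over-broad one (a single negated parameter) over the same historical events, caps the dry run at the first 10,000 matches, and auto-disables a rule that reaches 5000 hits inside a 24 hour window, the two thresholds the page states.

```python
"""Toy BIOC-style rule matcher (added example; not Cortex XDR code)."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set

HISTORICAL_HIT_CAP = 10_000              # first matches searched once a rule is saved
AUTO_DISABLE_HITS = 5000                 # hits that auto-disable a rule ...
AUTO_DISABLE_WINDOW = timedelta(hours=24)  # ... within this window

# Actions the page lists for the entity types used here.
ENTITY_ACTIONS: Dict[str, Set[str]] = {
    "Registry": {"Write", "Rename", "Delete"},
    "File": {"Create", "Write", "Read", "Rename"},
    "Process": {"Execution", "Injection"},
}


@dataclass
class BiocRule:
    """Entity type, actions of interest, and optional attribute conditions."""
    name: str
    entity: str
    actions: Set[str]
    conditions: Dict[str, Callable[[str], bool]] = field(default_factory=dict)
    enabled: bool = True

    def __post_init__(self) -> None:
        unknown = self.actions - ENTITY_ACTIONS.get(self.entity, set())
        if unknown:
            raise ValueError(f"{self.entity} has no action(s) {sorted(unknown)}")

    def matches(self, event: dict) -> bool:
        if event.get("entity") != self.entity or event.get("action") not in self.actions:
            return False
        # Every attribute condition must be present on the event and satisfied.
        return all(attr in event and pred(event[attr]) for attr, pred in self.conditions.items())


def dry_run(rule: BiocRule, history: List[dict], cap: int = HISTORICAL_HIT_CAP) -> List[dict]:
    """The testing step: matches over historical data, capped like the real search."""
    hits: List[dict] = []
    for ev in history:
        if rule.matches(ev):
            hits.append(ev)
            if len(hits) >= cap:
                break
    return hits


class LiveMonitor:
    """Feeds new events (in timestamp order) through a rule and enforces auto-disable."""

    def __init__(self, rule: BiocRule) -> None:
        self.rule = rule
        self.hit_times: deque = deque()
        self.alerts: List[dict] = []

    def ingest(self, event: dict) -> Optional[dict]:
        if not self.rule.enabled or not self.rule.matches(event):
            return None
        now = event["ts"]
        self.hit_times.append(now)
        while now - self.hit_times[0] > AUTO_DISABLE_WINDOW:  # forget hits older than the window
            self.hit_times.popleft()
        alert = {"rule": self.rule.name, "ts": now, "event": event}
        self.alerts.append(alert)
        if len(self.hit_times) >= AUTO_DISABLE_HITS:
            self.rule.enabled = False                      # noisy rule: stop alerting
        return alert


def build_sample_events(n_benign: int = 8000) -> List[dict]:
    """Constructed process-execution telemetry spanning about 22 hours (not real data)."""
    base = datetime(2024, 1, 1)
    names = ["svchost.exe", "chrome.exe", "explorer.exe", "outlook.exe"]
    events = [{"entity": "Process", "action": "Execution", "process_name": names[i % 4],
               "cmd": names[i % 4], "user": "alice", "ts": base + timedelta(seconds=10 * i)}
              for i in range(n_benign)]
    # One ordinary admin PowerShell run, then three encoded-command launches.
    events.append({"entity": "Process", "action": "Execution", "process_name": "powershell.exe",
                   "cmd": "powershell.exe Get-Service", "user": "alice", "ts": base + timedelta(hours=2)})
    for h in (1, 5, 9):
        events.append({"entity": "Process", "action": "Execution", "process_name": "PowerShell.exe",
                       "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA", "user": "bob",
                       "ts": base + timedelta(hours=h, seconds=5)})
    events.sort(key=lambda e: e["ts"])
    return events


def demo() -> dict:
    history = build_sample_events()
    tight = BiocRule("Encoded PowerShell", "Process", {"Execution"}, {
        "process_name": lambda v: v.lower() == "powershell.exe",
        "cmd": lambda v: "-enc" in v.lower(),
    })
    # The failure mode from the testing step: negating one parameter matches nearly everything.
    broad = BiocRule("Anything but explorer", "Process", {"Execution"}, {
        "process_name": lambda v: v.lower() != "explorer.exe",
    })
    results = {"tight_test_hits": len(dry_run(tight, history)),
               "broad_test_hits": len(dry_run(broad, history))}
    for key, rule in (("tight", tight), ("broad", broad)):
        mon = LiveMonitor(rule)
        for ev in history:
            mon.ingest(ev)
        results[f"{key}_live_alerts"] = len(mon.alerts)
        results[f"{key}_enabled"] = rule.enabled
    return results


if __name__ == "__main__":
    print(demo())
```

The dry run of the broad rule returns thousands of hits before anything is saved, which is exactly the signal the testing step asks you to look for; left active, the same rule would be disabled by the 5000-hit threshold and the three encoded-PowerShell launches the tight rule catches would be lost in the noise.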

Configure a Custom Prevention Rule

Custom prevention rules allow you to configure and apply user-defined BIOC rules to Restrictions profiles deployed on your Windows, Mac, and Linux endpoints.
By using BIOC rules, you can configure custom prevention rules that terminate the causality chain of a malicious process according to the Restrictions profile action mode (Block, Report, Prompt, or Disable) and trigger Cortex XDR Agent behavioral prevention alerts in addition to the BIOC rule detection alerts.
For example, suppose you configured a BIOC Process event rule as a custom prevention rule and applied it to the Restrictions profile Demo, whose action mode is set to Block. After the Restrictions profile is deployed on your endpoints, the custom prevention rule can begin to:
  • Block a process at the endpoint level according to the defined rule properties.
  • Trigger a behavioral prevention alert you can monitor and investigate in the Alerts table.
Before you configure a BIOC rule as a custom prevention rule, make sure you created a Restriction Profile for each type of operating system (OS) in your environment that you would like to deploy your prevention rules on.
To configure a BIOC rule as a prevention rule:
  1. In the BIOC Rule table, filter the Source field to locate the user-defined rule you want to apply as a custom prevention rule. You can only apply a BIOC rule that you created, either from scratch or from a Cortex XDR Global Rule template, and that meets the following criteria:
    • The user-defined BIOC rule event does not include the following field configurations:
      • All Events—Host Name
      • File Event—Device Type, Device Serial Number
      • Process Event—Device Type, Device Serial Number
      • Registry Event—Country, Raw Packet
    • BIOC rules with OS scope definitions must align with the Restrictions profile OS.
    • When defining the Process criteria for a user-defined BIOC rule, the rule can be set to run only on the actor, causality, or OS actor process on Windows, and only on the causality or OS actor process on Linux and Mac.
  2. Test your BIOC rule.
    Rules that you do not refine enough can create thousands of alerts. As a result, it is highly recommended that you test the behavior of a new or edited BIOC rule before you save it. Cortex XDR automatically disables BIOC rules that reach 5000 or more hits over a 24 hour period.
  3. Right-click and select Add to restrictions profile.
    If the rule is already referenced by one or more profiles, select See profiles to view the profile names.
  4. In the Add to Restrictions Profile pop-up:
    • Ensure the rule you selected is compatible with the endpoint operating system.
    • Select the Restrictions profile name you want to apply the BIOC rule to for each of the operating systems. BIOC event rules of type Event Log and Registry are only supported on Windows.
      You can only add to existing profiles you created; Cortex XDR Default profiles do not appear as an option.
  5. Add the BIOC rule to the selected profiles.
    The BIOC rule is now configured as a custom prevention rule and applied to your Restrictions profiles. After the Restrictions profile is pushed to your endpoints, the custom prevention rule can start triggering behavioral prevention alerts.
  6. Review and edit your custom prevention rules.
    1. Navigate to Endpoints > Policy Management > Profiles.
    2. Locate the Restrictions profile to which you applied the BIOC rule. In the Summary field, Custom Prevention Rules appears as Enabled.
    3. Right-click and select Edit.
    4. In the Custom Prevention Rules section, you can review and modify the following:
      • Action Mode—Select to Enable or Disable the BIOC prevention rules.
      • Auto-disable—Select whether to auto-disable a BIOC prevention rule if it triggers more than a defined number of times during a defined duration. Auto-disable turns off both the BIOC detection rule and the BIOC prevention rule.
      • Prevention BIOC Rules table—Filter and maintain the BIOC rules applied to this specific Restrictions profile. Right-click to Delete a rule or Go to BIOC Rules table.
    5. Save your changes if necessary.
    6. Investigate the BIOC prevention rule alerts.
      • Navigate to Investigation > Incidents > Alerts Table.
      • Filter the fields as follows:
        • Alert Source > XDR Agent
        • Action > Prevention (<profile action mode>)
        • Alert Name > Behavioral Threat
      • In the Description field you can see the name of the rule that triggered the prevention alert.
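The eligibility criteria in step 1 and the alert filter in step 6 can be expressed as a small checker, which is a useful pre-flight when you manage many rules and profiles. The following Python is an added example for this page, not Cortex XDR code: the BiocRule and RestrictionsProfile classes, their field names, the process_target values (actor, causality, os_actor), the "user"/"global" source labels, and the sample rules and profiles are assumptions made for the illustration. The disallowed fields, the Windows-only event types, the per-OS process targets, the default-profile restriction, and the alert field values (XDR Agent, Prevention (<mode>), Behavioral Threat, rule name in Description) are taken from the text above.

```python
"""Prevention-rule eligibility checker and alert filter (added example; not Cortex XDR code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

WINDOWS, LINUX, MAC = "Windows", "Linux", "Mac"

# Field configurations that disqualify a rule from prevention ("*" applies to all event types).
BLOCKED_FIELDS: Dict[str, Set[str]] = {
    "*": {"Host Name"},
    "File": {"Device Type", "Device Serial Number"},
    "Process": {"Device Type", "Device Serial Number"},
    "Registry": {"Country", "Raw Packet"},
}
WINDOWS_ONLY_TYPES = {"Event Log", "Registry"}
# Which process in the chain a Process rule may be restricted to, per OS (names assumed here).
PROCESS_TARGETS: Dict[str, Set[str]] = {
    WINDOWS: {"actor", "causality", "os_actor"},
    LINUX: {"causality", "os_actor"},
    MAC: {"causality", "os_actor"},
}


@dataclass
class BiocRule:
    name: str
    event_type: str                       # Event Log, File, Image Load, Network, Process, Registry
    fields: Set[str]                      # attributes referenced by the rule criteria
    source: str = "user"                  # "user" (from scratch or a Global Rule template) or "global"
    os_scope: Optional[Set[str]] = None   # None means no OS restriction
    process_target: Optional[str] = None  # actor / causality / os_actor (Process rules only)


@dataclass
class RestrictionsProfile:
    name: str
    os: str
    action_mode: str                      # Block, Report, Prompt or Disable
    is_default: bool = False
    prevention_rules: List[str] = field(default_factory=list)


def eligibility_problems(rule: BiocRule, profile: RestrictionsProfile) -> List[str]:
    """Return every reason the rule cannot be added to the profile (empty list = eligible)."""
    problems: List[str] = []
    if rule.source != "user":
        problems.append("only user-defined BIOC rules can become prevention rules")
    if profile.is_default:
        problems.append(f"'{profile.name}' is a Cortex XDR Default profile; use a profile you created")
    blocked = rule.fields & (BLOCKED_FIELDS["*"] | BLOCKED_FIELDS.get(rule.event_type, set()))
    if blocked:
        problems.append(f"fields not allowed in a prevention rule: {sorted(blocked)}")
    if rule.event_type in WINDOWS_ONLY_TYPES and profile.os != WINDOWS:
        problems.append(f"{rule.event_type} rules are only supported on Windows")
    if rule.os_scope is not None and profile.os not in rule.os_scope:
        problems.append(f"rule OS scope {sorted(rule.os_scope)} does not match profile OS {profile.os}")
    if (rule.event_type == "Process" and rule.process_target
            and rule.process_target not in PROCESS_TARGETS[profile.os]):
        problems.append(f"target '{rule.process_target}' is not enforceable on {profile.os}")
    return problems


def add_to_profile(rule: BiocRule, profile: RestrictionsProfile) -> List[str]:
    """Mirror of 'Add to restrictions profile': attach the rule only when it is eligible."""
    problems = eligibility_problems(rule, profile)
    if not problems and rule.name not in profile.prevention_rules:
        profile.prevention_rules.append(rule.name)
    return problems


def prevention_alert(rule_name: str, profile: RestrictionsProfile) -> dict:
    """Shape of the alert raised when a prevention rule fires (field values from the page)."""
    return {"Alert Source": "XDR Agent", "Action": f"Prevention ({profile.action_mode})",
            "Alert Name": "Behavioral Threat", "Description": rule_name}


def filter_prevention_alerts(alerts: List[dict], rule_name: Optional[str] = None) -> List[dict]:
    """The Alerts-table filter from the investigation step, optionally narrowed to one rule."""
    return [a for a in alerts
            if a.get("Alert Source") == "XDR Agent"
            and str(a.get("Action", "")).startswith("Prevention (")
            and a.get("Alert Name") == "Behavioral Threat"
            and (rule_name is None or a.get("Description") == rule_name)]


def demo() -> dict:
    """Constructed rules and profiles that exercise each check."""
    demo_win = RestrictionsProfile("Demo", WINDOWS, "Block")
    demo_linux = RestrictionsProfile("Demo-Linux", LINUX, "Report")
    default_win = RestrictionsProfile("Default", WINDOWS, "Block", is_default=True)
    run_key = BiocRule("Run key persistence", "Registry", {"Registry Path", "Registry Data"})
    enc_ps = BiocRule("Encoded PowerShell", "Process", {"Process Name", "Command Line"},
                      process_target="actor")
    dc_only = BiocRule("Suspicious tool on DC", "Process", {"Process Name", "Host Name"})
    results = {
        "registry_on_windows": add_to_profile(run_key, demo_win),
        "registry_on_linux": add_to_profile(run_key, demo_linux),
        "actor_target_on_linux": add_to_profile(enc_ps, demo_linux),
        "host_name_field": add_to_profile(dc_only, demo_win),
        "default_profile": add_to_profile(enc_ps, default_win),
        "demo_profile_rules": list(demo_win.prevention_rules),
    }
    alerts = [prevention_alert("Run key persistence", demo_win),
              {"Alert Source": "XDR BIOC", "Alert Name": "Run key persistence"}]  # detection-only alert
    results["prevention_alerts"] = len(filter_prevention_alerts(alerts, "Run key persistence"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note the last constructed alert: the detection alert the BIOC rule itself raises carries the rule name as its Alert Name, whereas the agent's prevention alert is always named Behavioral Threat with the rule name in Description, which is why the investigation step filters on source and action rather than on the rule name alone.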

Import Rules

You can use the import feature of Cortex XDR to import BIOCs from external feeds or from a file that you previously exported. The export/import capability is useful for rapidly copying BIOCs across different Cortex XDR instances.
You can only import files that were exported from Cortex XDR. You cannot edit an exported file.
  1. From Cortex XDR, select Rules > BIOC.
  2. Select Import Rules.
  3. Drag and drop the file onto the Import Rules dialog or browse to a file.
  4. Click Import.
    Cortex XDR loads the BIOC rules. This process may take a few minutes depending on the size of the file.
  5. Refresh the BIOC Rules page to view matches (# of Hits) in your historical data.
  6. To investigate any matches, view the Alerts page and filter the Alert Name by the name of the BIOC rule.
