Create a BIOC Rule
You can configure rules for behavioral indicators of compromise (BIOCs) to raise an alert on an identified threat.
After identifying a threat and its characteristics, you can configure rules for behavioral indicators of compromise (BIOCs). After you create a BIOC rule, Cortex XDR searches for the first 10,000 matches in your Cortex Data Lake and raise an alert if a match is detected. Going forward, the app alerts when a new match is detected.
To ensure your BIOC rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR automatically disables BIOC rules that reach 5000 or more hits over a 24 hour period.
Create a Rule from Scratch
Creating a new BIOC rule is similar to the way you create a search with Query Builder. You use XQL to define the rule. The XQL query must at a minimum filter on the
event_typefield in order for it to be a valid BIOC rule. For example:
dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
filterstage is supported for XQL queries that define a BIOC.
The following describes the
event_typevalues for which you can create a BIOC rule:
- FILE—Events relating to file create, write, read, and rename according to the file name and path.
- INJECTION—Events related to process injections.
- LOAD_IMAGE—Events relating to module IDs of processes.
- NETWORK—Events relating to incoming and outgoing network, filed IP addresses, port, host name, and protocol.
- PROCESS—Events relating to execution and injection of a process name, hash, path, and CMD.
- REGISTRY—Events relating to registry write, rename and delete according to registry path.
- STORY—Events relating to a combination of firewall and endpoint logs over the network.
- EVENT_LOG—Events relating to Windows event logs and Linux system authentication logs.
To create a BIOC rule:
- From Cortex XDR, select.RulesBIOC
- Select+ Add Rule.
- Configure the BIOC criteria.
- Testyour BIOC rule.Rules that you do not refine enough can create thousands of alerts. As a result, it is highly recommended that you test the behavior of a new or edited BIOC rule before you save it. For example, if a rule will return thousands of hits because you negated a single parameter, it is a good idea to test the rule before you save it and make it active.When you test the rule, Cortex XDR immediately searches for rule matches across all your Cortex Data Lake data. If there are surprises, now is the time to see them and adjust the rule definition.For the purpose of showing you the expected behavior of the rule before you save it, Cortex XDR tests the BIOC on historical logs. After you save a BIOC rule, it will operate on both historical logs (up to 10,000 hits) and new data received from your log sensors.
- Saveyour BIOC rule.
- Define your BIOC properties.
- Enter a descriptiveNameto identify the BIOC rule.
- Select a ruleTYPEwhich describes the activity.
- Specify theSEVERITYyou want to associate with the alert.
- (Optional) Select theMITRE TacticandMITRE Techniqueyou want to associate with the alert. You can select up to 3 MITRE Tactics and MITRE Techniques/Sub-Techniques.
- Enter any additional comments such as why you created the BIOC.
- Saveyour BIOC rule.
Configure a Custom Prevention Rule
Custom prevention rules are supported on Cortex XDR agent 7.2 and later versions and enable you to configure and apply user-defined BIOC rules to Restriction profiles deployed on your Windows, Mac, and Linux endpoints.
By using the BIOC rules, you can configure custom prevention rules to terminate the causality chain of a malicious process according to the Action Mode defined in the associated Restrictions Security Profile and trigger Cortex XDR Agent behavioral prevention type alerts in addition to the BIOC rule detection alerts.
For example, if you configure a custom prevention rule for a BIOC Process event, apply it to Restrictions profile with an action mode set to Block, the Cortex XDR agent:
- Blocks a process at the endpoint level according to the defined rule properties.
- Raises a behavioral prevention alert you can monitor and investigate in theAlertstable.
Before you configure a BIOC rule as a custom prevention rule, create a Restriction Profile for each type of operating system (OS) that you want to deploy your prevention rules.
To configure a BIOC rule as a prevention rule:
- The user-defined BIOC rule event does not include the following field configurations:
- All Events—Host Name
- File Event—Device Type, Device Serial Number
- Process Event—Device Type, Device Serial Number
- Registry Event—Country, Raw Packet
- BIOC rules with OS scope definitions must align with the Restrictions profile OS.
- When defining the Process criteria for a user-defined BIOC rule event type, you can select to run only on actor, causality, and OS actor on Windows, and causality and OS actor on Linux and Mac.
- Testyour BIOC rule.Rules that you do not refine enough can create thousands of alerts. As a result, it is highly recommended that you test the behavior of a new or edited BIOC rule before you save it. Cortex XDR automatically disables BIOC rules that reach 5000 or more hits over a 24 hour period.
- Right-click and selectAdd to restrictions profile.If the rule is already referenced by one or more profiles, selectSee profilesto view the profile names.
- In theAdd to Restrictions Profilepop-up:
- Ensure the rule you selected is compatible with the type of endpoint operating system.
- Addthe BIOC rule to the selected profiles.The BIOC rule is now configured as a custom prevention rule and applied to your Restriction profiles. After the Restriction profile is pushed to your endpoints, the custom prevention rule can start triggering behavioral prevention type alerts.
- Review and edit your custom prevention rules.
- Navigate to.EndpointsPolicy ManagementProfiles
- Locate the Restrictions Profile to which you applied the BIOC rule. In theSummaryfield,Custom Prevention Rulesappears asEnabled.
- Right-click and selectEdit.
- In theCustom Prevention Rulessection, you can review and modify the following:
- Action Mode—Select toEnableorDisablethe BIOC prevention rules.
- Auto-disable—Select if to auto-disable a BIOC prevention rule if it triggers after a defined number of times during a defined duration.Auto-disable will turn off both the BIOC rule detection and the BIOC prevention rule.
- Prevention BIOC Rulestable—Filterand maintain the BIOC rules applied to this specific Restriction Profile. Right-click toDeletea rule orGo to BIOC Rulestable.
- Saveyour changes if necessary.
- Investigate the BIOC prevention rules alerts.
- Select.Settings ( )InvestigationIncidentsAlerts Table
- Filter the fields as follows:
- Alert Source:XDR Agent
- Action:Prevention (<profile action mode>)
- Alert Name:Behavioral Threat
- In theDescriptionfield you can see the rule name that raised the prevention alert.
You can use the import feature of Cortex XDR to import BIOCs from external feeds or that you previously exported. The export/import capability is useful for rapid copying of BIOCs across different Cortex XDR instances.
You can only import files that were exported from Cortex XDR. You can not edit an exported file.
- From Cortex XDR, select.RulesBIOC
- SelectImport Rules.
- Drag and drop the file on the import rules dialog orbrowseto a file.
- ClickImport.Cortex XDR loads any BIOC rules. This process may take a few minutes depending on the size of the file.
- Refresh the BIOC Rules page to view matches (# of Hits) in your historical data.
- To investigate any matches, view theAlertspage and filter theAlert Nameby the name of the BIOC rule.
Recommended For You
Recommended videos not found.