Create a BIOC rule - You can configure rules for behavioral indicators of compromise (BIOCs) to generate an issue on an identified threat. - Administrator Guide

Create a BIOC rule - You can configure rules for behavioral indicators of compromise (BIOCs) to generate an issue on an identified threat. - Administrator Guide - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product

Cortex Cloud Application Security > Cortex CLOUD

License

Cloud Runtime Security

Creation date

2024-12-24

Last date published

2026-06-10

Note

To ensure your BIOC rules generate issues efficiently and do not overcrowd your Issues table, Cortex Cloud automatically does the following:

Disables BIOC rules that reach 5000 or more hits over a 24-hour period.
Creates a rule exception based on the PROCESS SHA256 field for BIOC rules that hit more than 100 endpoints over a 72 hour period.

Create a BIOC rule from scratch

You can create a new BIOC rule in a similar way as you create a search with Query Builder or by building the rule query with XQL Search. In both methods, use Cortex Query Language (XQL) to define the rule using XQL syntax. The XQL query must at a minimum filter on the event_type field in order for it to be a valid BIOC rule. In addition, you can create BIOC rules using the xdr_data and cloud_audit_log datasets and presets for these datasets.

Note

A cloud_audit_log dataset requires a Cortex XDR Pro per GB license.
Currently, you cannot create a BIOC rule on customized datasets and only the filter stage, alter stage, and functions without any aggregations are supported for XQL queries that define a BIOC.
For BIOC rules, the field values in XQL are evaluated as case insensitive (config case_sensitive = false).

The following is an example of creating a BIOC rule in XQL.

dataset = xdr_data 
| filter event_type = PROCESS and 
         event_sub_type = PROCESS_START and 
         action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"

The following describes the event_type values for which you can create a BIOC rule.

FILE—Events relating to file create, write, read, and rename according to the file name and path.
INJECTION—Events related to process injections.
LOAD_IMAGE—Events relating to module IDs of processes.
NETWORK—Events relating to incoming and outgoing network, filed IP addresses, port, host name, and protocol.
PROCESS—Events relating to execution and injection of a process name, hash, path, and CMD.
REGISTRY—Events relating to registry write, rename and delete according to registry path.
STORY—Events relating to a combination of firewall and endpoint logs over the network.
EVENT_LOG—Events relating to Windows event logs and Linux system authentication logs.

To create a BIOC rule:

Select Threat Management → Detection Rules → BIOC.
Select + Add BIOC.
Configure your BIOC criteria using one of the following methods.
Build the BIOC rule query with XQL Search.
Click XQL Search.
The XQL query field is where you define the parameters of your query for the BIOC rule. To help you create an effective XQL query, the search field provides suggestions as you type. The XQL query must at a minimum filter on the event_type field in order for it to be a valid BIOC rule. In addition, you can create BIOC rules using the xdr_data and cloud_audit_log datasets and presets for these datasets. Currently, you cannot create a BIOC rule on customized datasets and only the filter stage, alter stage, and functions without any aggregations are supported for XQL queries that define a BIOC. For BIOC rules, the field values in XQL are evaluated as case insensitive (config case_sensitive = false). After configuring the XQL query for your BIOC rule and the syntax is valid, a indication is displayed, and it is possible to add the BIOC rule.
Click Test BIOC. Rules that you do not refine enough can generate thousands of issues. It is highly recommended that you test the behavior of a new or edited BIOC rule before you save it.
When you test the rule, Cortex Cloud immediately searches for rule matches across all your Cortex Cloud tenant data. The results are displayed in the Query Results tab underneath the XQL query field. Adjust any rule definition as needed.
Note
To demonstrate the expected behavior of the rule before you save it, Cortex Cloud tests the BIOC on historical logs. After you save a BIOC rule, it will operate both on historical logs (up to 10,000 hits) and on new data received from your log sensors.
(Optional) Use the Schema tab to view schema information for every field found in the result set. This information includes the field name, data type, descriptive text (if available), and the dataset that contains the field. In order for a field to appear in the Schema tab, it must contain a non-NULL value at least once in the result set.
Add as BIOC the new query rule configured.
Build the BIOC rule query through a specific entity.
Select an entity icon. Define any relevant activity or characteristics for the entity type. Create a new BIOC rule in the same way that you create a search with the Query Builder. You use XQL to define the rule. The XQL query must filter on an event_type in order for it to be a valid BIOC rule.
Test your BIOC rule. Rules that you do not refine enough can generate thousands of issues. It is highly recommended that you test the behavior of a new or edited BIOC rule before you save it.
When you test the rule, Cortex Cloud immediately searches for rule matches across all your Cortex Cloud Cortex Cloud tenant data. Adjust any rule definition as needed.
Note
To demonstrate the expected behavior of the rule before you save it, Cortex Cloud tests the BIOC on historical logs. After you save a BIOC rule, it will operate on both historical logs (up to 10,000 hits) and new data received from your log sensors.
Save the BIOC rule.
Define the following parameters.
1. Name—Specify a description or leave the default name which is automatically populated using the format XQL-BIOC-<rule number>.
2. Type—Select a rule TYPE that describes the activity.
3. Severity—Specify the Severity you want to associate with an issue generated based on this rule.
4. (Optional) Select the MITRE Technique and MITRE Tactic you want to associate with the issue. You can select up to 3 MITRE Techniques/Sub-Techniques and MITRE Tactics.
5. (Optional) Select the +<number> more global exceptions to view the EXCEPTIONS associated with this BIOC rule.
6. (Optional) Comment—Specify any additional comments, such as why you created the BIOC.
7. Click OK.

Import multiple BIOC rules

To match multiple indicators, you can upload the criteria in a CSV file. You can upload BIOCs using REST APIs in either CSV or JSON format. Your file can be a list of BIOCs from external feeds or a file that you previously exported from Cortex Cloud. The export/import capability is useful for rapid copying of BIOCs across different Cortex Cloud instances.

Upload a file, one BIOC per line, that contains up to 20,000 BIOCs. For example, you can upload multiple file paths and MD5 hashes for a BIOC rule. To help you format the upload file in the syntax that Cortex Cloud accepts, you can download the example file.

Note

You can only import files that were exported from Cortex Cloud. You can not edit an exported file.

Select Threat Management → Detection Rules → BIOC.
Select Import Rules.
Drag and drop the file on the import rules dialog or browse to a file.
Click Import.
Cortex Cloud loads any BIOC rules. This process may take a few minutes depending on the size of the file.
Refresh the BIOC Rules page to view matches (# of Hits) in your historical data.
To investigate any matches, view the Issues page and filter the Issue Name by the name of the BIOC rule.

Configure a custom prevention rule

Notice

Custom prevention rules are supported on Cortex Cloud agent 7.2 and later versions and enable you to configure and apply user-defined BIOC rules to Restriction profiles deployed on your Windows, Mac, and Linux endpoints.

By using the BIOC rules, you can configure custom prevention rules to terminate the causality chain of a malicious process according to the Action Mode defined in the associated Restrictions Security Profile and generate Cortex Cloud Agent behavioral prevention type issues in addition to the BIOC rule detection issues.

For example, if you configure a custom prevention rule for a BIOC Process event, apply it to the Restrictions profile with an action mode set to Block, the Cortex Cloud agent:

Blocks a process at the endpoint level according to the defined rule properties.
Generates a behavioral prevention issue that you can monitor and investigate in the Issues table.

Before you configure a BIOC rule as a custom prevention rule, create a Restriction Profile for each type of operating system (OS) that you want to deploy your prevention rules.

Note the following requirements and restrictions for converting a BIOC rule into a custom prevention rule:

The structure of your XQL query is critical for custom prevention rule compatibility. Adhere to the following guidelines:

Avoid using the alter stage.
Select PANW as the vendor.
If you use action_module_signature_vendor, the investigation type must be module_event.
The NOT IN operator is not supported for custom prevention rule conversion. If you need to exclude certain values, structure your query to use positive matching, for example include IN with AND conditions, or use a regular expression that excludes the desired values.

The following table lists all fields supported for custom prevention rule conversion and specifies their OS compatibility.

XQL Field	Supported Operating System
os_actor_process_image_path	Windows, macOS, Linux
os_actor_process_command_line	Windows, macOS, Linux
os_actor_process_image_md5	Windows, macOS, Linux
os_actor_process_image_sha256	Windows, macOS, Linux
os_actor_process_os_pid	Windows, macOS, Linux
action_evtlog_description	Windows
action_evtlog_message	Windows
action_evtlog_provider_name	Windows
action_evtlog_username	Windows
action_registry_key_name	Windows
action_registry_value_name	Windows
action_registry_data	Windows
action_module_path	Windows
action_module_md5	Windows
action_module_sha256	Windows
action_module_signature_vendor	Windows
actor_process_signature_vendor	Windows
causality_actor_process_signature_vendor	Windows
os_actor_process_signature_vendor	Windows
actor_process_signature_status	Windows
causality_actor_process_signature_status	Windows
os_actor_process_signature_status	Windows
action_remote_process_image_name	Windows
action_remote_process_image_path	Windows
action_remote_process_image_command_line	Windows
action_remote_process_os_pid	Windows

To configure a BIOC rule as a prevention rule:

In Threat Management → Detection Rules → BIOC, from the BIOC Rule table, filter the Source field to locate a user-defined rule you want to apply as a custom prevention rule. You can only apply a BIOC rule that you created either from scratch or a Cortex Cloud global rule template that meets the following criteria.
- The user-defined BIOC rule does not include the following field configurations.
  - All Events—Host Name
  - File Event—Device Type, Device Serial Number
  - Process Event—Device Type, Device Serial Number
  - Network Event—Country, Raw Packet
- BIOC rules with OS scope definitions must align with the Restrictions profile OS.
- When defining the Process criteria for a user-defined BIOC rule event type, you can select to run only on actor, causality, and OS actor on Windows, and causality and OS actor on Linux and Mac.
Test your BIOC rule.
Rules that you do not refine enough can generate thousands of issues. As a result, it is highly recommended that you test the behavior of a new or edited BIOC rule before you save it. Cortex Cloud automatically disables BIOC rules that reach 5000 or more hits over a 24-hour period.
Right-click and select Add to restrictions profile.
If the rule is already referenced by one or more profiles, select See profiles to view the profile names.
In the Add to Restrictions Profile pop-up:
- Ensure the rule you selected is compatible with the type of endpoint operating system.
- Select the Restriction Profile name you want to apply the BIOC rule to for each of the operating systems. BIOC event rules of type Event Log and Registry are only supported by Windows OS.
  Note
  You can only add to existing profiles you created, Cortex Cloud Default profiles will not appear as an option.
  When you want to add to restrictions profile, you can only use fields or options that exist in pre-built process-type BIOCs
Add the BIOC rule to the selected profiles.
The BIOC rule is now configured as a custom prevention rule and applied to your Restriction profiles. After the Restriction profile is pushed to your endpoints, the custom prevention rule can start generating behavioral prevention-type issues.
Review and edit your custom prevention rules.
1. Navigate to Endpoints → Policy Management → Profiles.
2. Locate the Restrictions Profile to which you applied the BIOC rule. In the Summary field, Custom Prevention Rules appears as Enabled.
3. Right-click and select Edit.
4. In the Custom Prevention Rules section, you can review and modify the following:
  - Action Mode—Select to Enable or Disable the BIOC prevention rules.
  - Auto-disable—Select if to auto-disable a BIOC prevention rule if it triggers after a defined number of times during a defined duration.
    Note
    Auto-disable will turn off both the BIOC rule detection and the BIOC prevention rule.
  - Prevention BIOC Rules table—Filter and maintain the BIOC rules applied to this specific Restriction Profile. Right-click to Delete a rule or Go to BIOC Rules table.
5. Save your changes if necessary.
6. Investigate the BIOC prevention rules issues.
  - Select Cases & Issues → Issues.
  - Filter the fields as follows:
    Issue Source: XDR Agent
    Action: Prevention (<profile action mode>)
    Issue Name: Behavioral Threat
  - In the Description field, you can see the rule name that generated the prevention issue.