Add an IOC or BIOC rule exception - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide
Abstract

Learn how to add an IOC or BIOC rule exception.

If you want to create a rule to take action on specific behaviors but also want to exclude one or more indicators from the rule, you can create an IOC or BIOC rule exception. An indicator can include the SHA256 hash of a process, process name, process path, vendor name, user name, causality group owner (CGO) full path, or process command-line arguments. For more information about these indicators, see Detection rules. For each exception, you also specify the rule scope to which the exception applies.

If you need to map the fields returned by an XQL process query to your exception configuration, the following table matches each condition used in this procedure to the corresponding process query result field.

IOC/BIOC suppression rule condition    Process query result field
Process Sha256                         actor_process_image_sha256
Process Name                           actor_process_image_name
Process Path                           actor_process_image_path
Signed By Vendor                       actor_process_signature_vendor
User Name                              actor_effective_username
Cgo Full Path                          causality_actor_process_image_path
Process Cmd                            actor_process_command_line

Note

Cortex XDR only supports exceptions with one attribute. See Add an alert exclusion rule to create advanced exceptions based on your filtered criteria.

  1. Select Settings > Exception Configuration > IOC/BIOC Suppression Rules.

  2. Click + New Exception.

  3. Specify a rule name and an optional description.

  4. Configure the indicators and conditions that define the exception.

    You can use wildcards to match the command line.

  5. Select the scope of the exception: whether it applies to IOCs, BIOCs, or both.

    By default, all BIOC rules that match the criteria are excluded. To exclude only specific BIOC rules, select them from the provided rule list. You can add multiple rules.

  6. Save the exception rule.

    By default, activity matching the indicators does not trigger any rule. As an alternative, you can select one or more rules. After you save the exception, the Exceptions count for the rule increments. If you later edit the rule, you will also see the exception defined in the rule summary.
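As an added example that is not part of the Cortex XDR documentation, the following Python uses the condition-to-field mapping above to check a candidate single-attribute exception against rows returned by an XQL process query before you save it, so you can see how many observed processes it would silence. It assumes each query row is a dict keyed by XQL field name, that the command line is matched with shell-style wildcards, and that the other attributes match exactly; the sample rows are constructed, not real telemetry.

```python
import fnmatch

# Exception condition -> XQL process query result field (the mapping from the table above).
CONDITION_TO_FIELD = {
    "Process Sha256": "actor_process_image_sha256",
    "Process Name": "actor_process_image_name",
    "Process Path": "actor_process_image_path",
    "Signed By Vendor": "actor_process_signature_vendor",
    "User Name": "actor_effective_username",
    "Cgo Full Path": "causality_actor_process_image_path",
    "Process Cmd": "actor_process_command_line",
}

def build_exception(condition, value):
    """Validate a single-attribute exception (Cortex XDR supports only one attribute)."""
    if condition not in CONDITION_TO_FIELD:
        raise ValueError(f"unknown condition: {condition}")
    if condition == "Process Sha256":
        value = value.lower()  # assumption: hashes are compared case-insensitively
        if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
            raise ValueError("Process Sha256 must be a 64-character hex digest")
    return {"condition": condition, "field": CONDITION_TO_FIELD[condition], "value": value}

def matches(exception, row):
    """True if this process query row would be covered by the exception."""
    observed = row.get(exception["field"])
    if observed is None:
        return False
    if exception["condition"] == "Process Cmd":
        return fnmatch.fnmatchcase(observed, exception["value"])  # wildcards on the command line
    if exception["condition"] == "Process Sha256":
        return observed.lower() == exception["value"]
    return observed == exception["value"]  # assumption: other attributes match exactly

def count_suppressed(exception, rows):
    """Number of sampled rows the exception covers; a large count signals an over-broad exception."""
    return sum(1 for row in rows if matches(exception, row))

# Constructed sample rows in the shape of an XQL process query result (not real telemetry).
SAMPLE_ROWS = [
    {"actor_process_image_sha256": "A" * 64, "actor_process_image_name": "updater.exe",
     "actor_process_image_path": "C:\\Program Files\\ExampleVendor\\updater.exe",
     "actor_process_command_line": "updater.exe --update-check --quiet"},
    {"actor_process_image_sha256": "b" * 64, "actor_process_image_name": "updater.exe",
     "actor_process_image_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "actor_process_command_line": "updater.exe --update-check --quiet"},
    {"actor_process_image_sha256": "c" * 64, "actor_process_image_name": "powershell.exe",
     "actor_process_image_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "actor_process_command_line": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
]
```

In the sample, a command-line wildcard exception also covers the copy of updater.exe running from a user-writable temp directory, whereas a Process Sha256 or Process Path exception covers only the installed binary.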

Export a rule exception

You can choose to export a BIOC rule exception.

  1. Select Settings > Exception Configuration > IOC/BIOC Suppression Rules.

  2. In the Exceptions table, locate the exception rule you want to export. You can select multiple rules.

  3. Right-click and select Export.

    If one or more of the selected exceptions are applied to a specific BIOC rule, select one of the following options:

    • Export anyway

    • Export only non-specific Exceptions: Exports only the exceptions that apply to all BIOC rules

    • Export all Exceptions as non-specific: Exports every selected exception, with the ones tied to specific BIOC rules converted into exceptions that apply to all BIOC rules