Add an IOC or BIOC Rule Exception

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-10-31
Last date published: 2024-03-19
Category: Administrator Guide
Abstract

How to add an IOC or BIOC rule exception.

If you want a rule to act on specific behaviors but also want to exclude one or more indicators from it, you can create an IOC or BIOC rule exception. An indicator can be the SHA256 hash of a process, a process name, a process path, a vendor name, a user name, the full path of the causality group owner (CGO), or process command-line arguments. For more information about these indicators, see Rules. For each exception, you also specify the rule scope (IOC, BIOC, or both) to which the exception applies.

Note

Cortex XDR only supports exceptions that match on a single attribute. To build more advanced exceptions from filtered criteria, see Add an Alert Exclusion Rule.

  1. Select Settings > Exception Configuration > IOC/BIOC Suppression Rules.

  2. Click + New Exception.

  3. Specify a Rule Name and an optional Description.

  4. Configure the indicators and conditions which define the exception.

    Exact values are required for every attribute except the command line, where you can use wildcards to match variable arguments.

  5. Select the scope of the exception, whether the exception applies to IOCs, BIOCs, or both.

    By default, the exception applies to every BIOC rule that matches the indicator. To limit it to specific BIOC rules, select them from the rule list; you can add multiple rules.

  6. Save the exception rule.

    By default, activity matching the indicator no longer triggers any rule in the selected scope; if you selected specific BIOC rules, only those rules are suppressed. After you save the exception, the Exceptions count for each affected rule increments, and if you later edit the rule, the exception is listed in the rule summary.
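The following is an added example, not Cortex XDR code, that models the exception semantics described in the steps above so you can reason about what a given exception will and will not suppress before you save it: exactly one attribute per exception, wildcards only on the command line, a scope of IOC, BIOC, or both, and an optional list of specific BIOC rules that narrows the exception from "all BIOC rules" to the rules listed. The `*` wildcard is implemented with Python's `fnmatch`, and matching is case-insensitive; both are assumptions of this model, not documented Cortex XDR behavior. The exception and alert data are constructed for illustration.

```python
"""Toy model of IOC/BIOC exception evaluation (illustrative, not Cortex XDR code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, Iterable, List, Tuple

# The single-attribute indicators an exception can be built on.
ATTRIBUTES = {"sha256", "process_name", "process_path", "vendor", "user", "cgo_path", "cmdline"}
SCOPES = {"IOC", "BIOC", "BOTH"}


@dataclass(frozen=True)
class RuleException:
    name: str
    attribute: str                              # exactly one indicator attribute
    pattern: str                                # literal value; '*' wildcard only for cmdline
    scope: str                                  # "IOC", "BIOC" or "BOTH"
    bioc_rules: FrozenSet[str] = frozenset()    # empty = applies to all BIOC rules

    def __post_init__(self) -> None:
        if self.attribute not in ATTRIBUTES:
            raise ValueError(f"unsupported attribute {self.attribute!r}")
        if self.scope not in SCOPES:
            raise ValueError(f"bad scope {self.scope!r}")
        if self.bioc_rules and self.scope == "IOC":
            raise ValueError("a BIOC rule list makes no sense for an IOC-only exception")
        if "*" in self.pattern and self.attribute != "cmdline":
            raise ValueError("wildcards are only supported on the command line")


@dataclass(frozen=True)
class Alert:
    rule_type: str                  # "IOC" or "BIOC"
    rule_name: str
    indicators: Dict[str, str]      # attribute -> value observed on the endpoint


def indicator_matches(exc: RuleException, alert: Alert) -> bool:
    """Compare the exception's single attribute with the alert's observed value."""
    value = alert.indicators.get(exc.attribute)
    if value is None:
        return False
    # Assumption of this model: matching is case-insensitive (Windows paths, hex hashes).
    value, pattern = value.lower(), exc.pattern.lower()
    if exc.attribute == "cmdline":
        # fnmatch also treats '?' and '[...]' specially; escape them if your data contains them.
        return fnmatchcase(value, pattern)
    return value == pattern


def in_scope(exc: RuleException, alert: Alert) -> bool:
    """IOC/BIOC scope first, then the optional per-rule narrowing for BIOC alerts."""
    if exc.scope not in ("BOTH", alert.rule_type):
        return False
    if alert.rule_type == "BIOC" and exc.bioc_rules:
        return alert.rule_name in exc.bioc_rules
    return True


def suppressing_exceptions(exceptions: Iterable[RuleException], alert: Alert) -> List[str]:
    return [e.name for e in exceptions if in_scope(e, alert) and indicator_matches(e, alert)]


def triage(exceptions: List[RuleException],
           alerts: List[Alert]) -> Tuple[List[Alert], List[Tuple[Alert, List[str]]]]:
    """Split alerts into those that still fire and those suppressed (with the exception names)."""
    fired, suppressed = [], []
    for alert in alerts:
        names = suppressing_exceptions(exceptions, alert)
        if names:
            suppressed.append((alert, names))
        else:
            fired.append(alert)
    return fired, suppressed


def is_overly_broad(exc: RuleException, min_literal_chars: int = 8) -> bool:
    """Heuristic review check: a cmdline pattern with little literal text suppresses too much."""
    if exc.attribute != "cmdline":
        return False
    return len(exc.pattern.replace("*", "").strip()) < min_literal_chars


# Constructed sample data for the demonstration.
EXCEPTIONS = [
    RuleException("Backup agent binary", "process_path",
                  r"C:\Program Files\BackupCo\bkagent.exe", "BOTH"),
    RuleException("Helpdesk PsExec", "cmdline", r"*psexec* -s \\HELPDESK-*", "BIOC",
                  frozenset({"Lateral movement via PsExec"})),
]
ALERTS = [
    Alert("BIOC", "Lateral movement via PsExec", {"cmdline": r"PsExec.exe -s \\HELPDESK-07 cmd.exe"}),
    Alert("BIOC", "Suspicious service installation", {"cmdline": r"PsExec.exe -s \\HELPDESK-07 cmd.exe"}),
    Alert("IOC", "Known-bad SHA256", {"sha256": "a" * 64,
                                      "process_path": r"C:\Program Files\BackupCo\bkagent.exe"}),
    Alert("IOC", "Known-bad SHA256", {"cmdline": r"PsExec.exe -s \\HELPDESK-07 cmd.exe"}),
]

if __name__ == "__main__":
    fired, suppressed = triage(EXCEPTIONS, ALERTS)
    for alert, names in suppressed:
        print(f"suppressed {alert.rule_type} '{alert.rule_name}' by {names}")
    for alert in fired:
        print(f"FIRES      {alert.rule_type} '{alert.rule_name}'")
    for exc in EXCEPTIONS:
        if is_overly_broad(exc):
            print(f"review: exception '{exc.name}' has a very broad command-line pattern")
```

Two things the run makes visible that the steps alone do not: the same PsExec command line is suppressed for the one BIOC rule named in the exception but still fires for any other BIOC rule and for every IOC rule, because the exception's scope is BIOC only; and the process-path exception with scope "both" silences an IOC hit on that path even though the IOC is a hash indicator, so a path-based exception is effectively a trust decision for anything running from that location.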

Export A Rule Exception

You can export one or more BIOC rule exceptions from the Exceptions table.

  1. Select Settings > Exception Configuration > IOC/BIOC Suppression Rules.

  2. In the Exceptions table, locate the exception rule you want to export. You can select multiple rules.

  3. Right-click and select Export.

    If one or more of the selected exceptions are applied to a specific BIOC rule, select one of the following options:

    • Export anyway—Export the selected exceptions as they are, including the ones applied to specific BIOC rules.

    • Export only non-specific Exceptions—Export only the exceptions that apply to all BIOC rules; rule-specific exceptions are skipped.

    • Export all Exceptions as non-specific—Export every selected exception, converting the rule-specific ones into non-specific exceptions that apply to all BIOC rules.