From the Cortex XDR management console, you can define your own behavior-based detection rules using behavioral indicator of compromise (BIOC) rules.
If you are assigned a role that enables → privileges, you can view all user-defined and preconfigured rules for behavioral indicators of compromise (BIOCs) from → → . If you have Cortex XDR - Analytics enabled, Cortex XDR also provides a separate page from which you can view Analytics BIOCs (ABIOCs). To access this page, use the link next to the refresh icon at the top of the page.
Each page displays fields that are relevant to the specific rule type.
BIOC Rule Fields
By default, the BIOC Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the BIOC Rules page, you can also manage existing rules using the right-click pivot menu.
The following table describes the fields that are available for each BIOC rule in alphabetical order.
Field | Description |
---|---|
# OF HITS | The number of hits (matches) on this rule. |
BACKWARDS SCAN STATUS | Status of the Cortex XDR search for the first 10,000 matches when the BIOC rule was created or edited. Status can be: |
BACKWARDS SCAN TIMESTAMP | Timestamp of the Cortex XDR search for the first 10,000 matches in your Cortex XDR when the BIOC rule was created or edited. |
BACKWARDS SCAN RETRIES | Number of times Cortex XDR searched for the first 10,000 matches in your Cortex XDR when the BIOC rule was created or edited. |
BEHAVIOR | A schematic of the behavior of the rule. |
COMMENT | Free-form comments specified when the BIOC was created or modified. |
EXCEPTIONS | Exceptions to the BIOC rule. When there's a match on the exception, the event will not trigger an alert. |
GLOBAL RULE ID | Unique identification number assigned to rules created by Palo Alto Networks. |
INSERTION DATE | Date and time when the BIOC rule was created. |
MITRE ATT&CK TACTIC | The MITRE ATT&CK tactic that the BIOC rule is designed to trigger on. |
MITRE ATT&CK TECHNIQUE | The MITRE ATT&CK technique and sub-technique that the BIOC rule is designed to trigger on. |
MODIFICATION DATE | Date and time when the BIOC was last modified. |
NAME | Unique name that describes the rule. Global BIOC rules defined by Palo Alto Networks are indicated with a blue dot and cannot be modified or deleted. |
RULE ID | Unique identification number for the rule. |
TYPE | Type of BIOC rule: |
SEVERITY | BIOC severity that was defined when the BIOC was created. |
SOURCE | User who created this BIOC, the file name from which it was created, or Palo Alto Networks if delivered through content updates. |
STATUS | When you hover over a rule that's disabled, a pop-up message appears to provide more information about the Disable action. |
USED IN PROFILES | Indicates whether the BIOC rule is associated with a Restriction profile. |
Analytics BIOC Fields
By default, the Analytics BIOC Rules page displays all enabled rules. To search for a specific rule, use the filters above the results table to narrow the results. From the Analytics BIOC Rules page, you can also disable and enable rules using the right-click pivot menu.
The following table describes the fields that are available for each Analytics BIOC rule in alphabetical order.
Field | Description |
---|---|
Activation Prerequisites | Displays a description of the prerequisites Cortex XDR requires in order to activate the rule. |
Description | Description of the behavior that will raise the alert. |
# OF HITS | The number of hits (matches) on this rule. |
NAME | Unique name that describes the rule. New rules are identified with a blue badge icon. Rules associated with Identity Analytics are displayed with an Identity Analytics tag. |
SEVERITY | BIOC severity that was defined when the BIOC rule was created. Severity levels can be Low, Medium, High, Critical, and Multiple. Multiple severity BIOC rules can raise alerts with different severity levels. Hover over the flag to see the severities defined for the rule. |
STATUS | Displays whether the rule is Enabled, Disabled, or Pending Activation. Rules that are Pending Activation are in the process of collecting the data required to enable the rule. Hover over the field to view how much data within a certain period of time has already been collected. |
TAGS | Detector Tags assigned to the rule. You can filter the results by these tags to find specific detectors such as Identity Threat, Identity Analytics, and others. |