Add an IOC or BIOC Rule Exception

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-07-16
Last date published: 2024-11-07
Category: Administrator Guide

Abstract

How to add an IOC or BIOC rule exception.

If you want a rule to take action on specific behaviors but also need to exclude one or more indicators from it, create an IOC or BIOC rule exception. An indicator can be the SHA256 hash of a process, a process name, a process path, a signing vendor name, a user name, the full path of the causality group owner (CGO), or the process command-line arguments. For more information about these indicators, see Rules. For each exception you also specify the rule scope to which the exception applies.

If you need to map fields returned by an XQL process query to your exception configuration, the following table matches each condition used in this procedure to the field returned by a process query. (The CGO full path is the image path of the causality actor, and the process command line is the actor's command line; the two are easy to confuse when copying values from query results.)

IOC/BIOC suppression rule condition    Process query result field
Process Sha256                         actor_process_image_sha256
Process Name                           actor_process_image_name
Process Path                           actor_process_image_path
Signed By Vendor                       actor_process_signature_vendor
User Name                              actor_effective_username
Cgo Full Path                          causality_actor_process_image_path
Process Cmd                            actor_process_command_line

Note

Cortex XSIAM supports exceptions with a single attribute only. To create advanced exceptions that combine several filter criteria, see Add an Alert Exclusion Rule.

  1. Select Settings → Exception Configuration → IOC/BIOC Suppression Rules.

  2. Click + New Exception.

  3. Specify a Rule Name and an optional Description.

  4. Configure the indicator and condition that define the exception.

    Because an exception carries a single attribute, choose the one that identifies the excepted activity most precisely. A SHA256 hash is harder for an attacker to satisfy than a process name or path, which any binary can be given, and a user name or a wildcarded command line excepts a correspondingly broader set of activity.

    You can use wildcards for matching the command line.

  5. Select the scope of the exception: whether it applies to IOCs, BIOCs, or both.

    By default, every BIOC rule that the indicator matches is excluded, so matching activity does not trigger any rule. To exclude only specific BIOC rules, select them from the rule list; you can add multiple rules.

  6. Save the exception rule.

    After you save the exception, the Exceptions count for each affected rule increments. If you later edit a rule, the exception also appears in the rule summary.
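The query below is an added example, not part of the original guide or a Palo Alto Networks query. Assuming you are deciding which single attribute to put in the exception, it collects the fields that the mapping table above ties to each suppression rule condition, grouped by hash and signing vendor, so you can see whether one hash runs from several paths or under several users before you choose between a SHA256, a path or a user-name exception. The process name powershell.exe and the 7-day window are placeholder choices.

```xql
// Added example (assumed, not from the guide): gather the process query fields that
// map to IOC/BIOC suppression rule conditions for an assumed process name.
config timeframe = 7d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
// Placeholder: the process you are considering an exception for.
| filter actor_process_image_name = "powershell.exe"
// One field per suppression rule condition, in the order of the mapping table:
// Process Sha256, Process Name, Process Path, Signed By Vendor, User Name,
// Cgo Full Path, Process Cmd.
| fields _time, agent_hostname,
         actor_process_image_sha256,
         actor_process_image_name,
         actor_process_image_path,
         actor_process_signature_vendor,
         actor_effective_username,
         causality_actor_process_image_path,
         actor_process_command_line
// Group by the two narrowest attributes; the value sets show how wide a
// path-, user- or command-line-based exception would have to be.
| comp count() as starts,
       values(actor_process_image_path) as paths,
       values(actor_effective_username) as users,
       values(causality_actor_process_image_path) as cgo_paths,
       values(actor_process_command_line) as cmdlines
  by actor_process_image_sha256, actor_process_signature_vendor
| sort desc starts
| limit 50
```

Copy the exact value from the column that corresponds to the condition you select in step 4; a hash that appears with a single path and a single signing vendor is the narrowest exception the table offers.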

Export A Rule Exception

You can choose to export a BIOC rule exception.

  1. Select Settings → Exception Configuration → IOC/BIOC Suppression Rules.

  2. In the Exceptions table, locate the exception rule you want to export. You can select multiple rules.

  3. Right-click and select Export.

    If one or more of the selected exceptions apply to specific BIOC rules, select one of the following options:

    • Export anyway: export the selected exceptions as they are.

    • Export only non-specific Exceptions: export only the exceptions that apply to all BIOC rules; rule-specific exceptions are skipped.

    • Export all Exceptions as non-specific: export every selected exception, with rule-specific exceptions converted so that they apply to all BIOC rules.