How to add an IOC or BIOC rule exception.
If you want to create a rule to take action on specific behaviors but also want to exclude one or more indicators from the rule, you can create an IOC or BIOC rule exception. An indicator can include the SHA256 hash of a process, process name, process path, vendor name, user name, causality group owner (CGO) full path, or process command-line arguments. For more information about these indicators, see Rules. For each exception, you also specify the rule scope to which the exception applies.
In case you need to map fields returned in an XQL process query to your exception configuration, the following table provides a matrix for the conditions mentioned in this procedure to the fields returned in a process query.
IOC/BIOC suppression rule conditions | Process query result fields |
---|---|
Process Sha256 | actor_process_image_sha256 |
Process Name | actor_process_image_name |
Process Path | actor_process_image_path |
Signed By Vendor | actor_process_signature_vendor |
User Name | actor_effective_username |
Cgo Full Path | actor_process_command_line |
Process Cmd | causality_actor_process_image_path |
Note
Cortex XSIAM only supports exceptions with one attribute. See Add an Alert Exclusion Rule to create advanced exceptions based on your filtered criteria.
Select
→ → .Click + New Exception.
Specify a Rule Name and an optional Description.
Configure the indicators and conditions which define the exception.
You can use wildcards for matching the command line.
Select the scope of the exception, whether the exception applies to IOCs, BIOCs, or both.
By default all BIOC rules which match the criteria are excluded. To exclude only specific BIOC rules, select them from the provided rule list. You can add multiple rules.
Save the exception rule.
By default, activity matching the indicators does not trigger any rule. As an alternative, you can select one or more rules. After you save the exception, the Exceptions count for the rule increments. If you later edit the rule, you will also see the exception defined in the rule summary.
Export A Rule Exception
You can choose to export a BIOC rule exception.
Select
→ → .In the Exceptions table, locate the exception rule you want to export. You can select multiple rules.
Right-click and select Export.
If one or more of the selected exceptions are applied to a specific BIOC rule, select one of the following options:
Export anyway.
Export only non-specific Exceptions—Only export exceptions are applied on all BIOC rules.
Export all Exceptions as non-specific—Export and apply specific Exceptions to BIOC rules.