Manage Global BIOC Rules

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-05-12
Category: Administrator Guide
Abstract

Update and copy BIOC rules, and add rule exceptions in Cortex XSIAM.

Cortex XSIAM periodically checks for updates to the global BIOC rules that Palo Alto Networks publishes. If there are no new global BIOC rules, the app displays a content status of Content up to date next to the BIOC rules table heading. A dot to the left of the rule name indicates a global BIOC rule.

You can also display the optional Source field in the table to see which rules are pushed by Palo Alto Networks (Source: Palo Alto Networks) and which were created in your tenant (Source: User Defined).

  1. Get the latest global BIOC rules.

    1. Navigate to Detection & Threat Intel > Detection Rules > BIOC.

    2. To view the content details, hover over the Content up to date status. The tooltip shows the global rules version number and the date of the last update check.

      The content status displays the date when the content was last updated, either automatically or manually by an administrator.

    3. If the status displays Could not check update, click the status to check for updates manually.

      The last updated date changes when the download is successful.

  2. Copy a global BIOC rule.

    You cannot directly modify a global rule, but you can copy a global rule and use it as a template for a new, editable rule.

    1. Locate a rule whose Source is Palo Alto Networks, right-click it, and select Save as New.

    2. Review and modify the BIOC properties as needed.

    3. Select OK to save the rule.

      The rule appears in the BIOC Rules table with a Source of User Defined, and you can edit it. Because the copy is a separate user-defined rule, it is not changed when Palo Alto Networks later updates the original global rule; review your copies after content updates if you want them to track the latest global logic.

  3. Add a rule exception.

    Although you cannot edit global rules, you can add exceptions to a global rule if needed. An exception suppresses matches for the rule, so scope each exception as narrowly as possible (for example, to a specific process, path, or endpoint group) to avoid silencing detections beyond the known false positive.