https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytic-bioc-rules-right-click-open-in-query-builder/m-p/486111#M1953 <P>We have a support ticket open for "informational" analytic BIOC rules that are not alerting.</P><P>These do not show up in the incidents or alert table, but the number of alerts in that column has more than 0</P><P>Support has indicated there is not a way to view the hits of the rule</P><P>Does anyone know a way to view these analytic bioc rule alerts</P><P>&nbsp;</P><P>When viewing normal bioc rules, you can right click and open in query builder.</P><P>This option isn't available when looking at analytic bioc rules.</P><P>Is there a place or way to view how the rule is structured...what the xql query is?&nbsp;</P><P>&nbsp;</P> Tue, 10 May 2022 14:04:57 GMT NathanBradley 2022-05-10T14:04:57Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytic-bioc-rules-right-click-open-in-query-builder/m-p/486111#M1953 <P>We have a support ticket open for "informational" analytic BIOC rules that are not alerting.</P><P>These do not show up in the incidents or alert table, but the number of alerts in that column has more than 0</P><P>Support has indicated there is not a way to view the hits of the rule</P><P>Does anyone know a way to view these analytic bioc rule alerts</P><P>&nbsp;</P><P>When viewing normal bioc rules, you can right click and open in query builder.</P><P>This option isn't available when looking at analytic bioc rules.</P><P>Is there a place or way to view how the rule is structured...what the xql query is?&nbsp;</P><P>&nbsp;</P> Tue, 10 May 2022 14:04:57 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytic-bioc-rules-right-click-open-in-query-builder/m-p/486111#M1953 NathanBradley 2022-05-10T14:04:57Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytic-bioc-rules-right-click-open-in-query-builder/m-p/486602#M1974 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/24508">@NathanBradley</a>&nbsp;</P><P>The below article can best explain you the logic behind all the ABIOC rules setup in Cortex.</P><P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference</A></P><P>In general, informational alerts will only show up when an incident is triggered and get stitched with other alerts as part of insights in an incident to help better understand the incident.</P><P>&nbsp;</P><P>Speaking for myself, if we start investigating into informational alerts then we will end up chasing false positives but there might be cases where your investigation might lead to a possible suspicious activity.</P><P>&nbsp;</P><P>In order to find the suspicious activity you will first need to know some start point. For example:</P><P>In this cases we are looking for a command called "net user" (we created a BIOC rule to detect this command as informational). So lets say the query returned a result from there on we dig into the causality chain and then click on the process itself and then see the activity for alert as informational. (Not the best way to look for informational alert but does the trick.) You can use a similar logic to find ABIOC informational alerts.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KanwarSingh01_1-1652330651374.png" style="width: 789px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/40961i6E5EBCD90BBCFC97/image-dimensions/789x500/is-moderation-mode/true?v=v2" width="789" height="500" role="button" title="KanwarSingh01_1-1652330651374.png" alt="KanwarSingh01_1-1652330651374.png" /></span></P><P>&nbsp;</P><P>Thank You.</P> Thu, 12 May 2022 04:46:59 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytic-bioc-rules-right-click-open-in-query-builder/m-p/486602#M1974 KanwarSingh01 2022-05-12T04:46:59Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytic-bioc-rules-right-click-open-in-query-builder/m-p/486795#M1981 <P>Im looking for a way to either see the events that caused the analytic bioc to fire</P><P>or a way to view the query behind the rule</P><P>&nbsp;</P><P>For example the rule below has 7 alerts</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanBradley_0-1652364269918.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/40977i1C2E4A7336791B5D/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="NathanBradley_0-1652364269918.png" alt="NathanBradley_0-1652364269918.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 12 May 2022 14:05:45 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytic-bioc-rules-right-click-open-in-query-builder/m-p/486795#M1981 NathanBradley 2022-05-12T14:05:45Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytic-bioc-rules-right-click-open-in-query-builder/m-p/527282#M3400 <P>Wondering how I can hunt for BIOC "elevation of privilege" events, for example pertinent to "<SPAN>CVE-2023-21674&nbsp;</SPAN>"</P> Mon, 16 Jan 2023 22:05:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/analytic-bioc-rules-right-click-open-in-query-builder/m-p/527282#M3400 SamuelSt 2023-01-16T22:05:26Z