topic Re: Correlation rules create incident in Cortex XDR Discussions

Correlation rules create incident

Cyber1985 — Tue, 24 May 2022 06:09:40 GMT

Hey dear sec community!

is there a way to setup an correlation rule, which can block and not only detect?

I couldn't find a way. I tried the XQL queries from the libary.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-correlation-rules/create-a-correlation-rule

Rob

Re: Correlation rules create incident

bbarmanroy — Tue, 24 May 2022 09:55:01 GMT

Hi @Cyber1985 I believe what you're looking for is Restrictions Profile. You can create a BIOC and add it to a Restrictions Profile for it to block certain behavior. Please note that this will be a post-execution module.

An example is preventing users from using Google Chrome to visit https://1.1.1.1. You can write that BIOC and add it a Restrictions Profile, and apply that to an endpoint/set of endpoints via Security policies.

Re: Correlation rules create incident

Cyber1985 — Fri, 27 May 2022 22:02:44 GMT

So correlation rules can't trigger a block, am I right?

So I created a BIOC Rule, here you can see it:

Where is the connection missing? I can remember in past I got that connection between BIOC and custom prevention rule which I could find under the restriction profile.

But now I can only enable it, but cannot define only my custom once, I don't want cortex to block all BIOCs. How can I deal with that?

Rob

Re: Correlation rules create incident

bbarmanroy — Fri, 03 Jun 2022 02:57:01 GMT

Hi @Cyber1985 please see the below screenshot where I am able to add it to a Restrictions Profile. I hope this meets your needs.

Re: Correlation rules create incident

Cyber1985 — Mon, 06 Jun 2022 17:59:51 GMT

Hey! Sure this fits somewhere my needs. But when I create a BIOC Rule out of a XQL, it won't work to put it into a restriction profile.

I like XQL and how do I translate it to the "standard input BIOC language"?

Rob

Re: Correlation rules create incident

afurze — Mon, 06 Jun 2022 18:29:37 GMT

Hi Cyber1985,

There are specific restrictions when attempting to use a custom prevention rule through the Restrictions Profile. Link to documentation is here (https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-biocs/create-a-bioc-rule ), however, I will summarize below:

To be valid as a BIOC rule, the XQL query must at least filter on event_type
To configure a BIOC rule as a prevention rule, the BIOC must not include the following field configurations
- All Eevnts - Host Name
- File Event - Device Type, Device Serial Number
- Process Event - Device Type, Device Serial Number
- Registry Event - Country, Raw Packet
If an OS scope is defined, it must match with the Restrictions profile OS type
When defining the Process criteria for a user-defined BIOC rule event type, you can select to run only on actor, causality, and OS actor on Windows, and causality and OS actor on Linux and Mac

Please review your BIOC rule and ensure that it meets these guidelines, if possible, post the BIOC rule here for further troubleshooting.

Re: Correlation rules create incident

Cyber1985 — Mon, 06 Jun 2022 19:52:51 GMT

I found out, you should not take the fields and timeframe to your XQL Query, when a BIOC-Rule + Restriction Input should be created out of it.

So I was able to get my goal 🙂

Thank you very much @afurze @bbarmanroy !

Rob

Re: Correlation rules create incident

E.Jafarov — Tue, 19 Nov 2024 10:06:43 GMT

Hi Cyber1985,

Correlation rules only shows actions as an alert. they do not any capability to block the action