https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/palo-alto-bioc-rule-content-error-specific-rule/m-p/532171#M3700 <P>Hello,<BR /><BR /></P> <P>There is an issue with one of the BIOC rules provided by Palo Alto. Specifically in the rule with Global ID "94fed992-c1da-4b69-9caa-292221b8c070".<BR /><BR /></P> <P>The wildcards for the command line arguments that this rule intents to detect, are off. To be precise all leading wildcards in this detection have a space afterwards, thus rendering the rule unable to detect the actual activity taking place.<BR />E.g. (not real argument): * test*, while the correct would be *test*.<BR /><BR /></P> <P>I have tested this and indeed it does not work as intended right now.<BR /><BR /></P> <P>Could you please review it from your side and make the necessary changes or guide me in order to open a ticket/email elsewhere if needed ? But from what I understand, this is not a tenant specific issue, so I thought opening a thread here was more appropriate.<BR /><BR /></P> <P>Thanks in advance,<BR />Ilias</P> Fri, 24 Feb 2023 11:02:30 GMT ithermos 2023-02-24T11:02:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/palo-alto-bioc-rule-content-error-specific-rule/m-p/532171#M3700 <P>Hello,<BR /><BR /></P> <P>There is an issue with one of the BIOC rules provided by Palo Alto. Specifically in the rule with Global ID "94fed992-c1da-4b69-9caa-292221b8c070".<BR /><BR /></P> <P>The wildcards for the command line arguments that this rule intents to detect, are off. To be precise all leading wildcards in this detection have a space afterwards, thus rendering the rule unable to detect the actual activity taking place.<BR />E.g. (not real argument): * test*, while the correct would be *test*.<BR /><BR /></P> <P>I have tested this and indeed it does not work as intended right now.<BR /><BR /></P> <P>Could you please review it from your side and make the necessary changes or guide me in order to open a ticket/email elsewhere if needed ? But from what I understand, this is not a tenant specific issue, so I thought opening a thread here was more appropriate.<BR /><BR /></P> <P>Thanks in advance,<BR />Ilias</P> Fri, 24 Feb 2023 11:02:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/palo-alto-bioc-rule-content-error-specific-rule/m-p/532171#M3700 ithermos 2023-02-24T11:02:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/palo-alto-bioc-rule-content-error-specific-rule/m-p/532211#M3705 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/269744">@ithermos</a>.</P> <P>&nbsp;</P> <P>I would recommend opening a TAC case with these findings so that it is properly documented and can be investigated internally by Palo Alto teams.</P> Fri, 24 Feb 2023 18:08:15 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/palo-alto-bioc-rule-content-error-specific-rule/m-p/532211#M3705 timurphy 2023-02-24T18:08:15Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/palo-alto-bioc-rule-content-error-specific-rule/m-p/534428#M3835 <P>Hi all,<BR /><BR />Just a heads up, via TAC case indeed, the resolution is on the way. IMO though, there should be another path for these kinds of issues (rule/content based, global etc).<BR /><BR />Thanks,<BR />Ilias</P> Wed, 15 Mar 2023 08:22:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/palo-alto-bioc-rule-content-error-specific-rule/m-p/534428#M3835 ithermos 2023-03-15T08:22:23Z