https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-detection-for-cve-2023-2033/m-p/539083#M4168 <P>Hi community,</P> <P>&nbsp;</P> <P>I am attempting to create a BIOC detection for&nbsp;<SPAN>CVE-2023-2033.&nbsp;</SPAN></P> <P>&nbsp;</P> <P>I can see via host insights there are some machines which are running versions vulnerable to this exploit, however I am looking to create a BIOC to trigger based on chrome being spawned with a version of&nbsp;<SPAN>112.0.5615.121 or less.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>I can't seem to determine which query builder field will need to contain the version number. </SPAN></P> <P>&nbsp;</P> <P><SPAN>Would anyone else have any insight&nbsp;into this?&nbsp;</SPAN></P> Mon, 17 Apr 2023 21:54:41 GMT Callum_Crawford 2023-04-17T21:54:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-detection-for-cve-2023-2033/m-p/539083#M4168 <P>Hi community,</P> <P>&nbsp;</P> <P>I am attempting to create a BIOC detection for&nbsp;<SPAN>CVE-2023-2033.&nbsp;</SPAN></P> <P>&nbsp;</P> <P>I can see via host insights there are some machines which are running versions vulnerable to this exploit, however I am looking to create a BIOC to trigger based on chrome being spawned with a version of&nbsp;<SPAN>112.0.5615.121 or less.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>I can't seem to determine which query builder field will need to contain the version number. </SPAN></P> <P>&nbsp;</P> <P><SPAN>Would anyone else have any insight&nbsp;into this?&nbsp;</SPAN></P> Mon, 17 Apr 2023 21:54:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-detection-for-cve-2023-2033/m-p/539083#M4168 Callum_Crawford 2023-04-17T21:54:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-detection-for-cve-2023-2033/m-p/539137#M4170 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/182321">@Callum_Crawford</a>&nbsp;</P> <P>&nbsp;</P> <P>Apologies I had to remove my earlier post as using earlier XQL logic you may find the endpoints running that specific chrome version however using this preset <SPAN>you won't be able to create a BIOC rule</SPAN>.</P> <P>&nbsp;</P> <P><SPAN>preset = host_inventory_applications</SPAN><BR /><SPAN>| filter (application_name = "Google Chrome") and version &lt;= "112.0.5615.121"</SPAN></P> <P>&nbsp;</P> <P><SPAN>Let me check test and share it.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks</SPAN></P> Tue, 18 Apr 2023 05:23:34 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-detection-for-cve-2023-2033/m-p/539137#M4170 PiyushKohli 2023-04-18T05:23:34Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-detection-for-cve-2023-2033/m-p/539307#M4186 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/182321">@Callum_Crawford</a>&nbsp;</P> <P>&nbsp;</P> <P>Greetings! I have an update on your above Use Case, if I understood correctly you would like to detect endpoints vulnerable to&nbsp;<SPAN>CVE-2023-2033 and has chrome version&nbsp;112.0.5615.121 or less running on that endpoint. Instead of BIOC to achieve&nbsp;this you may <A href="https://docs-cortex.paloaltonetworks.com/r/3/Cortex-XDR-Pro-Administrator-Guide/Correlation-Rule-Details" target="_self">create Correlation Rule</A> and the Alert/Incident will be triggered whenever there is match.</SPAN></P> <P>&nbsp;</P> <P><SPAN>For Testing I tried below logic and it create alert for the use case I understood as shared above.</SPAN></P> <P>&nbsp;</P> <P><SPAN>dataset = va_cves <BR />| filter name = "CVE-2023-28293"<BR />| arrayexpand affected_hosts <BR />| join type = inner (preset = xdr_process | filter (actor_process_image_name contains "chrome") | dedup agent_hostname ) as end end.agent_hostname = affected_hosts<BR />| join type = inner (preset = host_inventory_applications | filter (application_name = "Google Chrome") and version &lt;= "112.0.5615.121") as ed ed.endpoint_name = affected_hosts <BR />| dedup endpoint_name<BR /><BR /></SPAN></P> <P><SPAN>You may further tune the query based on your requirement.&nbsp;</SPAN></P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> <P><BR />Regards.</P> Wed, 19 Apr 2023 07:20:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-detection-for-cve-2023-2033/m-p/539307#M4186 PiyushKohli 2023-04-19T07:20:11Z