https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/will-the-rule-builder-accept-powershell-commands/m-p/540918#M4282 <P>Hi Chris_Dietz,<BR /><BR />Yes, the CMD field in the BIOC rule builder applies to any process command line captured by the XDR agent, including powershell. You can narrow your rule down further by defining powershell.exe as the process name in the rule builder as well.&nbsp;<BR /><BR />Thanks,<BR />Ben</P> Wed, 03 May 2023 14:21:50 GMT bbucao 2023-05-03T14:21:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/will-the-rule-builder-accept-powershell-commands/m-p/540606#M4260 <P>Will the process rule builder accept Powershell commands? or only Windows command line?</P> Mon, 01 May 2023 15:59:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/will-the-rule-builder-accept-powershell-commands/m-p/540606#M4260 Chris_Dietz 2023-05-01T15:59:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/will-the-rule-builder-accept-powershell-commands/m-p/540918#M4282 <P>Hi Chris_Dietz,<BR /><BR />Yes, the CMD field in the BIOC rule builder applies to any process command line captured by the XDR agent, including powershell. You can narrow your rule down further by defining powershell.exe as the process name in the rule builder as well.&nbsp;<BR /><BR />Thanks,<BR />Ben</P> Wed, 03 May 2023 14:21:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/will-the-rule-builder-accept-powershell-commands/m-p/540918#M4282 bbucao 2023-05-03T14:21:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/will-the-rule-builder-accept-powershell-commands/m-p/540923#M4285 <P>Thanks Ben! What do I do if I have a multiple line command? Do I just paste it all in there?</P> Wed, 03 May 2023 14:30:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/will-the-rule-builder-accept-powershell-commands/m-p/540923#M4285 Chris_Dietz 2023-05-03T14:30:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/will-the-rule-builder-accept-powershell-commands/m-p/540941#M4287 <P>Hi Chris_Dietz,<BR /><BR />I may have misunderstood your original question. The logic you use to match the traffic will depend on how it was executed. If a command prompt is used to execute powershell commands such as&nbsp;<EM>powershell.exe Write-Host "Hello, World!",&nbsp;</EM>You could use the process rule builder to match on the command line.&nbsp; If the command/commands were executed through a powershell terminal you can try using the query below as a template to create rules off of. You can add any number of filtering criteria on the "content" field which should result in matches on your identified powershell activity. I do recommend running some test powershell commands and validating that you can match on it using a variation of the below query, which is valid to save as a BIOC rule.<BR /><BR />dataset = xdr_data<BR />| filter event_type = EVENT_LOG and action_evtlog_message = "AmsiScanBuffer "<BR />| alter content = json_extract_scalar(action_evtlog_data_fields, "$.content")<BR />|filter actor_process_image_path contains "powershell"<BR />//| filter content contains "Write-Host Hello, World"&nbsp;<BR /><BR /><BR />Thanks,<BR />Ben</P> Wed, 03 May 2023 17:04:10 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/will-the-rule-builder-accept-powershell-commands/m-p/540941#M4287 bbucao 2023-05-03T17:04:10Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/will-the-rule-builder-accept-powershell-commands/m-p/540962#M4288 <P>Hi Ben,</P> <P>&nbsp;</P> <P>I'm trying to take some of the Red Canary tests and add the criteria to Cortex. Here is a link to what I'm looking at to give you an idea.</P> <P><A href="https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md" target="_blank">https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md</A></P> <P>&nbsp;</P> Wed, 03 May 2023 17:22:31 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/will-the-rule-builder-accept-powershell-commands/m-p/540962#M4288 Chris_Dietz 2023-05-03T17:22:31Z