https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlation-rules-and-biocs/m-p/543210#M4428 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/271703">@FabioFerreira</a>,</P> <P>&nbsp;</P> <P>For BIOC and correlation rules first I would recommend to start looking at threats you've seen in the past that weren't properly blocked or reported according to your organization's SOPs.&nbsp; Once that job has been handled sufficiently and your SOC team has matured I recommend looking outside of your organization and looking and new TTPs and threats that are being seen in the wild and build IOCs and correlations rules to match that activity.</P> <P>&nbsp;</P> <P>I understand this may not be the information you're looking for, but no one outside of your organization is going to be able to tell you exactly what you need to be looking for.&nbsp; Different threats are more prevalent in certain industries/verticals than others.&nbsp; Also, everyone's team is at a different level of maturity.'</P> <P>&nbsp;</P> <P>I hope this information helps.</P> Wed, 24 May 2023 15:08:10 GMT anlynch 2023-05-24T15:08:10Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlation-rules-and-biocs/m-p/543202#M4423 <P>Hi,</P> <P>&nbsp;</P> <P>What correlation rules and BIOCs created manually do you suggest?</P> <P>&nbsp;</P> <P>Regards,</P> <P>Fábio Ferreira</P> Wed, 24 May 2023 14:43:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlation-rules-and-biocs/m-p/543202#M4423 FabioFerreira 2023-05-24T14:43:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlation-rules-and-biocs/m-p/543210#M4428 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/271703">@FabioFerreira</a>,</P> <P>&nbsp;</P> <P>For BIOC and correlation rules first I would recommend to start looking at threats you've seen in the past that weren't properly blocked or reported according to your organization's SOPs.&nbsp; Once that job has been handled sufficiently and your SOC team has matured I recommend looking outside of your organization and looking and new TTPs and threats that are being seen in the wild and build IOCs and correlations rules to match that activity.</P> <P>&nbsp;</P> <P>I understand this may not be the information you're looking for, but no one outside of your organization is going to be able to tell you exactly what you need to be looking for.&nbsp; Different threats are more prevalent in certain industries/verticals than others.&nbsp; Also, everyone's team is at a different level of maturity.'</P> <P>&nbsp;</P> <P>I hope this information helps.</P> Wed, 24 May 2023 15:08:10 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlation-rules-and-biocs/m-p/543210#M4428 anlynch 2023-05-24T15:08:10Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlation-rules-and-biocs/m-p/543329#M4437 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/232716">@anlynch</a>&nbsp;</P> <P>&nbsp;</P> <P>Thank you for your reply.</P> <P>Sorry if I was not clear.</P> <P>We are already doing that and that information we don't need.</P> <P>I totally agree when you say, "<SPAN>no one outside of your organization is going to be able to tell you exactly what you need to be looking for</SPAN>"</P> <P>&nbsp;</P> <P>I was looking for something more generic.</P> <P>Let me know if you or someone could <SPAN>suggest&nbsp;</SPAN>some generic XQL or BIOC rules that could help us leverage our defenses.</P> <P>Sharing that kind of information will for sure help all community, I believe <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Regards,</P> <P>Fábio Ferreira</P> Thu, 25 May 2023 12:40:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlation-rules-and-biocs/m-p/543329#M4437 FabioFerreira 2023-05-25T12:40:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlation-rules-and-biocs/m-p/555505#M5046 <P>You can look into OSINT data bases like Sigma and analyze if it make sense to your organisation and the telemetry you are collecting and can work from there. Rules may be a bit noisy so obviously need to tune out things based on your org. Hope it helps&nbsp;</P> Mon, 28 Aug 2023 10:37:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/correlation-rules-and-biocs/m-p/555505#M5046 AshokBabu 2023-08-28T10:37:33Z