https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rule/m-p/572872#M5876 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/312460">@Anirudha_Jadhav</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>You can use the Network entity within query builder which provides you with pre build format in order to s<SPAN>earch network activity by IP address, port, host name, protocol, and more. In addition to network activity you can add acting process where you can define the Powershell parameters like command line, path, SHA256 etc in order to capture powershell details.</SPAN></P> <P><SPAN>Apart from it you can take help from query library by searching for "upload" keyword. There are several prebuilt queries to detect data upload. You can take reference from them and build you own.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Please click&nbsp;<STRONG>Accept as Solution</STRONG>&nbsp;to acknowledge that the answer to your question has been provided.</SPAN></P> Fri, 12 Jan 2024 14:41:04 GMT nsinghvirk 2024-01-12T14:41:04Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rule/m-p/572156#M5857 <P>How to make BIOC rule in cortex xdr if an attacker tries to upload data to aws from PowerShell CLI? <LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Mon, 08 Jan 2024 18:18:34 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rule/m-p/572156#M5857 Anirudha_Jadhav 2024-01-08T18:18:34Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rule/m-p/572872#M5876 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/312460">@Anirudha_Jadhav</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>You can use the Network entity within query builder which provides you with pre build format in order to s<SPAN>earch network activity by IP address, port, host name, protocol, and more. In addition to network activity you can add acting process where you can define the Powershell parameters like command line, path, SHA256 etc in order to capture powershell details.</SPAN></P> <P><SPAN>Apart from it you can take help from query library by searching for "upload" keyword. There are several prebuilt queries to detect data upload. You can take reference from them and build you own.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Please click&nbsp;<STRONG>Accept as Solution</STRONG>&nbsp;to acknowledge that the answer to your question has been provided.</SPAN></P> Fri, 12 Jan 2024 14:41:04 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rule/m-p/572872#M5876 nsinghvirk 2024-01-12T14:41:04Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rule/m-p/573196#M5891 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/312460">@Anirudha_Jadhav</a>&nbsp;</P> <P>&nbsp;</P> <P>Please share the XQL query of the BIOC rule. You can get it by going to BIOC rule and then right click to <STRONG>Open in XQL</STRONG>.</P> Tue, 16 Jan 2024 14:58:16 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rule/m-p/573196#M5891 nsinghvirk 2024-01-16T14:58:16Z