https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/monitor-bitlocker/m-p/587990#M6735 <P>Hello,</P> <P>&nbsp;</P> <P>I am checking if it is possible, to monitor from cortex when BitLocker is enabled on the computer, via a BIOC?</P> <P>&nbsp;</P> <P>Best regards.</P> Mon, 27 May 2024 08:10:18 GMT JPrezHidalgo 2024-05-27T08:10:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/monitor-bitlocker/m-p/587990#M6735 <P>Hello,</P> <P>&nbsp;</P> <P>I am checking if it is possible, to monitor from cortex when BitLocker is enabled on the computer, via a BIOC?</P> <P>&nbsp;</P> <P>Best regards.</P> Mon, 27 May 2024 08:10:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/monitor-bitlocker/m-p/587990#M6735 JPrezHidalgo 2024-05-27T08:10:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/monitor-bitlocker/m-p/587992#M6737 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1039296089">@JPrezHidalgo</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thank you for reaching out on Live community.</P> <P>&nbsp;</P> <P><SPAN>Behavioral indicators of compromise (BIOCs) enable you to alert and respond to behaviors—tactics, techniques, and procedures. Instead of hashes and other traditional indicators of compromise, BIOC rules detect behavior such as is related to processes, registry, files, and network activity.</SPAN></P> <P>&nbsp;</P> <P><SPAN>If you want to monitor the encryption status on the machines, you can refer to below query:<BR />dataset = endpoints <BR />|fields endpoint_name , endpoint_id , operating_system , encryption_status <BR /></SPAN></P> <P>&nbsp;</P> <P>You can create Dashboard or use correlation rule as per your need.&nbsp;</P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking on "mark this as a Solution".</SPAN></P> Mon, 27 May 2024 08:26:21 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/monitor-bitlocker/m-p/587992#M6737 aspatil 2024-05-27T08:26:21Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/monitor-bitlocker/m-p/587994#M6738 <P>In this case, we do not need to see the encryption status (if applied by Cortex XDR), but to see when the bitlocker goes from inactive to active.</P> Mon, 27 May 2024 08:58:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/monitor-bitlocker/m-p/587994#M6738 JPrezHidalgo 2024-05-27T08:58:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/monitor-bitlocker/m-p/588336#M6763 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1039296089">@JPrezHidalgo</a>&nbsp;,</P> <P>&nbsp;</P> <P>The idle way is to run manage-bde -status. However, if you want to be notified, I have found two ways here.</P> <P>&nbsp;</P> <P>1. To look for the event id's when encryption starts and completes and create a correlation rule and get alerted.</P> <P>2. Check with Microsoft which registries can be verified to ensure that encryption status changes and create the BIOC.</P> <P>&nbsp;</P> <P>Or you can get the report in every specific time frame and ingest back into XDR and create the correlation rule. Please ensure you have pro per GB license for it.</P> Thu, 30 May 2024 05:42:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/monitor-bitlocker/m-p/588336#M6763 aspatil 2024-05-30T05:42:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/monitor-bitlocker/m-p/588365#M6770 <P>Hello,</P> <P>&nbsp;</P> <P>Thank you very much for the answer, you are helping me enormously. The question is that the idea I had was to do what you said in point number 1.</P> <P>&nbsp;</P> <P>But I can not identify in the telemetry the event that allows me to perform the correlation rule to warn us.</P> <P>&nbsp;</P> <P>Thank you very much for your help.</P> <P>&nbsp;</P> <P>Best regards.</P> Thu, 30 May 2024 08:03:47 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/monitor-bitlocker/m-p/588365#M6770 JPrezHidalgo 2024-05-30T08:03:47Z