https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-analytics-bioc-rules-severity/m-p/594239#M7044 <P>yes&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1372551263">@Fm12345</a>&nbsp;</P> <P>The automation rule is a good idea</P> <P>The rule is similar like that</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Alejandro_Hernandez_0-1723039623042.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61371iF4786D59B0364002/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Alejandro_Hernandez_0-1723039623042.png" alt="Alejandro_Hernandez_0-1723039623042.png" /></span></P> <P>&nbsp;</P> Wed, 07 Aug 2024 14:07:14 GMT Alejandro_Hernandez 2024-08-07T14:07:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-analytics-bioc-rules-severity/m-p/593991#M7027 <P>I am writing to inquire about the procedure for modifying the severity levels of BIOCs (Behavioral Indicators of Compromise) within the Analytics module of Cortex XDR. Specifically, we are looking to understand how to create or adjust a custom rule where we can manually add a BIOC and select its severity level according to our needs.</P> <P>Could you please provide guidance or documentation on how to achieve this? Detailed instructions or any relevant steps to create or modify such a rule would be greatly appreciated.</P> Mon, 05 Aug 2024 08:29:10 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-analytics-bioc-rules-severity/m-p/593991#M7027 mirtoghrulseyid 2024-08-05T08:29:10Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-analytics-bioc-rules-severity/m-p/594018#M7028 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/288393">@mirtoghrulseyid</a>&nbsp;</P> <P>When you created a BIOC rule</P> <P>In Detection Rules &gt; BIOC &gt; Right click over BIOC rule and select edit</P> <P>And here you&nbsp; will change the severity&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Alejandro_Hernandez_0-1722869371789.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61329iF6198DE5CBE5F24B/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Alejandro_Hernandez_0-1722869371789.png" alt="Alejandro_Hernandez_0-1722869371789.png" /></span></P> <P>&nbsp;</P> Mon, 05 Aug 2024 14:50:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-analytics-bioc-rules-severity/m-p/594018#M7028 Alejandro_Hernandez 2024-08-05T14:50:05Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-analytics-bioc-rules-severity/m-p/594095#M7031 <P>Hi Alejandro_Hernandez,</P> <P>Thank you for your response. However, what I need to change is not the BIOC itself, but the severity of the Analytics section.</P> <P>I can show you this picture as an example</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="XDRANALYTİCS.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61354i9594029B8B065829/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="XDRANALYTİCS.png" alt="XDRANALYTİCS.png" /></span></P> <P> </P> <P>&nbsp;</P> Tue, 06 Aug 2024 08:08:03 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-analytics-bioc-rules-severity/m-p/594095#M7031 mirtoghrulseyid 2024-08-06T08:08:03Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-analytics-bioc-rules-severity/m-p/594177#M7040 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/288393">@mirtoghrulseyid</a>&nbsp;</P> <P>Checking the Analytics BIOC rules, here is not possible to modify the severity</P> <P>The only way to modify is when the alert is generated and set the new severity</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Alejandro_Hernandez_0-1722966878554.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61366i1C7BC649FCAFF2ED/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Alejandro_Hernandez_0-1722966878554.png" alt="Alejandro_Hernandez_0-1722966878554.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Alejandro_Hernandez_1-1722966926432.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61367i91E8FF2801B48055/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Alejandro_Hernandez_1-1722966926432.png" alt="Alejandro_Hernandez_1-1722966926432.png" /></span></P> <P>&nbsp;</P> Tue, 06 Aug 2024 17:56:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-analytics-bioc-rules-severity/m-p/594177#M7040 Alejandro_Hernandez 2024-08-06T17:56:54Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-analytics-bioc-rules-severity/m-p/594210#M7042 <P>Yes..as <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/57494">@Alejandro_Hernandez</a>&nbsp; mentioned it's not possible to edit analytics biocs or BIOCs from source as paloalto.</P> <P>&nbsp;</P> <P>Instead you can create automation rule and set criteria on alert name or combination of alert names and hosts etc.. the action of the automation can be to change severity. So that when such alert comes in the severity is set as per your requirement.</P> Wed, 07 Aug 2024 06:59:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-analytics-bioc-rules-severity/m-p/594210#M7042 Fm12345 2024-08-07T06:59:43Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-analytics-bioc-rules-severity/m-p/594239#M7044 <P>yes&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1372551263">@Fm12345</a>&nbsp;</P> <P>The automation rule is a good idea</P> <P>The rule is similar like that</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Alejandro_Hernandez_0-1723039623042.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61371iF4786D59B0364002/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Alejandro_Hernandez_0-1723039623042.png" alt="Alejandro_Hernandez_0-1723039623042.png" /></span></P> <P>&nbsp;</P> Wed, 07 Aug 2024 14:07:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-analytics-bioc-rules-severity/m-p/594239#M7044 Alejandro_Hernandez 2024-08-07T14:07:14Z