https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ftp-transfer-custom-bioc/m-p/1086033#M7751 <P>Hello Palo Alto LiveCommunity,</P> <P>&nbsp;</P> <P>I’m currently working on a task where I need to create a custom BIOC (Behavioral Indicator of Compromise) and add it to a restriction profile to block FTP command lines. Specifically, I want to prevent FTP-related commands from being executed by monitoring and restricting certain patterns.</P> <P>&nbsp;</P> <P>I also need help with incorporating the following regex expression into the scope of action for a<SPAN>&nbsp;</SPAN><STRONG>remote IP<BR /><BR />it would be very appreciated if you have more details of how the BIOC must be created to block a process when it's associated with a restriction profile</STRONG><BR /><BR /></P> <P>An additional question is how BIOCs work when added as a Prevention Rule in a Restriction Profile.</P> <P>I can see that some rules can generate locks killing the process, and others only detect, does anyone know how this capability works?</P> Wed, 15 Jan 2025 22:28:25 GMT J.Gammara 2025-01-15T22:28:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ftp-transfer-custom-bioc/m-p/1086033#M7751 <P>Hello Palo Alto LiveCommunity,</P> <P>&nbsp;</P> <P>I’m currently working on a task where I need to create a custom BIOC (Behavioral Indicator of Compromise) and add it to a restriction profile to block FTP command lines. Specifically, I want to prevent FTP-related commands from being executed by monitoring and restricting certain patterns.</P> <P>&nbsp;</P> <P>I also need help with incorporating the following regex expression into the scope of action for a<SPAN>&nbsp;</SPAN><STRONG>remote IP<BR /><BR />it would be very appreciated if you have more details of how the BIOC must be created to block a process when it's associated with a restriction profile</STRONG><BR /><BR /></P> <P>An additional question is how BIOCs work when added as a Prevention Rule in a Restriction Profile.</P> <P>I can see that some rules can generate locks killing the process, and others only detect, does anyone know how this capability works?</P> Wed, 15 Jan 2025 22:28:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ftp-transfer-custom-bioc/m-p/1086033#M7751 J.Gammara 2025-01-15T22:28:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ftp-transfer-custom-bioc/m-p/1086305#M7753 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1561359921">@J.Gammara</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>With BIOC rules, you can configure custom prevention rules to terminate the causality chain of a malicious process according to the Action Mode defined in the associated Restrictions Security Profile and trigger Cortex XDR Agent behavioral prevention type alerts in addition to the BIOC rule detection alerts.</P> <P>For example, if you configure a custom prevention rule for a BIOC Process event, apply it to the Restrictions profile with an action mode set to Block, the Cortex XDR agent:</P> <P>Blocks a process at the endpoint level according to the defined rule properties.</P> <P>Triggers a behavioral prevention alert you can monitor and investigate in the Alerts table.</P> <P>&nbsp;</P> <P>For more information on how to create a BIOC rule, please refer below doc.</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Create-a-BIOC-rule" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Create-a-BIOC-rule</A></P> <P>&nbsp;</P> <P>You will find information on how to make a customer prevention rule using BIOC under heading&nbsp;"Configure a custom prevention rule".</P> <P>&nbsp;</P> <P>Please c<SPAN>lick&nbsp;</SPAN><STRONG>Accept as Solution</STRONG><SPAN>&nbsp;to acknowledge that the answer to your question has been provided.</SPAN></P> Thu, 16 Jan 2025 04:45:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ftp-transfer-custom-bioc/m-p/1086305#M7753 nsinghvirk 2025-01-16T04:45:11Z