topic Re: [Cortex XDR] - I Want to monitor the file creation, modification, removal, etc. under the specified path through the BIOC Rule. in Cortex XDR Discussions

[Cortex XDR] - I Want to monitor the file creation, modification, removal, etc. under the specified path through the BIOC Rule.

S.Lin576639 — Mon, 20 Jan 2025 05:22:59 GMT

Dear Everyone,

I would like to use the XDR BIOC Rule to block the host from creating, editing, deleting, renaming, etc. files in specific file paths.

I tried to write a BIOC Rule but found that it can't be successfully applied to the Restrictions profile, and there is no Alert generated due to the matching of this rule, does anyone know why it can't be applied to the Restrictions profile? Thanks for your help!

BIOC detail：

dataset = xdr_data | filter event_type = ENUM.FILE and
event_sub_type in(
ENUM.FILE_DIR_REMOVE, ENUM.FILE_DIR_CREATE,
ENUM.FILE_DIR_RENAME, ENUM.FILE_DIR_WRITE,
ENUM.FILE_CREATE_NEW, ENUM.FILE_REMOVE,
ENUM.FILE_RENAME, ENUM.FILE_WRITE,
ENUM.FILE_CHANGE_OWNER ,ENUM.FILE_DIR_CHANGE_OWNER,
ENUM.FILE_SET_SECURITY_DESCRIPTOR, ENUM.FILE_DIR_SET_SECURITY_DESCRIPTOR,
ENUM.FILE_IMPERSONATE_PIPE, ENUM.FILE_SET_ATTRIBUTE,
ENUM.FILE_DELETE_EXT_ATTRIBUTE,
ENUM.DOT_NET_SUSPICIOUS_FILE_EXISTS_CHECK,ENUM.DOT_NET_SUSPICIOUS_REFLECTION
)
| filter lowercase(action_file_path) = "d:\*"

Re: [Cortex XDR] - I Want to monitor the file creation, modification, removal, etc. under the specified path through the BIOC Rule.

jmazzeo — Mon, 20 Jan 2025 15:35:33 GMT

Hi @S.Lin576639, thanks for reaching us using the Live Community.

You can't add the BIOC to a restrictions profile because you are not filtering a process. The restrictions profiles are used to block processes after being detected by the custom BIOC rule.

More information here and here.

This example worked for me in a quick test:

dataset = xdr_data | filter event_type = ENUM.FILE and event_sub_type in(ENUM.FILE_CREATE_NEW, ENUM.FILE_RENAME, ENUM.FILE_WRITE) | filter action_file_path contains "*Downloads*" // Change it with your path | fields agent_hostname, action_file_path, action_file_name // Add more fields as needed

If this post answers your question, please mark it as the solution.

Re: [Cortex XDR] - I Want to monitor the file creation, modification, removal, etc. under the specified path through the BIOC Rule.

S.Lin576639 — Tue, 21 Jan 2025 09:35:57 GMT

Dear @jmazzeo,

So the BIOC Rule can only be added to the restrictions profile for monitoring (generating an Alert) if no Process is specified? Is there any restriction on adding bioc rule to restrictions profile?

Thank you.

Re: [Cortex XDR] - I Want to monitor the file creation, modification, removal, etc. under the specified path through the BIOC Rule.

J.Gammara — Thu, 23 Jan 2025 14:33:23 GMT

Hello @S.Lin576639 ,

I hope everything is going well, I would like to share with you this information:

"By using the BIOC rules, you can configure custom prevention rules to terminate the causality chain of a malicious process according to the Action Mode defined in the associated Restrictions Security Profile and trigger Cortex XDR Agent behavioral prevention type alerts in addition to the BIOC rule detection alerts.

For example, if you configure a custom prevention rule for a BIOC Process event, apply it to the Restrictions profile with an action mode set to Block, the Cortex XDR agent:

Blocks a process at the endpoint level according to the defined rule properties.
Triggers a behavioral prevention alert you can monitor and investigate in the Alerts table."

This is from https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Create-a-BIOC-rule

So basically it depends on the Action mode that you configure on your restriction profile. It will give you the option to Alert or Block(kill the causalitychain) and Alert.

Re: [Cortex XDR] - I Want to monitor the file creation, modification, removal, etc. under the specified path through the BIOC Rule.

vkonar — Fri, 07 Mar 2025 14:45:08 GMT

What are the possible reasons on why i am unable to get add restriction profile option on my custom BIOC rule?

Re: [Cortex XDR] - I Want to monitor the file creation, modification, removal, etc. under the specified path through the BIOC Rule.

jmazzeo — Fri, 07 Mar 2025 16:36:12 GMT

Can you share the BIOC rule? Please clean any sensitive information.

Re: [Cortex XDR] - I Want to monitor the file creation, modification, removal, etc. under the specified path through the BIOC Rule.

vkonar — Sat, 08 Mar 2025 05:54:13 GMT

Dear @jmazzeo ,

Please find below BIOC rule Behavior.

Process [ action type = execution AND target process name = procexp.exe ] AND Process [ initiated by = powershell.exe , powershell_ise.exe ] AND Host [ host name = <REDACTED> AND host os = <REDACTED> ]

Is this enough or need further details? Let me know.

Re: [Cortex XDR] - I Want to monitor the file creation, modification, removal, etc. under the specified path through the BIOC Rule.

jmazzeo — Fri, 14 Mar 2025 13:46:42 GMT

Hi @vkonar, you need to remove the hostname and the host OS. The BIOC rules needs to be focused in processes behavior, but also I think that one is too generic and can cause issues. Could be good to add a command line that can start the process execution from powersheel.

Re: [Cortex XDR] - I Want to monitor the file creation, modification, removal, etc. under the specified path through the BIOC Rule.

vkonar — Sat, 15 Mar 2025 13:41:29 GMT

Removed Hostname and Host OS . Now i am able to see add to restriction profile option on BIOC rule. Thanks again!