topic BIOC Rule Through XQL vs Builder in Cortex XDR Discussions

BIOC Rule Through XQL vs Builder

VarunPitale — Fri, 21 Mar 2025 12:04:47 GMT

Here is my BIOC Rule using XQL.

dataset = xdr_data
| filter event_type = ENUM.FILE
| filter agent_hostname = "XXXXX"
| filter action_file_path = "D:\XX\YY\*"
| filter event_sub_type = ENUM.FILE_RENAME OR event_sub_type = ENUM.FILE_REMOVE OR event_sub_type = ENUM.FILE_WRITE

I now get 12 alerts in the BIOC Rule

If I use Query Builder for BIOC,

File [ action type = rename, delete, write AND file path = D:\XX\YY\* ] AND Host [ host name = XXXXX ]

I now get only 3 alerts in the BIOC Rule, all of which are present in the previous list of alerts.

I am trying to understand what is the difference in these 2 rules. As far as my eyes can see, they are the exact same rule.

Re: BIOC Rule Through XQL vs Builder

aspatil — Thu, 27 Mar 2025 05:24:38 GMT

Hello @VarunPitale ,

The difference in alert counts between your XQL BIOC rule and Query Builder BIOC rule could be due to logical differences
Below query may not be interpreted correctly because OR might need explicit grouping.
| filter event_sub_type = ENUM.FILE_RENAME OR event_sub_type = ENUM.FILE_REMOVE OR event_sub_type = ENUM.FILE_WRITE
Better way to write it:
| filter event_sub_type in (ENUM.FILE_RENAME, ENUM.FILE_REMOVE, ENUM.FILE_WRITE)
In Query Builder, the conditions are structured differently

There can be other reasons
Implicit Filtering in Query Builder
Query Builder might automatically exclude:

Events that are not categorized under action type = rename, delete, write

Temporary or system-initiated file modifications

Duplicates or less relevant system events

XQL, on the other hand, may not have these implicit exclusions, leading to higher alert counts.
Differences in Event Processing
Some events might be grouped or deduplicated in Query Builder, reducing the alert count.

Query Builder may not consider certain system-generated file operations, whereas XQL pulls raw data.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

Re: BIOC Rule Through XQL vs Builder

VarunPitale — Thu, 03 Apr 2025 08:30:04 GMT

Thanks @aspatil

I tried your solution and am still seeing the same. I tried this on a separate folder. Actions performed were

1. Create a new txt file.

2. Rename it

3. Rename it again

4. Delete it.

In Query results, I got 4 results.

Created BIOC Rule and saved it.

While testing BIOC rule, I got 4 results

Checking the alerts, only 1 alert was generated.