<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Questions about IOC/BIOC Suppression rules in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/questions-about-ioc-bioc-suppression-rules/m-p/1231984#M8446</link>
    <description>&lt;P&gt;We are doing a (somewhat rushed) Cortex XDR implementation, and I am new to EDR things (in general).&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I created an IOC/BIOC Supp rule today for an issue with running the Guardian Browser (I'll let you know if it works), and while there I see 52 System Generated rules. The description on them is "Same process triggered BIOC nnn on 100 different hosts." I thought I could both learn and possibly resolve them. The one I picked happened to be about drvinst.exe. "Well," I said, "that sounds simple."&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I searched for the SHA256 hash in the rule, and found thousands of results (that's how I found drvinst.exe). But when I searched Issues for that hash in&amp;nbsp;Target Process SHA256, Initiator SHA256, CGO SHA256, File SHA256 - nada. Zip. There are other SHA256 fields I could check, but never let it be said I can't take a hint.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So I got to thinking, and I have a few questions; I'd appreciate hearing your thoughts:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1. Does anyone do this, i.e. trying to resolve the issues causing these System Generated rules? Is it worth the effort?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;2. Does anyone know if a System Generated IOC/BIOC Suppression rule will also resolve the issues generated before the rule? (The rule I picked was generated today, so I'd have thought the related Issues would still be around, but I found none.)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;3. Does anyone know if PAN writes these rules thinking about the apps/programs/images that cause them? In other words, does the fact that this involves drvinst.exe, a well-known Windows process, allow them to generate the rule knowing "well, that exe is fine" and NOT suppress issues for lesser-known apps?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for reading and hopefully helping me out?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Paul&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 18 Jun 2025 03:36:30 GMT</pubDate>
    <dc:creator>ptrivino1</dc:creator>
    <dc:date>2025-06-18T03:36:30Z</dc:date>
    <item>
      <title>Questions about IOC/BIOC Suppression rules</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/questions-about-ioc-bioc-suppression-rules/m-p/1231984#M8446</link>
      <description>&lt;P&gt;We are doing a (somewhat rushed) Cortex XDR implementation, and I am new to EDR things (in general).&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I created an IOC/BIOC Supp rule today for an issue with running the Guardian Browser (I'll let you know if it works), and while there I see 52 System Generated rules. The description on them is "Same process triggered BIOC nnn on 100 different hosts." I thought I could both learn and possibly resolve them. The one I picked happened to be about drvinst.exe. "Well," I said, "that sounds simple."&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I searched for the SHA256 hash in the rule, and found thousands of results (that's how I found drvinst.exe). But when I searched Issues for that hash in&amp;nbsp;Target Process SHA256, Initiator SHA256, CGO SHA256, File SHA256 - nada. Zip. There are other SHA256 fields I could check, but never let it be said I can't take a hint.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So I got to thinking, and I have a few questions; I'd appreciate hearing your thoughts:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1. Does anyone do this, i.e. trying to resolve the issues causing these System Generated rules? Is it worth the effort?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;2. Does anyone know if a System Generated IOC/BIOC Suppression rule will also resolve the issues generated before the rule? (The rule I picked was generated today, so I'd have thought the related Issues would still be around, but I found none.)&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;3. Does anyone know if PAN writes these rules thinking about the apps/programs/images that cause them? In other words, does the fact that this involves drvinst.exe, a well-known Windows process, allow them to generate the rule knowing "well, that exe is fine" and NOT suppress issues for lesser-known apps?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for reading and hopefully helping me out?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Paul&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 18 Jun 2025 03:36:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/questions-about-ioc-bioc-suppression-rules/m-p/1231984#M8446</guid>
      <dc:creator>ptrivino1</dc:creator>
      <dc:date>2025-06-18T03:36:30Z</dc:date>
    </item>
    <item>
      <title>Re: Questions about IOC/BIOC Suppression rules</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/questions-about-ioc-bioc-suppression-rules/m-p/1232020#M8452</link>
      <description>&lt;P&gt;Hi Ptrivino1,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Answering your questions:&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Yes, it is recommended that you fine-tune your Cortex XDR instance to your needs. It will clean up your alerts and findings that are kind of false positives.&amp;nbsp;&lt;BR /&gt;You know that some legitimate Windows or other vendor applications can be used by malicious actors to compromise systems, staying stealthy against antivirus because they are legitimate applications, even signed by the developers: LOLBIN attack techniques.&lt;/LI&gt;
&lt;LI&gt;No&lt;/LI&gt;
&lt;LI&gt;We are creating the rules based on observed behavior, and environmental prevalence.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Feel free to click Like on the answer if this helped you.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;KR,&lt;/P&gt;
&lt;P&gt;Luis&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 18 Jun 2025 10:00:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/questions-about-ioc-bioc-suppression-rules/m-p/1232020#M8452</guid>
      <dc:creator>eluis</dc:creator>
      <dc:date>2025-06-18T10:00:54Z</dc:date>
    </item>
  </channel>
</rss>

