https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/i-want-to-block-certain-certutil-commands-from-being-executed/m-p/1237976#M8735 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/879871463">@P.Madye</a>&nbsp;</P> <P>&nbsp;</P> <P>Restrictions Profile in Cortex XDR is not the same thing as a BIOC rule. So you cant always put a BIOC within a Restriction profile.&nbsp;</P> <P><BR />Restrictions Profile is a prevention feature that blocks execution of files, processes, scripts, or DLLs based on static conditions (e.g., file path, extension, process name, certificate).<BR />Your query is a behavioral detection (network activity + process + command-line arguments). That’s dynamic behavior detection, not static blocking.<BR />Because of this, Restrictions cannot “understand” filters like event_type, event_sub_type, or regex on command lines.<BR /><BR /></P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</P> <P>&nbsp;</P> <P>KR,</P> <P>Luis</P> <P>&nbsp;</P> Mon, 15 Sep 2025 14:24:48 GMT eluis 2025-09-15T14:24:48Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/i-want-to-block-certain-certutil-commands-from-being-executed/m-p/1237479#M8725 <P>Unable to get it why the below BIOC rule can't be added into the restrictions policy.&nbsp;I was trying to write a BIOC rule for monitoring dropped files via certutil. :&nbsp;</P> <P>&nbsp;</P> <P>dataset = xdr_data</P> <P>| filter event_type = 2 and event_sub_type = ENUM.NETWORK_STREAM_CONNECT</P> <P>| filter actor_process_image_name = "certutil.exe"</P> <P>| filter (</P> <P>os_actor_process_command_line ~= ".*-urlcache.*" or</P> <P>os_actor_process_command_line ~= ".*-decode.*" or</P> <P>os_actor_process_command_line ~= ".*-encode.*" )</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 08 Sep 2025 14:48:46 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/i-want-to-block-certain-certutil-commands-from-being-executed/m-p/1237479#M8725 P.Madye 2025-09-08T14:48:46Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/i-want-to-block-certain-certutil-commands-from-being-executed/m-p/1237976#M8735 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/879871463">@P.Madye</a>&nbsp;</P> <P>&nbsp;</P> <P>Restrictions Profile in Cortex XDR is not the same thing as a BIOC rule. So you cant always put a BIOC within a Restriction profile.&nbsp;</P> <P><BR />Restrictions Profile is a prevention feature that blocks execution of files, processes, scripts, or DLLs based on static conditions (e.g., file path, extension, process name, certificate).<BR />Your query is a behavioral detection (network activity + process + command-line arguments). That’s dynamic behavior detection, not static blocking.<BR />Because of this, Restrictions cannot “understand” filters like event_type, event_sub_type, or regex on command lines.<BR /><BR /></P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</P> <P>&nbsp;</P> <P>KR,</P> <P>Luis</P> <P>&nbsp;</P> Mon, 15 Sep 2025 14:24:48 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/i-want-to-block-certain-certutil-commands-from-being-executed/m-p/1237976#M8735 eluis 2025-09-15T14:24:48Z