topic Re: Honeyuser with machine account name in Cortex XDR Discussions

Honeyuser with machine account name

T.Nurmi — Thu, 29 Jan 2026 08:28:49 GMT

How to create BIOC rule for AD machine account. Example if someone use net use command. so how to create alert for this use case ?

Re: Honeyuser with machine account name

susekar — Thu, 29 Jan 2026 15:00:36 GMT

Hello @T.Nurmi ,

Greetings for the day.

To create a Behavioral Indicator of Compromise (BIOC) rule in Cortex XDR that alerts when an Active Directory (AD) machine account executes the net use command, you can use either the BIOC Rule Builder UI or a custom XQL query.

Option 1: Using the BIOC Rule Builder UI

Navigate to BIOC Configuration

Log in to the Cortex XDR console.
Go to Detection > Behavioral Indicators.
Click + Add BIOC and select the Process entity.

Define Rule Criteria

Process Name
- Image Name equals net.exe
Command Line Argument
- Command Line contains net use
Target Machine Account
- Filter the actor username to match Active Directory machine accounts, which typically end with a dollar sign ($).
- Example:
  - Regex: .*\$
  - Wildcard: *$

Set Alert and Severity

Choose an appropriate severity level (for example, Medium or High).
Set the action to Alert (or Block if you intend to enforce prevention via a Restriction Profile).

Save and Deploy

Save the rule.
If using this as a prevention rule, add it to a Restriction Profile and apply that profile to the relevant endpoints.

Option 2: Using XQL (Advanced)

You can also create a custom BIOC using an XQL query to detect this behavior:

dataset = xdr_data
| filter event_type = ENUM.PROCESS
| filter action_process_image_name = "net.exe"
| filter action_process_command_line contains "net use"
| filter actor_effective_username ~= ".*\\$"

Important Considerations

Asynchronous Execution
Custom BIOC rules are typically asynchronous, meaning the process may execute before the rule completes evaluation of the causality chain.
AD Context
Analytics-based BIOCs may leverage contextual baselining. For custom rules, filtering for machine accounts must be explicitly defined.
Testing
Always use the Test feature in the BIOC rule builder to validate the rule against historical data before enabling it in production.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Happy New year!!

Thanks & Regards,
S. Subashkar Sekar

Re: Honeyuser with machine account name

T.Nurmi — Fri, 30 Jan 2026 09:04:15 GMT

Hi. Thanks for greate answer. What about to use just this preset = network_story
| filter actor_effective_username ="*$" , if i want to follow all detections aroiund one account?

Re: Honeyuser with machine account name

susekar — Fri, 30 Jan 2026 13:57:15 GMT

Hello @T.Nurmi ,

Thank you for the response.

Regarding your question about using preset = network_story | filter actor_effective_username ="*$":

Dataset Suitability: The network_story preset is specifically designed for analyzing network sessions and DNS resolutions. While this is useful for following the network activity of an account, it will not trigger on the execution of the net use command itself. Command executions are logged as process events in the xdr_data or xdr_process datasets.
Machine Account Filtering: Your use of actor_effective_username ="*$" (or the regex ~= ".*\$") is a technically correct way to identify Active Directory machine accounts, as they are distinguished by the $ suffix.
Recommendation for Investigation: If your goal is to follow all detections and activities around one account, it is more comprehensive to use dataset = xdr_data (for raw telemetry) or dataset = alerts (for existing detections). network_story will only provide a limited view focused on network connections.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar