https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/custom-bioc-rule-won-t-apply-to-prevention-profile/m-p/1249055#M9170 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/309634035">@M.McClure</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.<BR /><BR /></P> <P data-end="373" data-start="83">The behavior you are experiencing is a design limitation of Cortex XDR and not a bug. When a Behavioral Indicator of Compromise (BIOC) rule is added to a Restrictions Profile for prevention, it is converted into a rule that must be evaluated locally by the Cortex XDR agent on the endpoint.</P> <P data-end="373" data-start="83">&nbsp;</P> <P data-end="740" data-start="375">To ensure the agent can enforce these rules in real time without relying on server-side context, certain fields are prohibited in the BIOC query logic. Adding an exception based on Host Name (or device name prefixes) makes the rule ineligible for prevention enforcement, causing it to disappear from selection lists or lose the "Add to restrictions profile" option.</P> <P data-end="740" data-start="375">&nbsp;</P> <H4 data-end="788" data-start="747">Prohibited Fields for Prevention BIOCs:</H4> <P data-end="887" data-start="790">A BIOC rule cannot be applied to a prevention profile if it contains any of the following fields:</P> <UL data-end="1264" data-start="889"> <LI data-end="964" data-start="889"> <P data-end="964" data-start="891"><STRONG data-end="906" data-start="891">All Events:</STRONG> Host Name (this is likely what is triggering your issue).</P> </LI> <LI data-end="1018" data-start="965"> <P data-end="1018" data-start="967"><STRONG data-end="983" data-start="967">File Events:</STRONG> Device Type, Device Serial Number.</P> </LI> <LI data-end="1086" data-start="1019"> <P data-end="1086" data-start="1021"><STRONG data-end="1040" data-start="1021">Process Events:</STRONG> Device Type, Device Serial Number, User Name.</P> </LI> <LI data-end="1129" data-start="1087"> <P data-end="1129" data-start="1089"><STRONG data-end="1108" data-start="1089">Network Events:</STRONG> Country, Raw Packet.</P> </LI> <LI data-end="1264" data-start="1130"> <P data-end="1264" data-start="1132"><STRONG data-end="1149" data-start="1132">XQL Specific:</STRONG> Complex operators like <CODE data-end="1183" data-start="1173">contains</CODE> or <CODE data-end="1191" data-start="1187">in</CODE> used with wildcards (*) are often unsupported; use regex (<CODE data-end="1254" data-start="1250">~=</CODE>) instead.</P> </LI> </UL> <H4 data-end="1294" data-start="1271">Recommended Solution:</H4> <P data-end="1440" data-start="1296">Instead of including host-based exceptions within the BIOC rule itself, you should separate the behavioral definition from the deployment scope.</P> <H5 data-end="1471" data-start="1442">1. Modify the BIOC Rule:</H5> <P data-end="1652" data-start="1472">Remove the filters or exceptions related to host names or device prefixes. Ensure the rule only defines the behavior you want to block (for example, the execution of <CODE data-end="1650" data-start="1638">chrome.exe</CODE>).</P> <H5 data-end="1689" data-start="1654">2. Add to Restriction Profile:</H5> <UL data-end="1809" data-start="1690"> <LI data-end="1733" data-start="1690"> <P data-end="1733" data-start="1692">Navigate to <STRONG data-end="1730" data-start="1704">Detection Rules &gt; BIOC</STRONG>.</P> </LI> <LI data-end="1809" data-start="1734"> <P data-end="1809" data-start="1736">Right-click your generic rule and select <STRONG data-end="1808" data-start="1777">Add to restrictions profile</STRONG>.</P> </LI> </UL> <H5 data-end="1853" data-start="1811">3. Use Policy Management for Scoping:</H5> <UL data-end="2208" data-start="1854"> <LI data-end="1932" data-start="1854"> <P data-end="1932" data-start="1856">Navigate to <STRONG data-end="1929" data-start="1868">Endpoints &gt; Policy Management &gt; Prevention &gt; Policy Rules</STRONG>.</P> </LI> <LI data-end="2020" data-start="1933"> <P data-end="2020" data-start="1935">Create a policy rule that targets only your servers (by group, alias, or hostname).</P> </LI> <LI data-end="2108" data-start="2021"> <P data-end="2108" data-start="2023">Assign the Restriction Profile containing your custom BIOC to this specific policy.</P> </LI> <LI data-end="2208" data-start="2109"> <P data-end="2208" data-start="2111">For end-user devices, use a different policy rule that does not include this Restriction Profile.</P> </LI> </UL> <P data-end="2362" data-start="2210">This approach allows the BIOC to remain agent-enforceable while still restricting the block action to the specific set of servers you intend to protect.</P> <H4 data-end="2401" data-start="2369">Alternative for Google Chrome:</H4> <P data-is-only-node="" data-is-last-node="" data-end="2753" data-start="2403">If your goal is specifically to block Chrome, it is often recommended to use the <STRONG data-end="2505" data-start="2484">Add to Block list</STRONG> feature within the Restriction Profile directly, adding the executable names (for example, <CODE data-end="2609" data-start="2597">chrome.exe</CODE>, <CODE data-end="2628" data-start="2611">ChromeSetup.exe</CODE>) rather than using a behavioral BIOC. BIOCs are asynchronous and may allow initial execution before terminating the process.</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Thu, 26 Feb 2026 13:21:23 GMT susekar 2026-02-26T13:21:23Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/custom-bioc-rule-won-t-apply-to-prevention-profile/m-p/1248727#M9168 <P>We are attempting to make a custom BIOC rule to prevent the use of certain softwares on our servers. Applying the BIOC to a prevention profile works, except for when we add any exceptions. Say we are attempting to block Google Chrome on servers, we add an exception for a prefix used for end user device names and the BIOC can no longer be applied to any prevention rule. Am I missing something? Is this a bug perhaps?</P> Fri, 20 Feb 2026 19:18:47 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/custom-bioc-rule-won-t-apply-to-prevention-profile/m-p/1248727#M9168 M.McClure 2026-02-20T19:18:47Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/custom-bioc-rule-won-t-apply-to-prevention-profile/m-p/1249055#M9170 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/309634035">@M.McClure</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.<BR /><BR /></P> <P data-end="373" data-start="83">The behavior you are experiencing is a design limitation of Cortex XDR and not a bug. When a Behavioral Indicator of Compromise (BIOC) rule is added to a Restrictions Profile for prevention, it is converted into a rule that must be evaluated locally by the Cortex XDR agent on the endpoint.</P> <P data-end="373" data-start="83">&nbsp;</P> <P data-end="740" data-start="375">To ensure the agent can enforce these rules in real time without relying on server-side context, certain fields are prohibited in the BIOC query logic. Adding an exception based on Host Name (or device name prefixes) makes the rule ineligible for prevention enforcement, causing it to disappear from selection lists or lose the "Add to restrictions profile" option.</P> <P data-end="740" data-start="375">&nbsp;</P> <H4 data-end="788" data-start="747">Prohibited Fields for Prevention BIOCs:</H4> <P data-end="887" data-start="790">A BIOC rule cannot be applied to a prevention profile if it contains any of the following fields:</P> <UL data-end="1264" data-start="889"> <LI data-end="964" data-start="889"> <P data-end="964" data-start="891"><STRONG data-end="906" data-start="891">All Events:</STRONG> Host Name (this is likely what is triggering your issue).</P> </LI> <LI data-end="1018" data-start="965"> <P data-end="1018" data-start="967"><STRONG data-end="983" data-start="967">File Events:</STRONG> Device Type, Device Serial Number.</P> </LI> <LI data-end="1086" data-start="1019"> <P data-end="1086" data-start="1021"><STRONG data-end="1040" data-start="1021">Process Events:</STRONG> Device Type, Device Serial Number, User Name.</P> </LI> <LI data-end="1129" data-start="1087"> <P data-end="1129" data-start="1089"><STRONG data-end="1108" data-start="1089">Network Events:</STRONG> Country, Raw Packet.</P> </LI> <LI data-end="1264" data-start="1130"> <P data-end="1264" data-start="1132"><STRONG data-end="1149" data-start="1132">XQL Specific:</STRONG> Complex operators like <CODE data-end="1183" data-start="1173">contains</CODE> or <CODE data-end="1191" data-start="1187">in</CODE> used with wildcards (*) are often unsupported; use regex (<CODE data-end="1254" data-start="1250">~=</CODE>) instead.</P> </LI> </UL> <H4 data-end="1294" data-start="1271">Recommended Solution:</H4> <P data-end="1440" data-start="1296">Instead of including host-based exceptions within the BIOC rule itself, you should separate the behavioral definition from the deployment scope.</P> <H5 data-end="1471" data-start="1442">1. Modify the BIOC Rule:</H5> <P data-end="1652" data-start="1472">Remove the filters or exceptions related to host names or device prefixes. Ensure the rule only defines the behavior you want to block (for example, the execution of <CODE data-end="1650" data-start="1638">chrome.exe</CODE>).</P> <H5 data-end="1689" data-start="1654">2. Add to Restriction Profile:</H5> <UL data-end="1809" data-start="1690"> <LI data-end="1733" data-start="1690"> <P data-end="1733" data-start="1692">Navigate to <STRONG data-end="1730" data-start="1704">Detection Rules &gt; BIOC</STRONG>.</P> </LI> <LI data-end="1809" data-start="1734"> <P data-end="1809" data-start="1736">Right-click your generic rule and select <STRONG data-end="1808" data-start="1777">Add to restrictions profile</STRONG>.</P> </LI> </UL> <H5 data-end="1853" data-start="1811">3. Use Policy Management for Scoping:</H5> <UL data-end="2208" data-start="1854"> <LI data-end="1932" data-start="1854"> <P data-end="1932" data-start="1856">Navigate to <STRONG data-end="1929" data-start="1868">Endpoints &gt; Policy Management &gt; Prevention &gt; Policy Rules</STRONG>.</P> </LI> <LI data-end="2020" data-start="1933"> <P data-end="2020" data-start="1935">Create a policy rule that targets only your servers (by group, alias, or hostname).</P> </LI> <LI data-end="2108" data-start="2021"> <P data-end="2108" data-start="2023">Assign the Restriction Profile containing your custom BIOC to this specific policy.</P> </LI> <LI data-end="2208" data-start="2109"> <P data-end="2208" data-start="2111">For end-user devices, use a different policy rule that does not include this Restriction Profile.</P> </LI> </UL> <P data-end="2362" data-start="2210">This approach allows the BIOC to remain agent-enforceable while still restricting the block action to the specific set of servers you intend to protect.</P> <H4 data-end="2401" data-start="2369">Alternative for Google Chrome:</H4> <P data-is-only-node="" data-is-last-node="" data-end="2753" data-start="2403">If your goal is specifically to block Chrome, it is often recommended to use the <STRONG data-end="2505" data-start="2484">Add to Block list</STRONG> feature within the Restriction Profile directly, adding the executable names (for example, <CODE data-end="2609" data-start="2597">chrome.exe</CODE>, <CODE data-end="2628" data-start="2611">ChromeSetup.exe</CODE>) rather than using a behavioral BIOC. BIOCs are asynchronous and may allow initial execution before terminating the process.</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Thu, 26 Feb 2026 13:21:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/custom-bioc-rule-won-t-apply-to-prevention-profile/m-p/1249055#M9170 susekar 2026-02-26T13:21:23Z