https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-not-prevent/m-p/1254908#M9351 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307134">@tlmarques</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <DIV class="" data-is-intersecting="true" data-turn-id-container="8bccfb5f-fd6f-4b89-94a0-748432221f45">&nbsp;</DIV> <DIV class="" data-is-intersecting="true" data-turn-id-container="request-6a0f6c0f-2c60-83ea-b42b-a7f7697a935c-3"> <SECTION class="text-token-text-primary w-full focus:outline-none has-data-writing-block:pointer-events-none [&amp;:has([data-writing-block])&gt;*]:pointer-events-auto R6Vx5W_threadScrollVars scroll-mb-[calc(var(--scroll-root-safe-area-inset-bottom,0px)+var(--thread-response-height))] scroll-mt-[calc(var(--header-height)+min(200px,max(70px,20svh)))]" dir="auto" data-turn="assistant" data-scroll-anchor="false" data-testid="conversation-turn-66" data-turn-id-container="request-6a0f6c0f-2c60-83ea-b42b-a7f7697a935c-3" data-turn-id="request-6a0f6c0f-2c60-83ea-b42b-a7f7697a935c-3"> <DIV class="text-base my-auto mx-auto pb-10 [--thread-content-margin:var(--thread-content-margin-xs,calc(var(--spacing)*4))] @w-sm/main:[--thread-content-margin:var(--thread-content-margin-sm,calc(var(--spacing)*6))] @w-lg/main:[--thread-content-margin:var(--thread-content-margin-lg,calc(var(--spacing)*16))] px-(--thread-content-margin)"> <DIV class="[--thread-content-max-width:40rem] @w-lg/main:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn"> <DIV class="flex max-w-full flex-col gap-4 grow"> <DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal outline-none keyboard-focused:focus-ring [.text-message+&amp;]:mt-1" dir="auto" tabindex="0" data-turn-start-message="true" data-message-model-slug="gpt-5-5" data-message-id="b0db3f29-582d-42df-bd24-8587b2321814" data-message-author-role="assistant"> <DIV class="flex w-full flex-col gap-1 empty:hidden"> <DIV class="markdown prose dark:prose-invert wrap-break-word w-full dark markdown-new-styling"> <P data-end="265" data-start="0">Standard Behavioral Indicator of Compromise (BIOC) rules in Cortex XDR are configured for <STRONG data-end="108" data-start="90">Detection only</STRONG> by default. To enable prevention (blocking), you must convert the BIOC into a <STRONG data-end="213" data-start="187">Custom Prevention Rule</STRONG> and apply it to an active <STRONG data-end="264" data-start="240">Restrictions Profile</STRONG>.</P> <P data-end="265" data-start="0">&nbsp;</P> <P data-end="442" data-start="267">The rule you created is currently failing to block because of incompatible XQL syntax and the selected event type. Follow these steps to configure it correctly for prevention:</P> <H5 data-end="473" data-start="444" data-section-id="1bn0tbm">1. Please Correct the XQL Syntax:</H5> <P data-end="646" data-start="475">The Cortex XDR agent has specific requirements for prevention rules. The <CODE data-end="558" data-start="548">contains</CODE> operator and simple string matching are often incompatible with agent-side enforcement.</P> <UL data-end="934" data-start="648"> <LI data-end="754" data-start="648" data-section-id="kn08ii"><STRONG data-end="677" data-start="650">Use the Regex Operator:</STRONG> Replace <CODE data-end="696" data-start="686">contains</CODE> with the regular expression operator <CODE data-end="738" data-start="734">~=</CODE> (tilde equals).</LI> <LI data-end="934" data-start="755" data-section-id="1ptd7fw"><STRONG data-end="783" data-start="757">Change the Event Type:</STRONG> Instead of <CODE data-end="812" data-start="795">ENUM.LOAD_IMAGE</CODE>, use <CODE data-end="832" data-start="818">ENUM.PROCESS</CODE>. This enables the agent to block the command at execution time rather than reacting to a module load.</LI> </UL> <H5 data-end="968" data-start="936"><STRONG data-end="968" data-start="936">Recommended Corrected Query:</STRONG></H5> <DIV class="relative w-full mt-4 mb-1"> <DIV class=""> <DIV class="relative"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="border border-token-border-light border-radius-3xl corner-superellipse/1.1 rounded-3xl"> <DIV class="h-full w-full border-radius-3xl bg-token-bg-elevated-secondary corner-superellipse/1.1 overflow-clip rounded-3xl lxnfua_clipPathFallback"> <DIV class="relative"> <DIV class=""> <DIV class="relative z-0 flex max-w-full"> <DIV id="code-block-viewer" class="q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch ͼs ͼ16" dir="ltr"> <DIV class="cm-scroller"> <PRE class="cm-content q9tKkq_readonly m-0"><CODE><SPAN>dataset = xdr_data </SPAN><BR /><SPAN>| filter event_type = ENUM.PROCESS </SPAN><BR /><SPAN>| filter action_process_image_command_line ~= ".*netsh.*advfirewall.*set.*currentprofile.*state.*off.*"</SPAN></CODE></PRE> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <H4 data-end="1192" data-start="1154" data-section-id="57c76b">2. Configure the Prevention Action</H4> <P data-end="1281" data-start="1194">Once the BIOC rule is saved using compatible syntax, link it to a Restrictions Profile:</P> <OL data-end="1857" data-start="1283"> <LI data-end="1325" data-start="1283" data-section-id="d1idvz">Navigate to <STRONG data-end="1324" data-start="1298">Detection Rules → BIOC</STRONG>.</LI> <LI data-end="1521" data-start="1326" data-section-id="1duxics">Locate your rule, right-click it, and select <STRONG data-end="1405" data-start="1374">Add to restrictions profile</STRONG>.<BR data-end="1409" data-start="1406" /><EM data-end="1521" data-start="1412">(If this option is missing, the XQL syntax is still incompatible with the agent’s prevention requirements.)</EM></LI> <LI data-end="1603" data-start="1522" data-section-id="1ryf4u7">Select the <STRONG data-end="1568" data-start="1536">Windows Restrictions Profile</STRONG> assigned to your target endpoints.</LI> <LI data-end="1759" data-start="1604" data-section-id="830kwn">In the profile settings, ensure the rule is <STRONG data-end="1662" data-start="1651">Enabled</STRONG>. The enforcement action for an enabled Custom Prevention Rule is automatically set to <STRONG data-end="1758" data-start="1749">Block</STRONG>.</LI> <LI data-end="1857" data-start="1760" data-section-id="18ug1gb">Save the profile and perform a <STRONG data-end="1813" data-start="1794">manual check-in</STRONG> on the endpoint to force the policy update.</LI> </OL> <H4 data-end="1880" data-start="1859" data-section-id="1eultmf">(Important Caveats here)</H4> <P data-end="2144" data-start="1882"><STRONG data-end="1906" data-start="1882">Asynchronous Nature:</STRONG><BR data-end="1909" data-start="1906" />Behavioral Threat Protection (BTP) is an asynchronous module. If the <CODE data-end="1985" data-start="1978">netsh</CODE> process executes and terminates very quickly before the agent can intervene, the alert may appear as <STRONG data-end="2099" data-start="2087">Detected</STRONG> even though the rule is configured to block.</P> <P data-end="2144" data-start="1882">&nbsp;</P> <P data-end="2345" data-start="2146"><STRONG data-end="2163" data-start="2146">Whitelisting:</STRONG>Some critical system processes are whitelisted from termination to maintain OS stability. If the command originates from a whitelisted process, process termination may be skipped.</P> <P data-end="2345" data-start="2146">&nbsp;</P> <P data-is-only-node="" data-is-last-node="" data-end="2452" data-start="2347"><STRONG data-end="2371" data-start="2347">Note - License Requirement:&nbsp;</STRONG>Creating and managing custom BIOC rules requires a <STRONG data-end="2443" data-start="2425">Cortex XDR Pro</STRONG> license.</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </SECTION> </DIV> <P>&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking&nbsp;<STRONG>like&nbsp;</STRONG>and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Wed, 27 May 2026 19:48:03 GMT susekar 2026-05-27T19:48:03Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-not-prevent/m-p/1254890#M9350 <P>Hi everyone,</P> <P>&nbsp;</P> <P>i've created this bioc:</P> <DIV class="ng-scroll-content"> <DIV class="tw:mx-6 tw:mb-4 tw:flex"> <DIV class="tw:flex tw:min-w-0 tw:flex-1 tw:flex-col tw:gap-2"><SPAN class="tw:text-body-sm-normal tw:break-words tw:line-clamp-5 ng-star-inserted">dataset = xdr_data | filter event_type = ENUM.LOAD_IMAGE | filter ACTOR_PROCESS_COMMAND_LINE contains "netsh" and ACTOR_PROCESS_COMMAND_LINE contains "advfirewall" and ACTOR_PROCESS_COMMAND_LINE contains "set" and ACTOR_PROCESS_COMMAND_LINE contains "currentprofile" and ACTOR_PROCESS_COMMAND_LINE contains "state" and ACTOR_PROCESS_COMMAND_LINE contains "off"</SPAN></DIV> </DIV> </DIV> <DIV class="tw:flex tw:w-full tw:flex-1 tw:flex-col"> <DIV class="tw:flex tw:h-10 tw:items-center"> <DIV class="tw:ml-auto tw:flex tw:items-center tw:gap-2 tw:pr-6"> <DIV class="tw:active:bg-input-active tw:appearance-none tw:base tw:bg-transparent tw:flex tw:focus-visible:outline-hidden tw:h-8 tw:hover:bg-input-hover tw:items-center tw:max-w-full tw:min-w-24 tw:placeholder:text-placeholder tw:pr-[36px] tw:px-3 tw:rounded-sm tw:select-none tw:self-stretch tw:text-base tw:w-full tw:aria-expanded:bg-input-default tw:cursor-pointer tw:focus-visible:ring tw:focus:bg-input-default tw:text-default" tabindex="0" role="combobox" aria-disabled="false" aria-invalid="false" aria-required="false" aria-expanded="false" aria-haspopup="listbox" data-slot="combobox-trigger">&nbsp;</DIV> </DIV> </DIV> </DIV> <DIV class="ng-scroll-content"> <DIV class="tw:mx-6 tw:flex tw:flex-1 tw:flex-col"> <DIV class="tw:mt-1.5 tw:mb-10 tw:flex tw:flex-1 tw:flex-col tw:gap-6"> <DIV class="tw:flex tw:w-full tw:flex-1 tw:flex-col"> <DIV class="tw:h-full tw:m-0 tw:px-5 tw:py-4"> <DIV class="tw:flex tw:flex-1 tw:items-center tw:justify-between">&nbsp;</DIV> <DIV class="tw:flex tw:flex-1 tw:items-center tw:justify-between">&nbsp;</DIV> <DIV class="tw:flex tw:flex-1 tw:items-center tw:justify-between">but the cortex not prevent this action, only detect ... how i can configure this for prevent??<BR /><BR /></DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Wed, 27 May 2026 12:17:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-not-prevent/m-p/1254890#M9350 tlmarques 2026-05-27T12:17:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-not-prevent/m-p/1254908#M9351 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307134">@tlmarques</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <DIV class="" data-is-intersecting="true" data-turn-id-container="8bccfb5f-fd6f-4b89-94a0-748432221f45">&nbsp;</DIV> <DIV class="" data-is-intersecting="true" data-turn-id-container="request-6a0f6c0f-2c60-83ea-b42b-a7f7697a935c-3"> <SECTION class="text-token-text-primary w-full focus:outline-none has-data-writing-block:pointer-events-none [&amp;:has([data-writing-block])&gt;*]:pointer-events-auto R6Vx5W_threadScrollVars scroll-mb-[calc(var(--scroll-root-safe-area-inset-bottom,0px)+var(--thread-response-height))] scroll-mt-[calc(var(--header-height)+min(200px,max(70px,20svh)))]" dir="auto" data-turn="assistant" data-scroll-anchor="false" data-testid="conversation-turn-66" data-turn-id-container="request-6a0f6c0f-2c60-83ea-b42b-a7f7697a935c-3" data-turn-id="request-6a0f6c0f-2c60-83ea-b42b-a7f7697a935c-3"> <DIV class="text-base my-auto mx-auto pb-10 [--thread-content-margin:var(--thread-content-margin-xs,calc(var(--spacing)*4))] @w-sm/main:[--thread-content-margin:var(--thread-content-margin-sm,calc(var(--spacing)*6))] @w-lg/main:[--thread-content-margin:var(--thread-content-margin-lg,calc(var(--spacing)*16))] px-(--thread-content-margin)"> <DIV class="[--thread-content-max-width:40rem] @w-lg/main:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn"> <DIV class="flex max-w-full flex-col gap-4 grow"> <DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal outline-none keyboard-focused:focus-ring [.text-message+&amp;]:mt-1" dir="auto" tabindex="0" data-turn-start-message="true" data-message-model-slug="gpt-5-5" data-message-id="b0db3f29-582d-42df-bd24-8587b2321814" data-message-author-role="assistant"> <DIV class="flex w-full flex-col gap-1 empty:hidden"> <DIV class="markdown prose dark:prose-invert wrap-break-word w-full dark markdown-new-styling"> <P data-end="265" data-start="0">Standard Behavioral Indicator of Compromise (BIOC) rules in Cortex XDR are configured for <STRONG data-end="108" data-start="90">Detection only</STRONG> by default. To enable prevention (blocking), you must convert the BIOC into a <STRONG data-end="213" data-start="187">Custom Prevention Rule</STRONG> and apply it to an active <STRONG data-end="264" data-start="240">Restrictions Profile</STRONG>.</P> <P data-end="265" data-start="0">&nbsp;</P> <P data-end="442" data-start="267">The rule you created is currently failing to block because of incompatible XQL syntax and the selected event type. Follow these steps to configure it correctly for prevention:</P> <H5 data-end="473" data-start="444" data-section-id="1bn0tbm">1. Please Correct the XQL Syntax:</H5> <P data-end="646" data-start="475">The Cortex XDR agent has specific requirements for prevention rules. The <CODE data-end="558" data-start="548">contains</CODE> operator and simple string matching are often incompatible with agent-side enforcement.</P> <UL data-end="934" data-start="648"> <LI data-end="754" data-start="648" data-section-id="kn08ii"><STRONG data-end="677" data-start="650">Use the Regex Operator:</STRONG> Replace <CODE data-end="696" data-start="686">contains</CODE> with the regular expression operator <CODE data-end="738" data-start="734">~=</CODE> (tilde equals).</LI> <LI data-end="934" data-start="755" data-section-id="1ptd7fw"><STRONG data-end="783" data-start="757">Change the Event Type:</STRONG> Instead of <CODE data-end="812" data-start="795">ENUM.LOAD_IMAGE</CODE>, use <CODE data-end="832" data-start="818">ENUM.PROCESS</CODE>. This enables the agent to block the command at execution time rather than reacting to a module load.</LI> </UL> <H5 data-end="968" data-start="936"><STRONG data-end="968" data-start="936">Recommended Corrected Query:</STRONG></H5> <DIV class="relative w-full mt-4 mb-1"> <DIV class=""> <DIV class="relative"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="h-full min-h-0 min-w-0"> <DIV class="border border-token-border-light border-radius-3xl corner-superellipse/1.1 rounded-3xl"> <DIV class="h-full w-full border-radius-3xl bg-token-bg-elevated-secondary corner-superellipse/1.1 overflow-clip rounded-3xl lxnfua_clipPathFallback"> <DIV class="relative"> <DIV class=""> <DIV class="relative z-0 flex max-w-full"> <DIV id="code-block-viewer" class="q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch ͼs ͼ16" dir="ltr"> <DIV class="cm-scroller"> <PRE class="cm-content q9tKkq_readonly m-0"><CODE><SPAN>dataset = xdr_data </SPAN><BR /><SPAN>| filter event_type = ENUM.PROCESS </SPAN><BR /><SPAN>| filter action_process_image_command_line ~= ".*netsh.*advfirewall.*set.*currentprofile.*state.*off.*"</SPAN></CODE></PRE> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> <H4 data-end="1192" data-start="1154" data-section-id="57c76b">2. Configure the Prevention Action</H4> <P data-end="1281" data-start="1194">Once the BIOC rule is saved using compatible syntax, link it to a Restrictions Profile:</P> <OL data-end="1857" data-start="1283"> <LI data-end="1325" data-start="1283" data-section-id="d1idvz">Navigate to <STRONG data-end="1324" data-start="1298">Detection Rules → BIOC</STRONG>.</LI> <LI data-end="1521" data-start="1326" data-section-id="1duxics">Locate your rule, right-click it, and select <STRONG data-end="1405" data-start="1374">Add to restrictions profile</STRONG>.<BR data-end="1409" data-start="1406" /><EM data-end="1521" data-start="1412">(If this option is missing, the XQL syntax is still incompatible with the agent’s prevention requirements.)</EM></LI> <LI data-end="1603" data-start="1522" data-section-id="1ryf4u7">Select the <STRONG data-end="1568" data-start="1536">Windows Restrictions Profile</STRONG> assigned to your target endpoints.</LI> <LI data-end="1759" data-start="1604" data-section-id="830kwn">In the profile settings, ensure the rule is <STRONG data-end="1662" data-start="1651">Enabled</STRONG>. The enforcement action for an enabled Custom Prevention Rule is automatically set to <STRONG data-end="1758" data-start="1749">Block</STRONG>.</LI> <LI data-end="1857" data-start="1760" data-section-id="18ug1gb">Save the profile and perform a <STRONG data-end="1813" data-start="1794">manual check-in</STRONG> on the endpoint to force the policy update.</LI> </OL> <H4 data-end="1880" data-start="1859" data-section-id="1eultmf">(Important Caveats here)</H4> <P data-end="2144" data-start="1882"><STRONG data-end="1906" data-start="1882">Asynchronous Nature:</STRONG><BR data-end="1909" data-start="1906" />Behavioral Threat Protection (BTP) is an asynchronous module. If the <CODE data-end="1985" data-start="1978">netsh</CODE> process executes and terminates very quickly before the agent can intervene, the alert may appear as <STRONG data-end="2099" data-start="2087">Detected</STRONG> even though the rule is configured to block.</P> <P data-end="2144" data-start="1882">&nbsp;</P> <P data-end="2345" data-start="2146"><STRONG data-end="2163" data-start="2146">Whitelisting:</STRONG>Some critical system processes are whitelisted from termination to maintain OS stability. If the command originates from a whitelisted process, process termination may be skipped.</P> <P data-end="2345" data-start="2146">&nbsp;</P> <P data-is-only-node="" data-is-last-node="" data-end="2452" data-start="2347"><STRONG data-end="2371" data-start="2347">Note - License Requirement:&nbsp;</STRONG>Creating and managing custom BIOC rules requires a <STRONG data-end="2443" data-start="2425">Cortex XDR Pro</STRONG> license.</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </SECTION> </DIV> <P>&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking&nbsp;<STRONG>like&nbsp;</STRONG>and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Wed, 27 May 2026 19:48:03 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-not-prevent/m-p/1254908#M9351 susekar 2026-05-27T19:48:03Z