How to filter process_file_info in a BIOC

FCossard — Thu, 12 Mar 2026 16:26:48 GMT

Hi everyone,

I’m working on a BIOC of type Process, and I’m trying to use the process_file_info field as a filter. When I run a search, this field shows up as a JSON object containing details like product name, version, etc.

The problem is:
BIOC filters only seem to support exact string matching, and since process_file_info is JSON, I can’t match individual fields inside it.

If I try using a wildcard, I get this error:

Field action_process_file_info for operator wildcard is invalid.
Expected string but received json.

Has anyone found a way to filter on specific values inside process_file_info within a BIOC, or is this simply not supported?
If not, what’s the recommended workaround?

Thanks!

Re: How to filter process_file_info in a BIOC

susekar — Thu, 12 Mar 2026 22:05:29 GMT

Hello @FCossard ,

Greetings for the day.

In Cortex XDR, the process_file_info field (and variations like action_process_file_info or actor_process_file_info) is a structured Record or JSON object containing multiple metadata attributes. Direct filtering on the root field using string-based operators (like contains or wildcards) is not supported, because the system expects a primitive string but receives a complex JSON object, which results in an error.

Recommended Workaround: Use Dot Notation in an XQL BIOC

The most effective way to filter on specific values inside process_file_info is to create an XQL-based BIOC and use dot notation to target nested string attributes within the JSON object.

Step-by-Step Implementation

Navigate to Detection > BIOC > Add BIOC.
Select XQL Query as the rule type (rather than the form-based builder).
Reference the specific sub-field using the format [FIELD_NAME].[ATTRIBUTE].

Example Query

To filter for a specific product name and version within a process execution:

dataset = xdr_data
| filter event_type = ENUM.PROCESS
| filter action_process_file_info.product_name contains "AnyDesk"
| filter action_process_file_info.file_version = "6.3.2"

Available Sub-Fields inside `process_file_info`

Common attributes you can reference with dot notation:

product_name
file_version
product_version
company
description
internal_name
original_name
legal_copyright

These fields are extracted from the executable’s metadata.

Alternative: Use Dedicated String Fields:

If you only need to match process name, path, or command line, it is recommended to use existing primitive string fields, as these support standard BIOC UI operators and wildcards:

Process name: action_process_image_name
Full path: action_process_image_path
Command line: action_process_image_command_line

Important Note on Prevention

If you intend to use this BIOC for Custom Prevention Rules (CPR):

Ensure the fields you reference are supported for prevention.
Some complex JSON-based logic may be restricted to Detection Only if it cannot be evaluated synchronously by the agent.
The BIOC must be enabled within a Restriction Profile to block activity.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

Re: How to filter process_file_info in a BIOC

FCossard — Mon, 16 Mar 2026 10:39:33 GMT

Well noted regarding the distinction between JSON and string results. I’m just trying to understand why, in this case, the default XSIAM BIOC query allows access to this field if it’s supposed to be available only in XQL Queries. Is there a roadmap indicating when these parameters might become directly usable?

topic Re: How to filter process_file_info in a BIOC in Cortex XSIAM Discussions

How to filter process_file_info in a BIOC

Re: How to filter process_file_info in a BIOC

Recommended Workaround: Use Dot Notation in an XQL BIOC

Step-by-Step Implementation

Example Query

Available Sub-Fields inside process_file_info

Alternative: Use Dedicated String Fields:

Important Note on Prevention

Re: How to filter process_file_info in a BIOC

Available Sub-Fields inside `process_file_info`