Analytic BIOC Rules, right click open in query builder, informational severity not available

cancel
Showing results for 
Search instead for 
Did you mean: 

Analytic BIOC Rules, right click open in query builder, informational severity not available

L2 Linker

We have a support ticket open for "informational" analytic BIOC rules that are not alerting.

These do not show up in the incidents or alert table, but the number of alerts in that column has more than 0

Support has indicated there is not a way to view the hits of the rule

Does anyone know a way to view these analytic bioc rule alerts

 

When viewing normal bioc rules, you can right click and open in query builder.

This option isn't available when looking at analytic bioc rules.

Is there a place or way to view how the rule is structured...what the xql query is? 

 

2 REPLIES 2

L3 Networker

@NathanBradley 

The below article can best explain you the logic behind all the ABIOC rules setup in Cortex.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-...

In general, informational alerts will only show up when an incident is triggered and get stitched with other alerts as part of insights in an incident to help better understand the incident.

 

Speaking for myself, if we start investigating into informational alerts then we will end up chasing false positives but there might be cases where your investigation might lead to a possible suspicious activity.

 

In order to find the suspicious activity you will first need to know some start point. For example:

In this cases we are looking for a command called "net user" (we created a BIOC rule to detect this command as informational). So lets say the query returned a result from there on we dig into the causality chain and then click on the process itself and then see the activity for alert as informational. (Not the best way to look for informational alert but does the trick.) You can use a similar logic to find ABIOC informational alerts.

KanwarSingh01_1-1652330651374.png

 

Thank You.

Kind Regards
KS

L2 Linker

Im looking for a way to either see the events that caused the analytic bioc to fire

or a way to view the query behind the rule

 

For example the rule below has 7 alerts

 

NathanBradley_0-1652364269918.png

 

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!