This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Analytic BIOC Rules, right click open in query builder, informational severity not available

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Analytic BIOC Rules, right click open in query builder, informational severity not available

NathanBradley
L3 Networker

‎05-10-2022 07:04 AM

We have a support ticket open for "informational" analytic BIOC rules that are not alerting.

These do not show up in the incidents or alert table, but the number of alerts in that column has more than 0

Support has indicated there is not a way to view the hits of the rule

Does anyone know a way to view these analytic bioc rule alerts

 

When viewing normal bioc rules, you can right click and open in query builder.

This option isn't available when looking at analytic bioc rules.

Is there a place or way to view how the rule is structured...what the xql query is? 

 

2 people had this problem.
3 REPLIES 3

KanwarSingh01
L3 Networker

‎05-11-2022 09:45 PM - edited ‎05-11-2022 09:46 PM

@NathanBradley 

The below article can best explain you the logic behind all the ABIOC rules setup in Cortex.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-...

In general, informational alerts will only show up when an incident is triggered and get stitched with other alerts as part of insights in an incident to help better understand the incident.

 

Speaking for myself, if we start investigating into informational alerts then we will end up chasing false positives but there might be cases where your investigation might lead to a possible suspicious activity.

 

In order to find the suspicious activity you will first need to know some start point. For example:

In this cases we are looking for a command called "net user" (we created a BIOC rule to detect this command as informational). So lets say the query returned a result from there on we dig into the causality chain and then click on the process itself and then see the activity for alert as informational. (Not the best way to look for informational alert but does the trick.) You can use a similar logic to find ABIOC informational alerts.

KanwarSingh01_1-1652330651374.png

 

Thank You.

Kind Regards
KS
0 Likes Likes

NathanBradley
L3 Networker

‎05-12-2022 07:05 AM

Im looking for a way to either see the events that caused the analytic bioc to fire

or a way to view the query behind the rule

 

For example the rule below has 7 alerts

 

NathanBradley_0-1652364269918.png

 

 

 

0 Likes Likes

SamuelSt
L0 Member
In response to KanwarSingh01

‎01-16-2023 02:05 PM

Wondering how I can hunt for BIOC "elevation of privilege" events, for example pertinent to "CVE-2023-21674 "

0 Likes Likes
  • 2811 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks