This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Behavioral threat detected (rule: bioc.syscall.remote banker behavior)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Behavioral threat detected (rule: bioc.syscall.remote banker behavior)

EricAghasian
L1 Bithead

‎11-08-2020 03:47 PM

Hi Guys, 

 

In the Cortex XDR, we are getting an alert indicating Behavioral threat detected (rule: bioc.syscall.remote banker behavior). Although the file is blocked which is benign, the is no information related to the rule. Does anyone have a clear idea about the rule?

 

Regards

4 people had this problem.
5 REPLIES 5

KanwarSingh01
L3 Networker

‎11-23-2020 05:03 PM

Hi There,

 

We would recommend you to open up a support case with palo alto where you will have to submit the alert data for them to investigate.

 

The rule which you have mentioned alone does not signify much as this is a friendly name to one of the rule set in EDR.

KanwarSingh01_0-1606179743657.png

Kind Regards
KS
0 Likes Likes

EricAghasian
L1 Bithead
In response to KanwarSingh01

‎11-23-2020 05:09 PM

I have already opened the case with them and they confirmed my case as a FP but the issue is that there is no explanation about it. As long as there is no explanation, it cannot be decide whether the alert is a FP or a real threat. 

0 Likes Likes

KanwarSingh01
L3 Networker
In response to EricAghasian

‎11-23-2020 05:33 PM

Did you have an alert around the same time on the same endpoint? If yes, can you post the details on that alert?

Kind Regards
KS
0 Likes Likes

KRisselada
L2 Linker

‎01-28-2021 02:24 PM

@KanwarSingh01 my apologies if I missed it, but is there a central location or notification of what the list of BTP rules looks like?  What is their contents?  When were they applied, etc?  Perhaps I am totally missing it, but I don't know where to find that.  Weather its for this particular one or ANY BTP rule (Behavioral threat detected (rule: bioc.syscall.entrypoint_patching) OR Behavioral threat detected (rule: heuristic.agb.5637) OR Behavioral threat detected (rule: accessibility_feature_escalation), etc

I mean the name has some clue to what its doing but is there insight as a Cortex XDR admin, you have of them and the BTP list looks like?  What they do, when they were last changed or had updates to them?


thank you

EricAghasian
L1 Bithead

‎05-19-2021 06:18 PM

Hi KRisselada, 

 

You cannot find any list of BIOC rules per my knowledge and a follow up with Palo Engineers. These are preconfigured rules from Palo Alto Networks with no intention to share (if they share, protection would go undermine). 

 

Regards

0 Likes Likes
  • 7525 Views
  • 5 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks