bioc not prevent


L4 Transporter

Hi everyone,

I've created this BIOC:

dataset = xdr_data | filter event_type = ENUM.LOAD_IMAGE | filter ACTOR_PROCESS_COMMAND_LINE contains "netsh" and ACTOR_PROCESS_COMMAND_LINE contains "advfirewall" and ACTOR_PROCESS_COMMAND_LINE contains "set" and ACTOR_PROCESS_COMMAND_LINE contains "currentprofile" and ACTOR_PROCESS_COMMAND_LINE contains "state" and ACTOR_PROCESS_COMMAND_LINE contains "off"

but Cortex does not prevent this action, it only detects it... How can I configure this to prevent?

If this post answers your question, please mark it as the solution.




Best regards
Tiago Marques

L5 Sessionator

Hello @tlmarques ,

 

Greetings for the day.

 

Standard Behavioral Indicator of Compromise (BIOC) rules in Cortex XDR are configured for Detection only by default. To enable prevention (blocking), you must convert the BIOC into a Custom Prevention Rule and apply it to an active Restrictions Profile.

 

The rule you created is currently failing to block because of incompatible XQL syntax and the selected event type. Follow these steps to configure it correctly for prevention:

1. Please Correct the XQL Syntax:

The Cortex XDR agent has specific requirements for prevention rules. The contains operator and simple string matching are often incompatible with agent-side enforcement.

  • Use the Regex Operator: Replace contains with the regular expression operator ~= (tilde equals).
  • Change the Event Type: Instead of ENUM.LOAD_IMAGE, use ENUM.PROCESS. This enables the agent to block the command at execution time rather than reacting to a module load.
Recommended Corrected Query:
dataset = xdr_data 
| filter event_type = ENUM.PROCESS
| filter action_process_image_command_line ~= ".*netsh.*advfirewall.*set.*currentprofile.*state.*off.*"

2. Configure the Prevention Action

Once the BIOC rule is saved using compatible syntax, link it to a Restrictions Profile:

  1. Navigate to Detection Rules → BIOC.
  2. Locate your rule, right-click it, and select Add to restrictions profile.
    (If this option is missing, the XQL syntax is still incompatible with the agent’s prevention requirements.)
  3. Select the Windows Restrictions Profile assigned to your target endpoints.
  4. In the profile settings, ensure the rule is Enabled. The enforcement action for an enabled Custom Prevention Rule is automatically set to Block.
  5. Save the profile and perform a manual check-in on the endpoint to force the policy update.

Important Caveats:

Asynchronous Nature:
Behavioral Threat Protection (BTP) is an asynchronous module. If the netsh process executes and terminates very quickly before the agent can intervene, the alert may appear as Detected even though the rule is configured to block.

 

Whitelisting:
Some critical system processes are whitelisted from termination to maintain OS stability. If the command originates from a whitelisted process, process termination may be skipped.

 

Note - License Requirement: Creating and managing custom BIOC rules requires a Cortex XDR Pro license.

 

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar
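As an added illustration (not part of either post, and not Cortex XDR code), the Python below models the two queries in the thread in plain code to show where they differ: the question's chain of contains conditions fires when the six tokens appear in any order, while the reply's ordered regex only fires when they appear in sequence, and both fire on substrings such as "off" inside "Office". Assumptions: command lines are case-folded before matching (the actual XQL case semantics are not stated on the page), and the sample command lines are constructed.

```python
import re

# Tokens from the question's BIOC (all must be present, order ignored).
CONTAINS_TOKENS = ["netsh", "advfirewall", "set", "currentprofile", "state", "off"]

# Regex from the reply's corrected prevention query (tokens must appear in order).
PREVENTION_REGEX = re.compile(r".*netsh.*advfirewall.*set.*currentprofile.*state.*off.*")


def contains_rule(cmdline: str) -> bool:
    """Mirror of the question's BIOC: every token somewhere in the command line."""
    lowered = cmdline.lower()  # assumption: case-insensitive comparison
    return all(tok in lowered for tok in CONTAINS_TOKENS)


def regex_rule(cmdline: str) -> bool:
    """Mirror of the reply's corrected query: the tokens in this exact order."""
    return PREVENTION_REGEX.search(cmdline.lower()) is not None  # assumption: case-folded


# Constructed sample command lines for comparison (not taken from the page).
SAMPLES = {
    "disable_firewall": "netsh advfirewall set currentprofile state off",
    "full_path_quoted": '"C:\\Windows\\System32\\netsh.exe" advfirewall set currentprofile state off',
    "enable_firewall": "netsh advfirewall set currentprofile state on",
    # Same six tokens, different order: the contains chain fires, the regex does not.
    "reordered_tokens": "netsh advfirewall set state off currentprofile",
    # Firewall left ON, but "Office" in the redirect path contains "off": both rules fire.
    "substring_false_positive": "netsh advfirewall set currentprofile state on > C:\\Office\\fw.txt",
    "unrelated": "netsh interface show interface",
}


def evaluate(samples=SAMPLES):
    """Return {name: (contains_rule result, regex_rule result)} for each sample."""
    return {name: (contains_rule(cmd), regex_rule(cmd)) for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, (by_contains, by_regex) in evaluate().items():
        print(f"{name:26s} contains={by_contains!s:5s} regex={by_regex}")
```

The reordered and substring cases are the ones worth tuning for when a rule is promoted from detection to blocking, since a block on a false positive is far more disruptive than an alert.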
