03-12-2025 10:22 AM
Good afternoon,
I'm trying to create a BIOC rule that tells me when users are trying to access the wetransfer.com and dropbox.com DNS. To do this, I generated the following XQL. When run, it shows me the logs of the connections to these DNS.
dataset = xdr_data
| filter dns_query_name = "*wetransfer*" or dns_query_name = "*dropbox*"
This XQL works correctly, but when I write it in the BIOC rule, it gives me errors. First, it tells me I should include an Event_type. I modified the XQL and it looks like this:
dataset = xdr_data
| filter event_type = "STORY"
| filter dns_query_name = "*wetransfer*" or dns_query_name = "*dropbox*"
But when I run it, it tells me that BIOC is not supported.
Could you help me correct this XQL so that it works as a BIOC rule?
thanks
03-14-2025 06:58 AM
Hi @Rolando_Pena, thanks for reaching us using the Live Community.
Try this one:
dataset = xdr_data
| filter event_type = ENUM.NETWORK and action_external_hostname in ("*wetransfer*","*dropbox*")
If this post answers your question, please mark it as the solution.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
