03-12-2025 10:22 AM
Good afternoon,
I'm trying to create a BIOC rule that tells me when users are trying to access the wetransfer.com and dropbox.com DNS. To do this, I generated the following XQL. When run, it shows me the logs of the connections to these DNS.
dataset = xdr_data
| filter dns_query_name = "*wetransfer*" or dns_query_name = "*dropbox*"
This XQL works correctly, but when I write it in the BIOC rule, it gives me errors. First, it tells me I should include an Event_type. I modified the XQL and it looks like this:
dataset = xdr_data
| filter event_type = "STORY"
| filter dns_query_name = "*wetransfer*" or dns_query_name = "*dropbox*"
But when I run it, it tells me that BIOC is not supported.
Could you help me correct this XQL so that it works as a BIOC rule?
Thanks.
03-25-2025 09:43 AM
Hello, the XQL that worked for me to create the BIOC was this one:
dataset = xdr_data
| filter event_type = ENUM.STORY
| filter dns_query_name = "*wetransfer*" or dns_query_name = "*dropbox*"
| filter actor_process_image_name != "svchost.exe" or actor_process_command_line != "*svchost.exe*"
I filtered it so it wouldn't generate alerts with network services. After this, I generated an automation rule based on the BIOC alerts to stop the CGO from running on the processes. Thank you.
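To see which xdr_data rows the accepted BIOC filter would keep, here is an added Python model of that rule run over constructed sample events (example code, not from the thread and not Cortex XDR's own engine; it assumes XQL's `*` behaves as a glob wildcard and uses the field names exactly as they appear in the posts).

```python
from fnmatch import fnmatchcase

# XQL-style wildcard patterns taken from the accepted BIOC query
DNS_PATTERNS = ("*wetransfer*", "*dropbox*")


def glob_eq(value, pattern):
    """Model XQL's `field = "*text*"` comparison as a case-sensitive glob (assumption)."""
    return fnmatchcase(value or "", pattern)


def bioc_matches(ev):
    """Apply the three filters of the accepted BIOC rule to one xdr_data row."""
    # 1. BIOC rules need an event_type gate; the accepted rule uses ENUM.STORY
    if ev.get("event_type") != "STORY":
        return False
    # 2. The DNS query name hits either cloud file-sharing pattern (subdomains included)
    if not any(glob_eq(ev.get("dns_query_name"), p) for p in DNS_PATTERNS):
        return False
    # 3. Exclusion as written with `or`: a row is dropped only when BOTH the image
    #    name and the command line identify svchost.exe
    image_is_svchost = ev.get("actor_process_image_name") == "svchost.exe"
    cmd_is_svchost = glob_eq(ev.get("actor_process_command_line"), "*svchost.exe*")
    return (not image_is_svchost) or (not cmd_is_svchost)


def run_rule(events):
    """Return (host, process, dns name) for every row the rule would alert on."""
    return [(e["agent_hostname"], e["actor_process_image_name"], e["dns_query_name"])
            for e in events if bioc_matches(e)]


# Constructed sample rows in the shape of xdr_data (not real telemetry)
SAMPLE_EVENTS = [
    {"event_type": "STORY", "agent_hostname": "ws01", "actor_process_image_name": "chrome.exe",
     "actor_process_command_line": "chrome.exe --profile-directory=Default",
     "dns_query_name": "wetransfer.com"},
    {"event_type": "STORY", "agent_hostname": "ws01", "actor_process_image_name": "svchost.exe",
     "actor_process_command_line": r"C:\Windows\System32\svchost.exe -k NetworkService",
     "dns_query_name": "dropbox.com"},
    {"event_type": "STORY", "agent_hostname": "ws02", "actor_process_image_name": "outlook.exe",
     "actor_process_command_line": "OUTLOOK.EXE", "dns_query_name": "dl.dropboxusercontent.com"},
    {"event_type": "STORY", "agent_hostname": "ws02", "actor_process_image_name": "chrome.exe",
     "actor_process_command_line": "chrome.exe", "dns_query_name": "example.com"},
    {"event_type": "NETWORK", "agent_hostname": "ws03", "actor_process_image_name": "chrome.exe",
     "actor_process_command_line": "chrome.exe", "dns_query_name": "wetransfer.com"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Running it alerts on the chrome.exe and outlook.exe rows, drops the svchost.exe row because both exclusion conditions hold, and ignores the NETWORK row because the STORY gate fails.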
03-14-2025 06:58 AM
Hi @Rolando_Pena, thanks for reaching out to us on the Live Community.
Try this one:
dataset = xdr_data
| filter event_type = ENUM.NETWORK and action_external_hostname in ("*wetransfer*","*dropbox*")
If this post answers your question, please mark it as the solution.