BIOC rule


L0 Member

How to make a BIOC rule in Cortex XDR if an attacker tries to upload data to AWS from the PowerShell CLI?

Accepted Solutions

L4 Transporter

Hello @Anirudha_Jadhav

Thanks for reaching out on LiveCommunity!

You can use the Network entity within the query builder, which provides you with a prebuilt format to search network activity by IP address, port, host name, protocol, and more. In addition to network activity, you can add the acting process, where you can define PowerShell parameters like command line, path, SHA256, etc. in order to capture PowerShell details.

Apart from that, you can take help from the query library by searching for the "upload" keyword. There are several prebuilt queries to detect data upload. You can take reference from them and build your own.

Please click Accept as Solution to acknowledge that the answer to your question has been provided.
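
The approach described in the reply above (Network entity plus an acting process), written out as an XQL query. This is an added example, not part of the original reply and not a query from the Cortex XDR query library; the field names are assumed from the xdr_data schema and the amazonaws.com hostname match is an assumption, so confirm both in your tenant.

```xql
// Added example (not from the thread). Field names are assumed from the
// xdr_data schema; confirm them in your tenant's schema view.
dataset = xdr_data
// Network entity: only network events
| filter event_type = ENUM.NETWORK
// Acting process: Windows PowerShell or PowerShell 7
| filter lowercase(actor_process_image_name) in ("powershell.exe", "pwsh.exe")
// Assumption: AWS service endpoints resolve under amazonaws.com
| filter lowercase(action_external_hostname) contains "amazonaws.com"
// Columns useful for triage
| fields _time, agent_hostname, actor_process_image_path, actor_process_command_line, actor_process_image_sha256, action_external_hostname, action_remote_ip, action_remote_port
```

Run it as a plain query first to see how much legitimate administrative PowerShell traffic it matches before building the BIOC from its filter conditions.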

L4 Transporter

Hello @Anirudha_Jadhav

Please share the XQL query of the BIOC rule. You can get it by going to the BIOC rule and then right-clicking to Open in XQL.
