This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

BIOC rule

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

BIOC rule

Go to solution
Anirudha_Jadhav
L0 Member

‎01-08-2024 10:18 AM

How to make BIOC rule in cortex xdr if an attacker tries to upload data to aws from PowerShell CLI? Cortex XDR 

Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
nsinghvirk
L4 Transporter

‎01-12-2024 06:41 AM

Hello @Anirudha_Jadhav 

 

Thanks for reaching out on LiveCommunity!

You can use the Network entity within query builder which provides you with pre build format in order to search network activity by IP address, port, host name, protocol, and more. In addition to network activity you can add acting process where you can define the Powershell parameters like command line, path, SHA256 etc in order to capture powershell details.

Apart from it you can take help from query library by searching for "upload" keyword. There are several prebuilt queries to detect data upload. You can take reference from them and build you own.

 

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

View solution in original post

0 Likes Likes
2 REPLIES 2

Go to solution
nsinghvirk
L4 Transporter

‎01-12-2024 06:41 AM

Hello @Anirudha_Jadhav 

 

Thanks for reaching out on LiveCommunity!

You can use the Network entity within query builder which provides you with pre build format in order to search network activity by IP address, port, host name, protocol, and more. In addition to network activity you can add acting process where you can define the Powershell parameters like command line, path, SHA256 etc in order to capture powershell details.

Apart from it you can take help from query library by searching for "upload" keyword. There are several prebuilt queries to detect data upload. You can take reference from them and build you own.

 

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

0 Likes Likes

Go to solution
nsinghvirk
L4 Transporter

‎01-16-2024 06:58 AM

Hello @Anirudha_Jadhav 

 

Please share the XQL query of the BIOC rule. You can get it by going to BIOC rule and then right click to Open in XQL.

0 Likes Likes
  • 1 accepted solution
  • 980 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks