Cannot add BIOC rule to restriction profiles

Cannot add BIOC rule to restriction profiles

L0 Member

Hello,

I'm receiving malware incidents with files signed by the same signer entity. However, Cortex XDR often only detects these files without blocking them. I want to prevent this behavior by creating a BIOC rule that detects processes with that specific signer and converting it into a prevention rule. However, when I try to add the BIOC rule to a Restrictions profile, I get a "No matching profiles" error.

[attached screenshot: SAlves_0-1778845767968.png]


L5 Sessionator

Hello @S.Alves ,

Greetings for the day.

The "No matching profiles" error or the inability to add a Behavioral Indicator of Compromise (BIOC) rule to a Restrictions profile typically occurs when the rule's query contains fields that are incompatible with agent-side prevention or when no valid user-defined profiles exist.

1. Why you see "No matching profiles"

Custom Prevention Rules (converted BIOCs) are executed locally on the Cortex XDR agent. Because of this, they must be generic and cannot include fields that require server-side context or describe the endpoint's identity.

The rule will be disqualified from appearing for Restriction profiles if:

  • Prohibited Fields are used: You cannot use fields like agent_hostname, agent_ip_addresses, agent_os_sub_type, or host_name.
  • Incompatible Investigation Types: The BIOC must be based on supported types such as process_execution, file_event, or module_event. Rules based only on the generic PROCESS event type (without specific subtypes) may also be disqualified.
  • Default Profiles: You can only add BIOCs to existing user-created Restriction profiles; "Cortex XDR Default" profiles will not appear as options.
  • OS Mismatch: The BIOC rule's OS scope must align with the target Restrictions profile's OS.

2. How to correctly create a Signer-based Prevention Rule:

To block applications by their digital signer, follow these steps:

Step 1: Create the BIOC Rule:
  1. Navigate to Detection Rules → BIOC and select + Add BIOC.
  2. Choose the Process entity (using the rule builder/Legacy XQL).
  3. Enable the Signer field:
    • By default, the SIGNER field is grayed out.
    • You must first set the SIGNATURE field to signed to enable it.
  4. Enter the exact name of the signer in the SIGNER field (for example, NETSUPPORT LTD).
  5. Ensure no prohibited fields (such as hostname or IP fields) are included in the query.
Step 2: Convert to Prevention:
  1. Right-click the rule and select Add to restrictions profile.
  2. Select your user-created Restrictions profile.
Step 3: Configure the Profile and Policy:
  1. Go to Endpoints → Policy Management → Profiles → Restrictions.
  2. Ensure Custom Prevention Rule is enabled within the profile settings.
  3. Assign this profile to a Policy Rule that targets the desired endpoints.

3. Important Implementation Note: Asynchronous Blocking:

Converted BIOC rules are asynchronous. The agent does not suspend a process while evaluating the rule; it allows the process to start and then issues a termination command if a match is found.

  • If the process is extremely short-lived, it may finish before the agent can kill it, resulting in a "Detected" alert instead of "Prevented".
  • For guaranteed synchronous prevention (blocking before launch), consider:
    • Adding the file hash to the blocklist in the Action Center, or
    • Blocking by Image Path in an Exceptions profile.

If you feel this has answered your query, please let us know by clicking "Like" and "Mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
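As an added illustration of the eligibility rules listed in section 1 of the reply (this is example code written for this page, not Cortex XDR's own logic or API), the following Python models a BIOC rule and a Restrictions profile and reports which disqualifiers would lead to a "No matching profiles" result. Only the prohibited field names (`agent_hostname`, `agent_ip_addresses`, `agent_os_sub_type`, `host_name`), the supported investigation types (`process_execution`, `file_event`, `module_event`) and the signature/signer dependency come from the reply; the `BiocRule` and `RestrictionsProfile` classes, the lowercase `signature`/`signer` keys and the OS labels are assumptions used to make the check runnable.

```python
"""Pre-flight check: would a BIOC rule be accepted by a Restrictions profile?

Hypothetical model written to illustrate the disqualifiers described in the
forum reply. It is not Cortex XDR code; field and type names are assumptions
except where they are quoted from the reply.
"""
from dataclasses import dataclass

# Fields the reply names as prohibited in agent-side (local) prevention rules.
PROHIBITED_FIELDS = frozenset({
    "agent_hostname", "agent_ip_addresses", "agent_os_sub_type", "host_name",
})

# Investigation types the reply lists as supported for conversion to prevention.
SUPPORTED_TYPES = frozenset({"process_execution", "file_event", "module_event"})


@dataclass
class BiocRule:
    name: str
    investigation_type: str   # e.g. "process_execution"
    os: str                   # assumed labels: "windows", "linux", "macos"
    fields: dict              # query field -> value (constructed, not XQL)


@dataclass
class RestrictionsProfile:
    name: str
    os: str
    is_default: bool = False  # "Cortex XDR Default" profiles are not selectable


def disqualifiers(rule: BiocRule, profile: RestrictionsProfile) -> list:
    """Return the reasons the rule cannot be added to the profile (empty = OK)."""
    reasons = []

    used_prohibited = sorted(PROHIBITED_FIELDS & set(rule.fields))
    if used_prohibited:
        reasons.append("prohibited fields: " + ", ".join(used_prohibited))

    if rule.investigation_type not in SUPPORTED_TYPES:
        reasons.append(f"unsupported investigation type: {rule.investigation_type}")

    if profile.is_default:
        reasons.append(f"profile {profile.name!r} is a default profile")

    if rule.os != profile.os:
        reasons.append(f"OS mismatch: rule targets {rule.os}, profile is {profile.os}")

    # The reply notes SIGNER is only enabled once SIGNATURE is set to signed;
    # modelled here as a rule-level consistency check (assumption).
    if "signer" in rule.fields and rule.fields.get("signature") != "signed":
        reasons.append("signer requires signature = signed")

    return reasons


def matching_profiles(rule: BiocRule, profiles: list) -> list:
    """Names of the profiles the rule could be added to, in the given order."""
    return [p.name for p in profiles if not disqualifiers(rule, p)]


if __name__ == "__main__":
    # Constructed sample data; the signer value is the one quoted in the reply.
    signer_rule = BiocRule(
        name="Block NETSUPPORT signer",
        investigation_type="process_execution",
        os="windows",
        fields={"signature": "signed", "signer": "NETSUPPORT LTD"},
    )
    host_scoped_rule = BiocRule(
        name="Same signer, but host-scoped",
        investigation_type="process_execution",
        os="windows",
        fields={"signature": "signed", "signer": "NETSUPPORT LTD",
                "agent_hostname": "WS-01"},
    )
    profiles = [
        RestrictionsProfile("Cortex XDR Default", "windows", is_default=True),
        RestrictionsProfile("Workstations-Restrictions", "windows"),
        RestrictionsProfile("Linux-Servers", "linux"),
    ]
    for rule in (signer_rule, host_scoped_rule):
        print(rule.name, "->", matching_profiles(rule, profiles) or "No matching profiles")
        for p in profiles:
            for reason in disqualifiers(rule, p):
                print(f"  {p.name}: {reason}")
```

Running the block prints which of the constructed profiles each rule could be added to; the host-scoped variant matches none, which is the situation in the original question when a hostname or IP field slips into the query.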
