Correlation rules create incident

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Correlation rules create incident

L3 Networker

Hey dear sec community!

 

is there a way to setup an correlation rule, which can block and not only detect?

I couldn't find a way. I tried the XQL queries from the libary. 

 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...

 

BR

 

Rob

2 accepted solutions

Accepted Solutions

Hi Cyber1985,

 

There are specific restrictions when attempting to use a custom prevention rule through the Restrictions Profile.  Link to documentation is here (https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/... ), however, I will summarize below:

 

  • To be valid as a BIOC rule, the XQL query must at least filter on event_type
  • To configure a BIOC rule as a prevention rule, the BIOC must not include the following field configurations
    • All Eevnts - Host Name
    • File Event - Device Type, Device Serial Number
    • Process Event - Device Type, Device Serial Number
    • Registry Event - Country, Raw Packet
  • If an OS scope is defined, it must match with the Restrictions profile OS type
  • When defining the Process criteria for a user-defined BIOC rule event type, you can select to run only on actor, causality, and OS actor on Windows, and causality and OS actor on Linux and Mac

Please review your BIOC rule and ensure that it meets these guidelines, if possible, post the BIOC rule here for further troubleshooting.

 

View solution in original post

I found out, you should not take the fields and timeframe to your XQL Query, when a BIOC-Rule + Restriction Input should be created out of it. 

So I was able to get my goal 🙂

 

Thank you very much @afurze @bbarmanroy ! 

 

BR

 

Rob

 

View solution in original post

7 REPLIES 7

L5 Sessionator

Hi @Cyber1985 I believe what you're looking for is Restrictions Profile. You can create a BIOC and add it to a Restrictions Profile for it to block certain behavior. Please note that this will be a post-execution module.

An example is preventing users from using Google Chrome to visit https://1.1.1.1. You can write that BIOC and add it a Restrictions Profile, and apply that to an endpoint/set of endpoints via Security policies.

So correlation rules can't trigger a block, am I right?

 

So I created a BIOC Rule, here you can see it: 

 

Cyber1985_0-1653688620562.png

 

Where is the connection missing? I can remember in past I got that connection between BIOC and custom prevention rule which I could find under the restriction profile. 

 

But now I can only enable it, but cannot define only my custom once, I don't want cortex to block all BIOCs. How can I deal with that? 

 

BR

 

Rob

 

Cyber1985_1-1653688824752.png

 

 

L5 Sessionator

Hi @Cyber1985 please see the below screenshot where I am able to add it to a Restrictions Profile. I hope this meets your needs.

bbarmanroy_0-1654225011171.png

 

Hey! Sure this fits somewhere my needs. But when I create a BIOC Rule out of a XQL, it won't work to put it into a restriction profile. 

I like XQL and how do I translate it to the "standard input BIOC language"? 

 

BR

 

Rob

Hi Cyber1985,

 

There are specific restrictions when attempting to use a custom prevention rule through the Restrictions Profile.  Link to documentation is here (https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/... ), however, I will summarize below:

 

  • To be valid as a BIOC rule, the XQL query must at least filter on event_type
  • To configure a BIOC rule as a prevention rule, the BIOC must not include the following field configurations
    • All Eevnts - Host Name
    • File Event - Device Type, Device Serial Number
    • Process Event - Device Type, Device Serial Number
    • Registry Event - Country, Raw Packet
  • If an OS scope is defined, it must match with the Restrictions profile OS type
  • When defining the Process criteria for a user-defined BIOC rule event type, you can select to run only on actor, causality, and OS actor on Windows, and causality and OS actor on Linux and Mac

Please review your BIOC rule and ensure that it meets these guidelines, if possible, post the BIOC rule here for further troubleshooting.

 

I found out, you should not take the fields and timeframe to your XQL Query, when a BIOC-Rule + Restriction Input should be created out of it. 

So I was able to get my goal 🙂

 

Thank you very much @afurze @bbarmanroy ! 

 

BR

 

Rob

 

L2 Linker

Hi Cyber1985,

Correlation rules only shows actions as an alert. they do not any capability to block the action

SmartIT
  • 2 accepted solutions
  • 4379 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!