This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

[Cortex XDR] - I Want to monitor the file creation, modification, removal, etc. under the specified path through the BIOC Rule.

cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

[Cortex XDR] - I Want to monitor the file creation, modification, removal, etc. under the specified path through the BIOC Rule.

S.Lin576639
L1 Bithead

‎01-19-2025 09:22 PM

Dear Everyone,

I would like to use the XDR BIOC Rule to block the host from creating, editing, deleting, renaming, etc. files in specific file paths.

 

I tried to write a BIOC Rule but found that it can't be successfully applied to the Restrictions profile, and there is no Alert generated due to the matching of this rule, does anyone know why it can't be applied to the Restrictions profile? Thanks for your help!

 

BIOC detail:

dataset = xdr_data | filter event_type = ENUM.FILE and
event_sub_type in(
ENUM.FILE_DIR_REMOVE, ENUM.FILE_DIR_CREATE,
ENUM.FILE_DIR_RENAME, ENUM.FILE_DIR_WRITE,
ENUM.FILE_CREATE_NEW, ENUM.FILE_REMOVE,
ENUM.FILE_RENAME, ENUM.FILE_WRITE,
ENUM.FILE_CHANGE_OWNER ,ENUM.FILE_DIR_CHANGE_OWNER,
ENUM.FILE_SET_SECURITY_DESCRIPTOR, ENUM.FILE_DIR_SET_SECURITY_DESCRIPTOR,
ENUM.FILE_IMPERSONATE_PIPE, ENUM.FILE_SET_ATTRIBUTE,
ENUM.FILE_DELETE_EXT_ATTRIBUTE,
ENUM.DOT_NET_SUSPICIOUS_FILE_EXISTS_CHECK,ENUM.DOT_NET_SUSPICIOUS_REFLECTION
)
| filter lowercase(action_file_path) = "d:\*"

 

 

0 Likes Likes
8 REPLIES 8

jmazzeo
L5 Sessionator

‎01-20-2025 07:35 AM

Hi @S.Lin576639, thanks for reaching us using the Live Community.

 

You can't add the BIOC to a restrictions profile because you are not filtering a process. The restrictions profiles are used to block processes after being detected by the custom BIOC rule.

More information here and here.

 

This example worked for me in a quick test:

dataset = xdr_data 
| filter event_type = ENUM.FILE and event_sub_type in(ENUM.FILE_CREATE_NEW, ENUM.FILE_RENAME, ENUM.FILE_WRITE)
| filter action_file_path contains "*Downloads*" // Change it with your path
| fields agent_hostname, action_file_path, action_file_name // Add more fields as needed

 

If this post answers your question, please mark it as the solution.

JM
0 Likes Likes

S.Lin576639
L1 Bithead
In response to jmazzeo

‎01-21-2025 01:35 AM

Dear @jmazzeo,

So the BIOC Rule can only be added to the restrictions profile for monitoring (generating an Alert) if no Process is specified? Is there any restriction on adding bioc rule to restrictions profile?

 

Thank you.

0 Likes Likes

J.Gammara
L1 Bithead
In response to S.Lin576639

‎01-23-2025 06:33 AM

Hello @S.Lin576639 ,

I hope everything is going well, I would like to share with you this information:

"By using the BIOC rules, you can configure custom prevention rules to terminate the causality chain of a malicious process according to the Action Mode defined in the associated Restrictions Security Profile and trigger Cortex XDR Agent behavioral prevention type alerts in addition to the BIOC rule detection alerts.

For example, if you configure a custom prevention rule for a BIOC Process event, apply it to the Restrictions profile with an action mode set to Block, the Cortex XDR agent:

0 Likes Likes

vkonar
L1 Bithead

‎03-07-2025 06:45 AM

What are the possible reasons on why i am unable to get add restriction profile option on my custom BIOC rule?no_option_restriction_profile_add.png

0 Likes Likes

jmazzeo
L5 Sessionator
In response to vkonar

‎03-07-2025 08:36 AM

Can you share the BIOC rule? Please clean any sensitive information.

JM
0 Likes Likes

vkonar
L1 Bithead
In response to jmazzeo

‎03-07-2025 09:54 PM

Dear @jmazzeo , 

Please find below BIOC rule Behavior.

 

Process [ action type = execution AND target process name = procexp.exe ] AND Process [ initiated by = powershell.exe , powershell_ise.exe ] AND Host [ host name = <REDACTED> AND host os = <REDACTED> ]

 

Is this enough or need further details? Let me know.

 

0 Likes Likes

jmazzeo
L5 Sessionator
In response to vkonar

‎03-14-2025 06:46 AM

Hi @vkonar, you need to remove the hostname and the host OS. The BIOC rules needs to be focused in processes behavior, but also I think that one is too generic and can cause issues. Could be good to add a command line that can start the process execution from powersheel.

JM

vkonar
L1 Bithead
In response to jmazzeo

‎03-15-2025 06:41 AM

Removed Hostname and Host OS . Now i am able to see add to restriction profile option on BIOC rule. Thanks again! 

0 Likes Likes
  • 856 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks