02-20-2026 11:18 AM
We are attempting to make a custom BIOC rule to prevent the use of certain software on our servers. Applying the BIOC to a prevention profile works, except when we add any exceptions. Say we are attempting to block Google Chrome on servers: we add an exception for a prefix used for end-user device names, and the BIOC can no longer be applied to any prevention rule. Am I missing something? Is this a bug, perhaps?
02-26-2026 05:21 AM
Hello @M.McClure,
Greetings for the day.
The behavior you are experiencing is a design limitation of Cortex XDR and not a bug. When a Behavioral Indicator of Compromise (BIOC) rule is added to a Restrictions Profile for prevention, it is converted into a rule that must be evaluated locally by the Cortex XDR agent on the endpoint.
To ensure the agent can enforce these rules in real time without relying on server-side context, certain fields are prohibited in the BIOC query logic. Adding an exception based on Host Name (or device name prefixes) makes the rule ineligible for prevention enforcement, causing it to disappear from selection lists or lose the "Add to restrictions profile" option.
A BIOC rule cannot be applied to a prevention profile if it contains any of the following fields:
All Events: Host Name (this is likely what is triggering your issue).
File Events: Device Type, Device Serial Number.
Process Events: Device Type, Device Serial Number, User Name.
Network Events: Country, Raw Packet.
XQL Specific: Complex operators like contains or in used with wildcards (*) are often unsupported; use regex (~=) instead.
Instead of including host-based exceptions within the BIOC rule itself, you should separate the behavioral definition from the deployment scope.
Remove the filters or exceptions related to host names or device prefixes. Ensure the rule only defines the behavior you want to block (for example, the execution of chrome.exe).
Navigate to Detection Rules > BIOC.
Right-click your generic rule and select Add to restrictions profile.
Navigate to Endpoints > Policy Management > Prevention > Policy Rules.
Create a policy rule that targets only your servers (by group, alias, or hostname).
Assign the Restriction Profile containing your custom BIOC to this specific policy.
For end-user devices, use a different policy rule that does not include this Restriction Profile.
This approach allows the BIOC to remain agent-enforceable while still restricting the block action to the specific set of servers you intend to protect.
If your goal is specifically to block Chrome, it is often recommended to use the Add to Block list feature within the Restriction Profile directly, adding the executable names (for example, chrome.exe, ChromeSetup.exe) rather than using a behavioral BIOC. BIOCs are asynchronous and may allow initial execution before terminating the process.
If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
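As an added illustration (not code from this thread and not Cortex XDR's own logic), the Python below models the two points made in the reply above: a BIOC whose conditions or exceptions touch one of the listed fields is not eligible for a Restrictions Profile, and scoping to servers is done by policy-rule targeting rather than by a host-name exception inside the BIOC. The field labels are the human-readable names quoted in the reply, not real XQL column identifiers, and the sample rules, endpoints, groups and the "LT-" laptop prefix are constructed for the example.

```python
"""Model of BIOC prevention eligibility and policy-based scoping.

Added example, not Cortex XDR code.  Field names are the labels used in
the forum reply (assumption: the real XQL identifiers differ).
"""
from dataclasses import dataclass, field

# Fields the reply lists as making a BIOC ineligible for prevention,
# keyed by event type ("all" applies to every event type).
PROHIBITED_FIELDS = {
    "all": {"host_name"},
    "file": {"device_type", "device_serial_number"},
    "process": {"device_type", "device_serial_number", "user_name"},
    "network": {"country", "raw_packet"},
}


@dataclass
class BiocRule:
    name: str
    event_type: str                     # "file", "process" or "network"
    conditions: dict                    # field -> value: behaviour to match
    exceptions: dict = field(default_factory=dict)  # field -> value: excluded

    def fields_used(self) -> set:
        # Exceptions count as much as conditions: both become agent-side logic.
        return set(self.conditions) | set(self.exceptions)


def prevention_blockers(rule: BiocRule) -> list:
    """Fields in the rule that remove the 'Add to restrictions profile' option."""
    banned = PROHIBITED_FIELDS["all"] | PROHIBITED_FIELDS.get(rule.event_type, set())
    return sorted(rule.fields_used() & banned)


def is_prevention_eligible(rule: BiocRule) -> bool:
    return not prevention_blockers(rule)


@dataclass
class Endpoint:
    hostname: str
    group: str          # endpoint group the agent belongs to


@dataclass
class PolicyRule:
    name: str
    target_groups: set          # groups this policy rule applies to
    restriction_profiles: set   # BIOC rule names carried as restrictions


def effective_restrictions(endpoint: Endpoint, policies: list) -> set:
    """Union of restriction profiles from every policy rule targeting the endpoint."""
    out = set()
    for policy in policies:
        if endpoint.group in policy.target_groups:
            out |= policy.restriction_profiles
    return out


# Constructed sample data (hypothetical names, not from the thread).
# The rule the original poster described: behaviour plus a host-name exception.
BROKEN_RULE = BiocRule("block-chrome", "process",
                       conditions={"process_image_name": "chrome.exe"},
                       exceptions={"host_name": "LT-*"})
# The same behaviour with the scope removed, as the reply recommends.
FIXED_RULE = BiocRule("block-chrome", "process",
                      conditions={"process_image_name": "chrome.exe"})
# Scope moves into policy targeting: servers get the profile, laptops do not.
POLICIES = [
    PolicyRule("servers-policy", {"servers"}, {"block-chrome"}),
    PolicyRule("end-user-policy", {"laptops"}, set()),
]

if __name__ == "__main__":
    print("broken rule blockers:", prevention_blockers(BROKEN_RULE))
    print("fixed rule eligible:", is_prevention_eligible(FIXED_RULE))
    for ep in (Endpoint("SRV-01", "servers"), Endpoint("LT-0042", "laptops")):
        print(ep.hostname, "->", effective_restrictions(ep, POLICIES))
```

The check runs the rule's exception fields through the same list as its conditions, which is why the host-name exception alone is enough to make the rule disappear from the profile picker; moving the "LT-" scope into the end-user policy rule leaves the BIOC itself free of prohibited fields.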