09-08-2025 07:48 AM
Unable to get it why the below BIOC rule can't be added into the restrictions policy. I was trying to write a BIOC rule for monitoring dropped files via certutil. :
dataset = xdr_data
| filter event_type = 2 and event_sub_type = ENUM.NETWORK_STREAM_CONNECT
| filter actor_process_image_name = "certutil.exe"
| filter (
os_actor_process_command_line ~= ".*-urlcache.*" or
os_actor_process_command_line ~= ".*-decode.*" or
os_actor_process_command_line ~= ".*-encode.*" )
09-15-2025 07:24 AM
Hi @P.Madye
Restrictions Profile in Cortex XDR is not the same thing as a BIOC rule. So you cant always put a BIOC within a Restriction profile.
Restrictions Profile is a prevention feature that blocks execution of files, processes, scripts, or DLLs based on static conditions (e.g., file path, extension, process name, certificate).
Your query is a behavioral detection (network activity + process + command-line arguments). That’s dynamic behavior detection, not static blocking.
Because of this, Restrictions cannot “understand” filters like event_type, event_sub_type, or regex on command lines.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.
KR,
Luis
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
