07-24-2025 08:49 AM
Hi OrkhaM,
BIOCs are for alerting, not preventing/blocking since BIOCs happen and are created and executed on the tenant, not on the agent.
BIOC rules detect behavior related to processes, registry, files, and network activity, but just at the tenant level. Basically these are on the analytics area which is analyse and alert.
So to block in your specific use case, please do the following:
1- Create your BIOC rule logic and save it
2- Go to the table of BIOC rules and right click on your rule, select Add to Restrictions Profile and then select the profiles linked to the endpoints where you want this BIOC Rule to take effect and block. Once you click on save, that BIOC can block if there is a match at the endpoints where this Add to Restrictions Profile is applied.
Watch out,. your logic makes sense and double check it and test it, otherwise you can be blocking legit actions or not blocking at all non-legit actions.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.
KR,
Luis
08-03-2025 09:15 PM
Hi,
We created BIOC rule and we have added it to restrictions. Like you said but its not blocking the actions.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
