02-24-2023 03:02 AM
Hello,
There is an issue with one of the BIOC rules provided by Palo Alto, specifically the rule with Global ID "94fed992-c1da-4b69-9caa-292221b8c070".
The wildcards for the command line arguments that this rule intends to detect are off. To be precise, all leading wildcards in this detection have a space after them, thus rendering the rule unable to detect the actual activity taking place.
E.g. (not a real argument): * test*, while the correct form would be *test*.
I have tested this and indeed it does not work as intended right now.
Could you please review it from your side and make the necessary changes, or guide me on how to open a ticket/email elsewhere if needed? From what I understand, this is not a tenant-specific issue, so I thought opening a thread here was more appropriate.
Thanks in advance,
Ilias
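To illustrate the matching difference the post describes, here is an added Python example; it is not part of the thread and not Palo Alto's rule engine or content. It assumes BIOC wildcards behave like shell globs (`*` matches any run of characters, everything else is literal), runs both the defective and the corrected pattern over constructed command lines, and adds a small linter that flags and normalizes patterns carrying the leading-wildcard-plus-space defect so a rule set can be checked before deployment.

```python
import fnmatch
import re

# Constructed sample patterns: the first reproduces the defect described in the
# post (leading wildcard followed by a space), the second is the corrected form.
# These are illustrative strings, not the vendor's actual rule content.
BROKEN_PATTERN = "* test*"
FIXED_PATTERN = "*test*"

# Constructed command lines a detection would be evaluated against.
SAMPLE_CMDLINES = [
    "powershell.exe -enc test123",   # token preceded by a space: both patterns match
    "tool.exe --flag=test",           # token glued to "=": only the fixed pattern matches
    "tool.exe /unittest",             # token inside a word: only the fixed pattern matches
    "notepad.exe readme.txt",         # no "test" at all: neither pattern matches
]


def matches(pattern: str, cmdline: str) -> bool:
    """Assumption: glob-like semantics, where '*' matches any run of characters
    (including none). Case-insensitive, as Windows command lines are."""
    return fnmatch.fnmatchcase(cmdline.lower(), pattern.lower())


def evaluate(pattern: str, cmdlines=SAMPLE_CMDLINES) -> list:
    """Return the sample command lines the pattern would fire on."""
    return [c for c in cmdlines if matches(pattern, c)]


# A '*' at the very start of the pattern followed by whitespace.
_LEADING_WILDCARD_SPACE = re.compile(r"^\*\s+")


def has_leading_wildcard_space(pattern: str) -> bool:
    """Flag the defect from the post: the space after the leading '*' forces a
    space before the token, so the rule misses the token when it is attached to
    '=', '/' or another character."""
    return bool(_LEADING_WILDCARD_SPACE.match(pattern))


def normalize(pattern: str) -> str:
    """Remove the whitespace between a leading '*' and the token it should match."""
    return _LEADING_WILDCARD_SPACE.sub("*", pattern)


def lint_patterns(patterns) -> list:
    """Return (original, corrected) pairs for every pattern carrying the defect."""
    return [(p, normalize(p)) for p in patterns if has_leading_wildcard_space(p)]


if __name__ == "__main__":
    for p in (BROKEN_PATTERN, FIXED_PATTERN):
        print(f"{p!r:12} fires on: {evaluate(p)}")
    print("patterns needing correction:",
          lint_patterns([BROKEN_PATTERN, FIXED_PATTERN, "*foo*"]))
```

Running it shows the broken pattern firing only on the command line where the token happens to be preceded by a space, while the corrected pattern also catches the `--flag=test` and `/unittest` forms; `lint_patterns` is the check a detection team would run over exported rule content to find the same defect elsewhere.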
02-24-2023 10:08 AM
Hi @ithermos.
I would recommend opening a TAC case with these findings so that it is properly documented and can be investigated internally by Palo Alto teams.
03-15-2023 01:22 AM
Hi all,
Just a heads up: via a TAC case, indeed, the resolution is on the way. IMO though, there should be another path for these kinds of issues (rule/content based, global, etc.).
Thanks,
Ilias