Questions about IOC/BIOC Suppression rules


L1 Bithead

We are doing a (somewhat rushed) Cortex XDR implementation, and I am new to EDR things (in general). 

I created an IOC/BIOC Supp rule today for an issue with running the Guardian Browser (I'll let you know if it works), and while there I saw 52 System Generated rules. The description on them is "Same process triggered BIOC nnn on 100 different hosts." I thought I could both learn and possibly resolve them. The one I picked happened to be about drvinst.exe. "Well," I said, "that sounds simple."

I searched for the SHA256 hash in the rule, and found thousands of results (that's how I found drvinst.exe). But when I searched Issues for that hash in Target Process SHA256, Initiator SHA256, CGO SHA256, File SHA256 - nada. Zip. There are other SHA256 fields I could check, but never let it be said I can't take a hint.

So I got to thinking and I have a few questions, I'd appreciate hearing your thoughts:

1. Does anyone do this, i.e. trying to resolve the issues causing these System Generated rules? Is it worth the effort?

2. Does anyone know if a System Generated IOC/BIOC Suppression rule will also resolve the issues generated before the rule? (The rule I picked was generated today, so I'd have thought the related Issues would still be around, but I found none.)

3. Does anyone know if PAN writes these rules thinking about the apps/programs/images that cause them? In other words does the fact that this involves drvinst.exe, a well-known Windows process, allow them to generate the rule knowing "well that exe is fine" and NOT suppress issues for lesser known apps?

Thanks for reading and hopefully helping me out?

Paul

1 REPLY

L4 Transporter

Hi Ptrivino1,

Answering your questions:

1. Yes, it is recommended that you fine-tune your Cortex XDR instance to your needs. It will clean up your alerts and findings that are kind of false positives. You know that some legit Windows or other vendor applications can be used by malicious actors to compromise systems, staying stealthy against antivirus because they are legit applications, even signed by the developers: LOLBIN attack techniques.
2. No.
3. We are creating the rules based on observed behavior and environmental prevalence.

Feel free to click Like on the answer if this helped you.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

KR,

Luis