Rule for Detection Powershell Execution


L0 Member

I created a BIOC to detect running processes in PowerShell and I intend to exclude some processes to avoid showing too many false positives, such as: SenseIR.exe and CompatTelRunner.exe.


Cortex XDR 

1 REPLY

L4 Transporter

Hello @J.Lopes279044,

Greetings for the day.


To exclude legitimate processes like SenseIR.exe and CompatTelRunner.exe from your custom PowerShell BIOC rule and reduce false positives, you can use one of the following two methods:

Option 1: Create a BIOC Suppression Rule (Recommended):

This is the preferred method because it prevents the detection engine from matching the activity against specific legitimate processes without requiring you to modify the underlying BIOC rule logic.

Steps:

  1. Navigate to:
    Settings > Exceptions Configuration > IOC/BIOC Suppression Rules

  2. Click +Add Rule and select Create New.

  3. In the Scope section, define the criteria for the processes you wish to exclude
    (for example: Process Name is SenseIR.exe or CompatTelRunner.exe).

  4. Under BIOC selection, choose Specific BIOC.

  5. Search for and select the custom BIOC rule you created for PowerShell.

  6. Save the rule to suppress future alerts for these specific processes.

-------------------------------------------

Option 2: Modify the Custom BIOC Rule Logic:

If you prefer to tune the rule itself, you can add exclusion filters directly into the rule definition.

Using the BIOC Builder (GUI):
  1. Navigate to:
    Detection Rules > BIOC

  2. Locate and edit your custom BIOC.

  3. In the Filters section, add a condition to exclude the processes using the Does Not Equal or Not In operators.

Example filter logic:

  Process Name != SenseIR.exe
  AND Process Name != CompatTelRunner.exe

Using XQL (Query-Based BIOC):

If your BIOC is based on an XQL query, you can add a filter to exclude the specific process image names:

  | filter actor_process_image_name not in ("SenseIR.exe", "CompatTelRunner.exe")

Alternatively, using individual "not equal" filters:

  | filter actor_process_image_name != "SenseIR.exe"
    and actor_process_image_name != "CompatTelRunner.exe"

Additional Best Practices:
  • Hash-Based Exclusions:
    If the process names are too common and you are concerned about potential security gaps, consider excluding them by their file hashes (MD5/SHA256) instead of names.

  • Restriction Profiles:
    If you intend to use this BIOC for prevention (blocking), ensure it is added to a Restriction Profile and enabled for the appropriate target endpoints.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
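As an added example (not part of the original thread, and not Palo Alto's code), the following Python models the PowerShell-execution BIOC from the question and the two exclusion styles discussed in the reply, run over a handful of constructed process-start events. It shows concretely what the "security gaps" bullet is getting at: excluding the parent by image name also hides any unrelated binary that happens to be called SenseIR.exe or CompatTelRunner.exe, while excluding by the parent's SHA256 only hides the known Microsoft binaries. It goes slightly beyond the thread by treating pwsh.exe as PowerShell as well. The field names follow the xdr_data columns the reply uses (actor_* for the parent, action_* for the started process); the hashes, file paths and the embedded XQL query are assumptions for illustration and should be checked against your own tenant's schema.

```python
"""
Added example (not from the thread): a small model of the PowerShell-execution
BIOC and of the two exclusion styles the reply discusses, run over constructed
process-start events. Field names mirror the xdr_data columns used in the
reply (actor_* = parent process, action_* = process being started); the
SHA256 values and paths are placeholders, not real hashes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    action_process_image_name: str    # the process being started (the child)
    actor_process_image_name: str     # the parent that started it
    actor_process_image_path: str
    actor_process_image_sha256: str


# Placeholder hashes standing in for the real, signed Microsoft binaries.
SENSEIR_SHA256 = "a" * 64
COMPATTEL_SHA256 = "b" * 64

# Constructed sample telemetry (not captured from a tenant).
EVENTS = [
    # 1. interactive user launching PowerShell: should alert
    ProcessEvent("powershell.exe", "explorer.exe",
                 r"C:\Windows\explorer.exe", "c" * 64),
    # 2./3. the noisy Microsoft parents from the question: should be excluded
    ProcessEvent("powershell.exe", "SenseIR.exe",
                 r"C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe",
                 SENSEIR_SHA256),
    ProcessEvent("powershell.exe", "CompatTelRunner.exe",
                 r"C:\Windows\System32\CompatTelRunner.exe", COMPATTEL_SHA256),
    # 4. an unrelated binary renamed to an excluded name: must still alert
    ProcessEvent("powershell.exe", "SenseIR.exe",
                 r"C:\Users\Public\SenseIR.exe", "d" * 64),
    # 5. PowerShell 7 launched by another renamed parent: same story
    ProcessEvent("pwsh.exe", "compattelrunner.exe",
                 r"C:\Temp\compattelrunner.exe", "e" * 64),
    # 6. not PowerShell at all: never matches the BIOC
    ProcessEvent("cmd.exe", "explorer.exe", r"C:\Windows\explorer.exe", "c" * 64),
]

# Case-folded so "SenseIR.exe" and "senseir.exe" are treated alike; check how
# your XQL comparison handles case before relying on the same behaviour there.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
EXCLUDED_PARENT_NAMES = {"senseir.exe", "compattelrunner.exe"}
EXCLUDED_PARENT_HASHES = {SENSEIR_SHA256, COMPATTEL_SHA256}

# Reference XQL for the hash-based variant. Assumed to match the xdr_data
# schema (event_type, action_/actor_ columns); verify in your tenant before use.
XQL_HASH_EXCLUSION = """
dataset = xdr_data
| filter event_type = ENUM.PROCESS
    and action_process_image_name in ("powershell.exe", "pwsh.exe")
| filter actor_process_image_sha256 not in ("<SenseIR.exe sha256>", "<CompatTelRunner.exe sha256>")
"""


def matches_bioc(ev: ProcessEvent) -> bool:
    """The base rule: a PowerShell image is being started."""
    return ev.action_process_image_name.casefold() in POWERSHELL_IMAGES


def excluded_by_name(ev: ProcessEvent) -> bool:
    """Option 2 as written in the reply: drop events whose parent has an excluded name."""
    return ev.actor_process_image_name.casefold() in EXCLUDED_PARENT_NAMES


def excluded_by_hash(ev: ProcessEvent) -> bool:
    """The hash-based best practice: drop only the known parent binaries."""
    return ev.actor_process_image_sha256.lower() in EXCLUDED_PARENT_HASHES


def alerts(events, exclusion):
    """Events that match the BIOC and survive the given exclusion."""
    return [ev for ev in events if matches_bioc(ev) and not exclusion(ev)]


def compare(events=EVENTS) -> dict:
    """Summarise what each exclusion style lets through and what it hides."""
    by_name = alerts(events, excluded_by_name)
    by_hash = alerts(events, excluded_by_hash)
    # Parents that only the name-based exclusion silenced: the gap.
    hidden_by_name_only = [ev.actor_process_image_path
                           for ev in by_hash if ev not in by_name]
    return {
        "alerts_by_name": len(by_name),
        "alerts_by_hash": len(by_hash),
        "hidden_by_name_only": hidden_by_name_only,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running it shows the name-based exclusion leaving a single alert while the hash-based one leaves three, the two extra being the renamed binaries in C:\Users\Public and C:\Temp that the name filter silently suppressed. If you do stay with name-based exclusions, consider also constraining actor_process_image_path to the expected install location so a same-named binary elsewhere still alerts.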