03-12-2026 09:26 AM
Hi everyone,
I’m working on a BIOC of type Process, and I’m trying to use the process_file_info field as a filter. When I run a search, this field shows up as a JSON object containing details like product name, version, etc.
The problem is:
BIOC filters only seem to support exact string matching, and since process_file_info is JSON, I can’t match individual fields inside it.
If I try using a wildcard, I get this error:
Field action_process_file_info for operator wildcard is invalid.
Expected string but received json.
Has anyone found a way to filter on specific values inside process_file_info within a BIOC, or is this simply not supported?
If not, what’s the recommended workaround?
Thanks!
03-12-2026 03:05 PM
Hello @FCossard ,
Greetings for the day.
In Cortex XDR, the process_file_info field (and variations like action_process_file_info or actor_process_file_info) is a structured Record or JSON object containing multiple metadata attributes. Direct filtering on the root field using string-based operators (like contains or wildcards) is not supported, because the system expects a primitive string but receives a complex JSON object, which results in an error.
The most effective way to filter on specific values inside process_file_info is to create an XQL-based BIOC and use dot notation to target nested string attributes within the JSON object.
Navigate to Detection > BIOC > Add BIOC.
Select XQL Query as the rule type (rather than the form-based builder).
Reference the specific sub-field using the format [FIELD_NAME].[ATTRIBUTE].
To filter for a specific product name and version within a process execution:
process_file_info
Common attributes you can reference with dot notation:
product_name
file_version
product_version
company
description
internal_name
original_name
legal_copyright
These fields are extracted from the executable’s metadata.
If you only need to match process name, path, or command line, it is recommended to use existing primitive string fields, as these support standard BIOC UI operators and wildcards:
Process name: action_process_image_name
Full path: action_process_image_path
Command line: action_process_image_command_line
If you intend to use this BIOC for Custom Prevention Rules (CPR):
Ensure the fields you reference are supported for prevention.
Some complex JSON-based logic may be restricted to Detection Only if it cannot be evaluated synchronously by the agent.
The BIOC must be enabled within a Restriction Profile to block activity.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
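To make the distinction in the answer concrete, here is an added example that is not part of the thread or of Cortex XDR itself: a small Python model of BIOC-style condition evaluation. It shows why a string operator on the record-typed root field fails with the error quoted in the question, while a dotted path such as action_process_file_info.product_name resolves to a primitive string that can be compared. The event, the operator names and the helper functions are constructed for illustration.

```python
import fnmatch
from typing import Any

# Constructed event (not real telemetry): one primitive string field plus the
# record-typed process_file_info object that holds the executable's metadata.
SAMPLE_EVENT = {
    "action_process_image_name": "setup.exe",
    "action_process_file_info": {
        "product_name": "Example Installer",
        "product_version": "2.1.0",
        "company": "Example Corp",
    },
}

class FilterTypeError(TypeError):
    """A string operator was applied to a record-typed (JSON) field."""

def resolve(event: dict, field_path: str) -> Any:
    """Walk a dotted path such as 'action_process_file_info.product_name'; None if absent."""
    node: Any = event
    for part in field_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def match(event: dict, field_path: str, operator: str, value: str) -> bool:
    """Evaluate one BIOC-style condition: '=' (exact), 'wildcard' (glob) or 'contains'."""
    target = resolve(event, field_path)
    if isinstance(target, dict):  # root of the JSON object: same failure the thread reports
        raise FilterTypeError(f"Field {field_path} for operator {operator} is invalid. "
                              "Expected string but received json.")
    if target is None:  # missing attribute fails closed rather than matching
        return False
    text = str(target)
    if operator == "=":
        return text == value
    if operator == "wildcard":
        return fnmatch.fnmatchcase(text.lower(), value.lower())
    if operator == "contains":
        return value.lower() in text.lower()
    raise ValueError(f"unsupported operator: {operator}")

def product_rule(event: dict, product_name: str, product_version: str) -> bool:
    """The thread's use case: AND two dotted sub-field conditions instead of the root field."""
    return (match(event, "action_process_file_info.product_name", "=", product_name)
            and match(event, "action_process_file_info.product_version", "=", product_version))
```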