This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who rated this post

BIOC not supported

Rolando_Pena
L1 Bithead

‎03-12-2025 10:22 AM

Good afternoon,

 

I'm trying to create a BIOC rule that tells me when users are trying to access the wetransfer.com and dropbox.com DNS. To do this, I generated the following XQL. When run, it shows me the logs of the connections to these DNS.

 

dataset = xdr_data
| filter dns_query_name = "*wetransfer*" or dns_query_name = "*dropbox*"

 

This XQL works correctly, but when I write it in the BIOC rule, it gives me errors. First, it tells me I should include an Event_type. I modified the XQL and it looks like this:

 

dataset = xdr_data
| filter event_type = "STORY"
| filter dns_query_name = "*wetransfer*" or dns_query_name = "*dropbox*"

 

But when I run it, it tells me that BIOC is not supported.

Could you help me correct this XQL so that it works as a BIOC rule?

 

thanks

(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks