XDR utilizes custom BIOC rules where you create BIOC rules based on the set of attribute-value pairs to automatically convert the leads into alerts. Please also reference detections in the XDR analytics alert reference for possible alerts relating uncommon PowerShell commands/ scheduled tasks.
To create a BIOC rule, navigate to Incident Response> Query Builder> then select XQL search. Here, you can enter an XQL query to identify endpoints executing PowerShell. To get started, here is a query to test:
dataset = xdr_data // Using the XDR dataset
| filter lowercase(actor_process_image_name) = "powershell.exe"and action_evtlog_username not contains "system"// Filtering for parent process is powershell.exe and filtering out system
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and lowercase(actor_process_image_name) = "powershell.exe" // Filtering for parent process is powershell.exe
| alter process_cmd = if(lowercase(action_process_image_command_line) contains "c:\users", replex(lowercase(action_process_image_command_line), "c:\\users\\[a-zA-Z0-9.]*", "c:\\users\\USERNAME"), action_process_image_command_line) // Running an alter command to make sure the functions later ignore differences in user paths
| fields action_process_image_name as process_name, action_process_image_command_line as process_cmd, event_id,agent_hostname as hostname, actor_process_image_path as process_path, causality_actor_process_image_path as cgo_path, causality_actor_process_command_line as cgo_cmd // Getting the relevant fields
Once the XQL query is complete, you can create a BIOC rule utilizing its insightful information. BIOC rules can be added via Detection Rules > BIOC > + Add BIOC.
To block, you can add the BIOC rule via a Customer Prevention rule in the Restrictions Profile.
The Restriction profile allows you to apply custom made BIOC's that upon detection will be prevented by the agent, in case you are using the default profiles then no prevention will take place but the detection will happen if the BIOC rule is configured in your BIOC repository (preconfigured or custom made BIOCs).
Here is a walkthrough of the process Custom Prevention Rules| Palo Alto Networks
After testing is complete, to narrow the scope, consider applying this BIOC/Restrictions profile to endpoints via a policy applied to an endpoint group.
If you found this response helpful, please like and click Accept as Solution.
... View more