Free Preparation Discussions
MENU
Palo Alto Networks PCDRA Exam - Topic 1 Question 88 Discussion
Topic #: 1
To create a BIOC rule with XQL query you must at a minimum filter on which field in order for it to be a valid BIOC rule?
To create a BIOC rule with XQL query, you must at a minimum filter on theevent_typefield in order for it to be a valid BIOC rule. The event_type field indicates the type of event that triggered the alert, such as PROCESS, FILE, REGISTRY, NETWORK, or USER_ACCOUNT. Filtering on this field helps you narrow down the scope of your query and focus on the relevant events for your use case. Other fields, such as causality_chain, endpoint_name, threat_event, are optional and can be used to further refine your query or display additional information in the alert.Reference:
Palo Alto Networks Certified Detection and Remediation Analyst (PCDRA) Study Guide, page 9
Palo Alto Networks Cortex XDR Documentation, BIOC Rule Query Syntax
Currently there are no comments in this discussion, be the first to comment!