To create a BIOC rule with XQL query you must at a minimum filter on which field in order for it to be a valid BIOC rule?
To create a BIOC rule from an XQL query, the query must at a minimum filter on the 'event_type' field. The event type (process, file, registry, network, and so on) is what a BIOC rule is evaluated against, so Cortex XDR will not accept the query as a BIOC rule unless event_type is explicitly filtered; the query must also run against the xdr_data dataset. Additional filters on action_* fields then narrow the rule to the behavior of interest.
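As an added illustration (not from the study guide or the Cortex XDR documentation), the pair of queries below shows the difference between a query that Cortex XDR rejects as a BIOC rule and one that it accepts. The field names are standard xdr_data fields; the specific process name and command-line fragment are constructed for the example and are not a recommended detection.

```xql
// Rejected as a BIOC rule: no event_type filter, so the rule has no event type to bind to
dataset = xdr_data
| filter action_process_image_name = "certutil.exe"
    and action_process_image_command_line contains "-urlcache"

// Accepted as a BIOC rule: event_type is filtered, then the behavior is narrowed with action_* fields
dataset = xdr_data
| filter event_type = ENUM.PROCESS
    and event_sub_type = ENUM.PROCESS_START
    and action_process_image_name = "certutil.exe"
    and action_process_image_command_line contains "-urlcache"
```

Run the second query in the Query Builder first and confirm it returns the expected process-start events before saving it as a BIOC rule; any extra stages beyond the single filter (joins, aggregation, functions) will also cause the save to fail.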
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcdra-study-guide.pdf pg 74.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-a-BIOC-Rule