When creating a BIOC rule, which XQL query can be used?
When creating a BIOC rule, it is important to filter the event type and subtype accurately to ensure precise matching of events. The correct XQL query uses filters on both event_type and event_sub_type to narrow down the events accordingly. The given option correctly filters for PROCESS type events with a specific subtype (PROCESS_START) and checks if the action_process_image_name matches the given regular expression pattern.
Correct answer is: B. A: missing event_type; C: wrong action_process_image; D: wrong event_behaviour.
Correct answer is: B "The XQL query must at a minimum filter on the event_type field in order for it to be a valid BIOC rule."