A BIOC rule is a custom detection rule that uses the Cortex Query Language (XQL) to define the
behavior or actions that indicate a potential threat. A BIOC rule query can use the xdr_data and
cloud_audit_log datasets and the presets built on those datasets. It can also use the filter stage,
the alter stage, and functions, but no aggregation stages. The query must return the single field
action_process_image_name, which is the image name of the suspicious process, and its filter stage
must include the event_type and event_sub_type fields to specify the type and sub-type of the event
that triggers the rule.
Option B is the correct answer because it meets all the requirements for a valid BIOC rule query. It
uses the xdr_data dataset, the filter stage, the event_type and event_sub_type fields, and the
action_process_image_name field with a regular expression that matches any process image name
ending in .pdf.exe or .docx.exe, double extensions commonly used to make an executable look like a
document.
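As an added illustration (not the exam's option B verbatim and not Palo Alto's own text), the following is a BIOC-style XQL query of the shape the explanation describes. The regular expression, the ENUM.PROCESS / ENUM.PROCESS_START values, and the use of lowercase() are this editor's assumptions about how such a rule would be written; check them against the XQL reference for your Cortex version.

```xql
// Added example of a BIOC rule query; regex and ENUM values are assumptions.
dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
// Windows file names are case-insensitive, so normalise before matching;
// otherwise "Invoice.PDF.EXE" would slip past a lowercase-only pattern.
| filter lowercase(action_process_image_name) ~= ".*\.(pdf|docx)\.exe$"
```

Note that only filter is used: no fields stage and no aggregation, which is what keeps the query eligible as a BIOC rule. The pattern deliberately anchors on the end of the image name, so a legitimate document such as report.docx does not match, while report.docx.exe does; a name that separates the fake extension from .exe with spaces or other characters would need a wider pattern.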
Option A is incorrect because it does not include the event_type field in the filter stage, which is
mandatory for a BIOC rule query.
Option C is incorrect because it does not include the event_type and event_sub_type fields in the
filter stage, and it uses the fields stage, which is not supported for a BIOC rule query. It also returns
the action_process_image field instead of action_process_image_name, which is the field a BIOC
rule query is expected to return.
Option D is incorrect because it uses the event_behavior field, which is not supported for a BIOC rule
query. It also does not include the event_type field in the filter stage, and it uses the event_sub_type
field incorrectly: event_sub_type should be compared with the PROCESS_START value
(ENUM.PROCESS_START in XQL), not with true.
Reference:
Working with BIOCs
Cortex Query Language (XQL) Reference