topic Re: Blocking Domain/URL in Cortex XDR Discussions

Blocking Domain/URL

Marsooq-Akkaradathil — Fri, 15 May 2020 07:29:57 GMT

Hi Team,

I know we can block IP addresses with new feature called host firewall,.Since the ip is dynamic , its not a good option for me. Is it possible to block url or domain in cortex xdr?

Re: Blocking Domain/URL

dfalcon — Tue, 19 May 2020 03:48:02 GMT

Hi @Marsooq-Akkaradathil -

The current version of the product can only block an IP Address. You can, create an IOC that will alert on this. If you use XSOAR, you could also action on the IOC.

Re: Blocking Domain/URL

NikolayDimitrov — Mon, 24 Jan 2022 10:47:27 GMT

Great thank you! Hope they add the new feature to block also domains if not URL with the host firewall. Till then if the customer also has Palo Alto firewalls maybe this is an option for the Cortex XDR to generate EDL lists that the Palo Alto firewall (Palo Alto Firewall and Cortex XDR integration) can consume:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/response-actions/manage-external-dynamic-lists.html

Also it is good to enable the firewalls access to the Cortex XDR and for the firewall to send its logs to the Cortex Data Lake so the Cortex XDR can see the network taffic:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/get-started-with-cortex-xdr-prevent/set-up-endpoint-protection/enable-access-to-cortex-xdr.html

https://www.paloaltonetworks.com/blog/2020/03/cortex-busted-by-cortex-xdr/