topic Re: Is it possible to block IOC from Cortex XDR? in Cortex XDR Discussions

Is it possible to block IOC from Cortex XDR?

hpatel11 — Fri, 12 Aug 2022 15:50:10 GMT

I'm trying to block domain across in our environment. I don't want to use url filtering on PA FW, but I want to use XDR IOC to block it. is possible to do it?

Re: Is it possible to block IOC from Cortex XDR?

afurze — Fri, 12 Aug 2022 15:40:37 GMT

Hi Hpatel11,

Unfortunately, no, it is not possible to block IOCs with Cortex XDR directly, the IOCs exist only on the XDR server and are not sent to the agents. If you are an XDR Pro per Endpoint or Pro per TB customer, you can set up External Dynamic Lists and have your NGFW subscribe to those lists to automatically update your firewall policy directly from XDR.

Re: Is it possible to block IOC from Cortex XDR?

hpatel11 — Fri, 12 Aug 2022 15:41:29 GMT

I figured. Thanks!

Re: Is it possible to block IOC from Cortex XDR?

eluis — Fri, 12 Aug 2022 15:48:13 GMT

Hi @hpatel11

if IOCs are hashes you can block them adding them to the block list

Then as Afurze mentioned you can add other IOCs or internet web-sites to the EDLs so you can block them on your FWs

Other indicators like malicious email senders can be added (by your own procedures) to email server black lists...

Think of other tools you might have at your organization in order to appropriately block all kinds of IOCs

I hope this helps,
Luis

Re: Is it possible to block IOC from Cortex XDR?

Cyber1985 — Fri, 12 Aug 2022 17:39:33 GMT

I did this in my poc(long time ago), I blocked like www.heise.de through BIOC with restriction rule.

When I surfed on this webpage the whole browser got closed.

If you want I can repeat it in my cortex xdr pro per endpoint Environment.

Re: Is it possible to block IOC from Cortex XDR?

hpatel11 — Fri, 12 Aug 2022 17:43:23 GMT

I checked on BIOC but don't see anything for Domain. I see that we can do by IP.

Re: Is it possible to block IOC from Cortex XDR?

Cyber1985 — Fri, 12 Aug 2022 17:52:39 GMT

Have you tried to take a network query to view which field the domain is called?

Re: Is it possible to block IOC from Cortex XDR?

hpatel11 — Fri, 12 Aug 2022 18:09:17 GMT

Got it it's called action_external_hostname Let me try to use this.

Re: Is it possible to block IOC from Cortex XDR?

hpatel11 — Fri, 12 Aug 2022 18:57:07 GMT

I was able to create BIOC but can't associate BIOC with prevention policy. It's not syntax issue because I was able to trigger alert on it.

Re: Is it possible to block IOC from Cortex XDR?

RFeyertag — Fri, 12 Aug 2022 19:14:04 GMT

I think you need to do this from BIOC perspective. Not from the alert/incident perspective.

Re: Is it possible to block IOC from Cortex XDR?

hpatel11 — Fri, 12 Aug 2022 19:16:34 GMT

This is only option that we got.

Re: Is it possible to block IOC from Cortex XDR?

RFeyertag — Fri, 12 Aug 2022 19:43:53 GMT

So the guys from PA are right. You can only prevent with BIOC the processes.

At the moment I cannot say why it worked at my POC. I remember, when I opened the page the whole browser went down.

Re: Is it possible to block IOC from Cortex XDR?

RFeyertag — Fri, 12 Aug 2022 19:46:09 GMT

and by the way, you can add process BIOCs through right clicking and add to restriction profile.

Re: Is it possible to block IOC from Cortex XDR?

neelrohit — Wed, 17 Aug 2022 07:41:16 GMT

@Cyber1985 , please be notified that it is a process activity using network connection to destinations for incoming, outgoing and failed connections only. There is still a possibility for raw packets which is not something can be blocked using Cortex XDR.

Additionally, the BIOC rule as resriction actually blocks your browser process action and repetitive actions like these can be risky leading to crashing of the application itself and you might have to reinstall the application again.

Re: Is it possible to block IOC from Cortex XDR?

RFeyertag — Wed, 17 Aug 2022 12:17:00 GMT

Thank you very much for this information! I can remember that in my test the complete browser was "closed" automaticly.

Re: Is it possible to block IOC from Cortex XDR?

nikoolayy1 — Tue, 22 Nov 2022 15:17:43 GMT

I renembered this discussion and in the future if the Palo Alto XDR host firewall can have rules based on DNS FQDN Domains not only IP addresses then this could be possible. Maybe check for Request For enhancment as this could be added as it does not seem so complex but for now as mentioned the option BIOC and to use EDL with your Palo Alto Firewalls or Prisma Access.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/hardened-endpoint-security/host-firewall

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-endpoint-security/host-firewall/host-firewall-for-windows