topic Re: Block List not working in Cortex XDR Discussions

Block List not working

Oriavs — Tue, 23 Aug 2022 13:58:09 GMT

hey,

just for testing I created python file and extract the hash. after that added the hash to the "Block List".

click on "check-it now", run the python file and nothing happened!.

someone know what could be the problem?

thanks 🙂

First pic - the rule.

Sec pic- the hash

Third pic - the prove about non block file. (the python script himself)

Re: Block List not working

bbucao — Tue, 23 Aug 2022 14:15:26 GMT

Hi Oriavs,

The reason this is not working is .py files are not supported for the hash block/allow lists. See the documentation here for supported file types by operating system for this functionality.

Thanks,
Ben

Re: Block List not working

afurze — Tue, 23 Aug 2022 14:34:40 GMT

Bbucao is correct, what is executing is not the .py file, but the python interpreter, so you can't blacklist a python script directly.

Re: Block List not working

Oriavs — Tue, 23 Aug 2022 16:44:19 GMT

@afurze @bbucao ,
thanks for answer.

so, how can I block python (or other file type that is not PE) file? or even remove him with cortex?
I'm ask bc I have list of hundreds hashes, and I don't know the type of them.

thanks again!

Re: Block List not working

bbucao — Tue, 23 Aug 2022 17:03:15 GMT

Hi Oriavs,

I imagine these hashes came from some type of threat intel feed? If that is the case and you want to leverage them in Cortex XDR I recommend creating IOC rules by navigating to Detection Rules > IOC > + Add IOC, then you can select to create these rules individually for each hash, or upload via a file. When these rules are created, Cortex XDR will alert anytime these hashes are seen in your logs. Now to be clear, this will not block anything, but will alert you if one of these hashes is seen so you can investigate the traffic. If you are just wanting to search for and remove files based on hash, you can use the File Search and Destroy feature if you have the "Host Insights" add-on license.

Re: Block List not working

Oriavs — Wed, 24 Aug 2022 05:59:01 GMT

Hi, and thanks Ben.

there is way to block IOCs?

bc alert doesn't help me, in case of attack I don't need to know about it, I need to block it.

Re: Block List not working

bbucao — Wed, 24 Aug 2022 13:22:57 GMT

Hi Oriavs,

As data is streamed into the XDR cloud tenant from your XDR agents or other sources, the IOC rules are applied against that data to identify any matches. Since this is happening in the cloud versus at the agent there is no ability to perform blocking actions on IOC rules.

Cortex XDR uses a multi-method approach to stop both known and unknown threats including behavioral prevention and malware sandboxing which look at the actual behavior a file creates on a system. This is inherently more reliable then tracking static IOC's because one of the easiest things a threat actor can do is change a file hash which makes that IOC useless. It is much harder for the threat actor to change the overall behavior of their malware, or their Tactics Techniques and Procedures. Because of how easy it is to change a files hash, or file name, or change an IP address, static IOC's are known to have a very short shelf life before they become irrelevant compared to more modern and advanced detection methods. I find IOC's are most beneficial in a real-time use-case, where I am responding to an active threat and am pulling these IOC's from the identified malicious traffic in my network, then adding them as rules into Cortex XDR to help identify the scope of the Incident. You can view a list of the endpoint protection modules Cortex XDR leverages here.

Best Regards,

Ben

Re: Block List not working

Oriavs — Wed, 24 Aug 2022 13:43:57 GMT

Thanks about the answer.

I know behavior is much better then hashes.

But still, why I should care about who many hashes in the block list?

I have very good sources to receive hashes when attacker release payload to the big world, so why not?

why Palo Alto don't give me the option to block any type of file?

thanks again.

Re: Block List not working

WSeldenIII — Wed, 24 Aug 2022 19:48:46 GMT

Hi @Oriavs

If I am following this threat correctly, then you are looking for a way to block file exception based on file hash. You can add sha-256 hashes to the block list within the action center. This workflow is documented in the Manage File Execution tech. doc.