https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-block-excel-macros/m-p/536802#M3976 <P>Try to block threat events 39154.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Raido_Rattameister_0-1680016039109.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49067i10594A8CB32CF2BD/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Raido_Rattameister_0-1680016039109.png" alt="Raido_Rattameister_0-1680016039109.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Raido_Rattameister_1-1680016120230.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49068iAA77AB503FF306EE/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Raido_Rattameister_1-1680016120230.png" alt="Raido_Rattameister_1-1680016120230.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 28 Mar 2023 15:19:45 GMT Raido_Rattameister 2023-03-28T15:19:45Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-block-excel-macros/m-p/536778#M3974 <P>we have a new requirement we need to block&nbsp;&nbsp;&nbsp;Excel macros for specific groups of user&nbsp;<SPAN>&nbsp;anyone know how to block</SPAN></P> Tue, 28 Mar 2023 10:25:59 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-block-excel-macros/m-p/536778#M3974 RajeshPremSingh 2023-03-28T10:25:59Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-block-excel-macros/m-p/536802#M3976 <P>Try to block threat events 39154.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Raido_Rattameister_0-1680016039109.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49067i10594A8CB32CF2BD/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Raido_Rattameister_0-1680016039109.png" alt="Raido_Rattameister_0-1680016039109.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Raido_Rattameister_1-1680016120230.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49068iAA77AB503FF306EE/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Raido_Rattameister_1-1680016120230.png" alt="Raido_Rattameister_1-1680016120230.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 28 Mar 2023 15:19:45 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-block-excel-macros/m-p/536802#M3976 Raido_Rattameister 2023-03-28T15:19:45Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-block-excel-macros/m-p/536804#M3977 <P>Could you please tell me how to integrate the rule with Cortex XDR?</P> Tue, 28 Mar 2023 15:25:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-block-excel-macros/m-p/536804#M3977 RajeshPremSingh 2023-03-28T15:25:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-block-excel-macros/m-p/536809#M3980 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/262549">@RajeshPremSingh</a>&nbsp;, thank you for writing to Live Community.<SPAN>.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>You can create a new </SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-Malware-Security-Profile" target="_blank" rel="noopener"><SPAN>malware security profile </SPAN></A><SPAN>by going into Endpoints → policy management → add profile → choose OS → Malware →Office Files with Macros Examination (see screenshot attached). There, you can choose which action will be taken based on the policy you create.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mavraham_0-1680020337451.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49072iE0BDCDB9F1E3EFFF/image-size/medium?v=v2&amp;px=400" role="button" title="mavraham_0-1680020337451.png" alt="mavraham_0-1680020337451.png" /></span></P> <P>&nbsp;</P> <P><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>After creating the profile, the next step would be to </SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Endpoint-Data-Collection" target="_blank" rel="noopener"><SPAN>apply the new security profiles to endpoint</SPAN></A><SPAN>(s). </SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Go into Policy Management → Add Policy → Create New → Enter policy name and select platform → Select the malware profile you created (see screenshot for example) → click next to choose which endpoints it will apply to and confirm the action.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mavraham_1-1680020378021.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49073i5851A51F0D3CF196/image-size/medium?v=v2&amp;px=400" role="button" title="mavraham_1-1680020378021.png" alt="mavraham_1-1680020378021.png" /></span></P> <P>&nbsp;</P> <P><SPAN><BR /></SPAN><SPAN>I’ve attached links to our documentation about how to create new security profiles and apply them to endpoints in case you are looking for more information.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Hope this helps!</SPAN></P> Tue, 28 Mar 2023 16:35:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-block-excel-macros/m-p/536809#M3980 mavraham 2023-03-28T16:35:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-block-excel-macros/m-p/536876#M3983 <P>Hello,&nbsp;&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167148">@mavraham</a>&nbsp; Thanks for your Response,&nbsp;</P> <P>&nbsp;</P> <P>It's great help for us. We followed your mentioned steps. but it&nbsp;only blocks any malicious macros embedded in the office.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Excel Macros.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49089i2BF83570EF70BE70/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Excel Macros.png" alt="Excel Macros.png" /></span></P> <P>&nbsp;</P> <P>we need to block the start and stop macro options.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Macro Start.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49090i452BA313D5DDAC7F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Macro Start.png" alt="Macro Start.png" /></span></P> <P>&nbsp;</P> <P>If is this macro option block is possible? please let us know.</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 29 Mar 2023 07:30:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-block-excel-macros/m-p/536876#M3983 Thendral_Arasu 2023-03-29T07:30:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-block-excel-macros/m-p/537107#M3994 <P>Hi ThendralMandu,</P> <P>&nbsp;</P> <P>We do not support blocking this capability.&nbsp; Cortex XDR is designed to prevent malicious applications and behaviors from running on your endpoints, it is not designed to be an endpoint control application.</P> Thu, 30 Mar 2023 14:00:06 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-block-excel-macros/m-p/537107#M3994 afurze 2023-03-30T14:00:06Z