<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: using XDR to block older versions of an application in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-to-block-older-versions-of-an-application/m-p/542111#M4349</link>
    <description>&lt;P&gt;How about using a BIOC where the filename and path match but the hashes don't match? The hashes in the list should be the ones approved for use, and the condition should be "!=". Essentially, that'd pinpoint all executions where the filename and path match but the approved hashes won't be detected. The allowed list of hashes is known to you, finite and is updated on a periodic basis based on your organization's compliance requirement.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Here's a sample BIOC based on a &lt;A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-especific-process-and-folder-directory/m-p/387259#M566" target="_blank"&gt;previously accepted solution (see answer to 2nd request)&lt;/A&gt;: Make the changes in the BIOC definition to meet your requirements. When you click "Test", you should be able to see the events that are detected by the BIOC.&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bbarmanroy_0-1684119671790.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50164i3A8948A82810CEE9/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="bbarmanroy_0-1684119671790.png" alt="bbarmanroy_0-1684119671790.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;You can append additional hashes by separating them with a "|" sign (&lt;A href="https://www.compart.com/en/unicode/U+007C" target="_blank"&gt;unicode here&lt;/A&gt;).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Add the finalized BIOC to a restrictions profile. That should do the trick.&lt;/P&gt;</description>
    <pubDate>Mon, 15 May 2023 03:06:09 GMT</pubDate>
    <dc:creator>bbarmanroy</dc:creator>
    <dc:date>2023-05-15T03:06:09Z</dc:date>
    <item>
      <title>using XDR to block older versions of an application</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-to-block-older-versions-of-an-application/m-p/541926#M4324</link>
      <description>&lt;P&gt;I'm attempting to use XDR to block older versions of an application, and only allow the few latest releases. There are hundreds of older versions of this application, so blocking each one by hash is not really an option. Also, the application's install path and process executable have the same name with every version, so blocking by path or executable name is not an option. I've been trying to create either a process BIOC to block the installed exes of the older versions or a file BIOC to prevent the installer of the older versions from running, but I'm fairly new to XDR and XQL so I haven't had luck getting either one to work properly. Anyone have any experience with a task like this or a good reference to use for assistance?&lt;/P&gt;</description>
      <pubDate>Thu, 11 May 2023 21:24:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-to-block-older-versions-of-an-application/m-p/541926#M4324</guid>
      <dc:creator>bjchappell</dc:creator>
      <dc:date>2023-05-11T21:24:33Z</dc:date>
    </item>
    <item>
      <title>Re: using XDR to block older versions of an application</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-to-block-older-versions-of-an-application/m-p/542078#M4343</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/274096"&gt;@bjchappell&lt;/a&gt;&amp;nbsp;and thank you for writing to Live Community.&lt;BR /&gt;&lt;BR /&gt;Since you mentioned hundreds of older versions of this app, but you want to enable only a select few, have you considered tackling this from a different perspective?&lt;BR /&gt;&lt;BR /&gt;You can try blocking all versions of the application using a&amp;nbsp;&lt;A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-New-Restrictions-Security-Profile" target="_self"&gt;prevention profile&lt;/A&gt; and only &lt;A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Action-Center" target="_self"&gt;allow-list&lt;/A&gt; the last few versions by hash. Of course, this also means you will have to keep the allow-list up to date whenever a new version is released.&lt;BR /&gt;&lt;BR /&gt;Hope this helps!&lt;/P&gt;</description>
      <pubDate>Sun, 14 May 2023 11:58:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-to-block-older-versions-of-an-application/m-p/542078#M4343</guid>
      <dc:creator>mavraham</dc:creator>
      <dc:date>2023-05-14T11:58:41Z</dc:date>
    </item>
    <item>
      <title>Re: using XDR to block older versions of an application</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-to-block-older-versions-of-an-application/m-p/542111#M4349</link>
      <description>&lt;P&gt;How about using a BIOC where the filename and path match but the hashes don't match? The hashes in the list should be the ones approved for use, and the condition should be "!=". Essentially, that'd pinpoint all executions where the filename and path match but the approved hashes won't be detected. The allowed list of hashes is known to you, finite and is updated on a periodic basis based on your organization's compliance requirement.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Here's a sample BIOC based on a &lt;A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-especific-process-and-folder-directory/m-p/387259#M566" target="_blank"&gt;previously accepted solution (see answer to 2nd request)&lt;/A&gt;: Make the changes in the BIOC definition to meet your requirements. When you click "Test", you should be able to see the events that are detected by the BIOC.&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bbarmanroy_0-1684119671790.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50164i3A8948A82810CEE9/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="bbarmanroy_0-1684119671790.png" alt="bbarmanroy_0-1684119671790.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;You can append additional hashes by separating them with a "|" sign (&lt;A href="https://www.compart.com/en/unicode/U+007C" target="_blank"&gt;unicode here&lt;/A&gt;).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Add the finalized BIOC to a restrictions profile. That should do the trick.&lt;/P&gt;</description>
      <pubDate>Mon, 15 May 2023 03:06:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/using-xdr-to-block-older-versions-of-an-application/m-p/542111#M4349</guid>
      <dc:creator>bbarmanroy</dc:creator>
      <dc:date>2023-05-15T03:06:09Z</dc:date>
    </item>
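Both replies above reduce to the same predicate: an execution whose filename and path match the application but whose SHA-256 is not on the short approved list. The following is an added example, not code from the thread or from Palo Alto Networks, that evaluates that predicate over constructed process-start events, emits the "|"-joined hash value for the BIOC, and builds an equivalent XQL hunt for the "Test" step. The application path, the placeholder digests, the event dictionaries and the host names are all made up; the xdr_data field names and the doubled backslashes in the XQL string literal are how the author recalls them and should be checked in the XQL editor before use.

```python
"""
Added example (not from the forum thread): the "path matches, hash is not
approved" predicate from the answers above, evaluated over constructed
process-start events, plus helpers that emit the pipe-separated hash list
for the BIOC and an equivalent XQL hunt query.
"""
import hashlib
import ntpath

# Constructed allow-list: SHA-256 values of the few approved releases.
# In practice compute these from the vendor's signed binaries with
# sha256_of_file() and re-run whenever a new release is approved.
APPROVED_SHA256 = {
    "a" * 64,   # placeholder digest standing in for an approved release
    "b" * 64,   # placeholder digest standing in for another approved release
}

# Constructed target: every version installs to the same path with the same
# executable name, so path alone cannot tell old from new.
TARGET_PATH = r"C:\Program Files\ExampleApp\exampleapp.exe"


def sha256_of_file(path: str) -> str:
    """Lowercase hex SHA-256 of a file, used to populate APPROVED_SHA256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def is_unapproved_version(event: dict) -> bool:
    """The BIOC predicate: same filename and path as the target, but a hash
    that is not in the approved set.

    Windows paths are case-insensitive, so normalise before comparing; hashes
    are compared lowercase. An event with no hash (file unreadable when the
    event was recorded) is treated as unapproved so it is surfaced rather
    than silently passed.
    """
    path = ntpath.normcase(event.get("image_path", ""))
    if path != ntpath.normcase(TARGET_PATH):
        return False   # a different binary; out of scope for this rule
    digest = (event.get("image_sha256") or "").lower()
    return digest not in APPROVED_SHA256


def bioc_hash_list(hashes) -> str:
    """Format approved hashes the way the answer above pastes them into the
    BIOC value field: joined with '|' (U+007C)."""
    return "|".join(sorted(h.lower() for h in hashes))


def xql_hunt_query(hashes) -> str:
    """Equivalent XQL search over xdr_data to test the predicate before
    turning it into a BIOC. Field names and the doubled backslashes in the
    path literal are assumptions to verify in your tenant's schema."""
    quoted = ", ".join(f'"{h.lower()}"' for h in sorted(hashes))
    escaped_path = TARGET_PATH.replace("\\", "\\\\")
    return (
        "dataset = xdr_data\n"
        "| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START\n"
        f'| filter action_process_image_path = "{escaped_path}"\n'
        f"| filter action_process_image_sha256 not in ({quoted})\n"
        "| fields agent_hostname, action_process_image_path, "
        "action_process_image_sha256, action_process_image_command_line"
    )


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image_path": TARGET_PATH, "image_sha256": "A" * 64},            # approved, hash case differs
    {"host": "ws02", "image_path": TARGET_PATH, "image_sha256": "c" * 64},            # old version
    {"host": "ws03", "image_path": TARGET_PATH.lower(), "image_sha256": "d" * 64},    # old version, path case differs
    {"host": "ws04", "image_path": r"C:\Tools\other.exe", "image_sha256": "c" * 64},  # different binary
    {"host": "ws05", "image_path": TARGET_PATH, "image_sha256": None},                # hash missing
]


def flagged_hosts(events) -> list:
    """Hosts on which an unapproved version of the target executed."""
    return [e["host"] for e in events if is_unapproved_version(e)]


if __name__ == "__main__":
    print("Flagged:", flagged_hosts(SAMPLE_EVENTS))
    print("BIOC hash value:", bioc_hash_list(APPROVED_SHA256))
    print(xql_hunt_query(APPROVED_SHA256))
```

Run the XQL hunt first and confirm it returns only hosts you expect (ws02, ws03 and ws05 in the constructed sample); only then move the same condition into the BIOC and attach it to a restrictions profile as the answer describes. Whichever of the two approaches you pick, regenerating the hash list has to become part of the application's release process, or the next approved version will be blocked on day one.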
  </channel>
</rss>

