https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-efsrpc/m-p/550119#M4803 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/130057">@Kyle_Begle</a>&nbsp;<BR /><BR />Just to add while looking into the activity that caused the alert you can "Debug alert" to see the interesting fields which can be used for creating BIOC and then you <SPAN>can configure BIOC rules as&nbsp;</SPAN><SPAN class="proto-highlight">custom</SPAN><SPAN>&nbsp;</SPAN><SPAN class="proto-highlight">prevention</SPAN><SPAN>&nbsp;rules and incorporate them with your Restrictions profiles as shared above by <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/232716">@anlynch</a>&nbsp;.<BR />Screenshot for reference:</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PiyushKohli_0-1689822671748.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51811iA4EA38D813344BDC/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="PiyushKohli_0-1689822671748.png" alt="PiyushKohli_0-1689822671748.png" /></span></P> <P>Ref:&nbsp;<BR /><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Working-with-BIOCs" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Working-with-BIOCs</A>&nbsp;</P> <P>&nbsp;</P> <P>Thanks</P> Thu, 20 Jul 2023 03:12:11 GMT PiyushKohli 2023-07-20T03:12:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-efsrpc/m-p/550034#M4794 <P>In the <A href="https://live.paloaltonetworks.com/t5/cortex-xdr-articles/content-release-notes/ta-p/257570" target="_blank" rel="noopener">7/17 content release notes</A>, improvements have been made to "Suspicious Encrypting File System Remote call (EFSRPC) to domain controller' generated by XDR Analytics BIOC detected on 2 hosts."</P> <P><BR />By default, the action for this is to detect/alert. I would like to change this to block. Does anyone know how to accomplish this? Better yet, what is the best way to determine which cortex settings/policies apply to a specific Incident? Is there some master list of Incident types and respective settings?</P> <P><BR />I looked through Prevention Profiles and could not find a setting that makes sense for the EFSRPC alert. Thanks in advance for any help you can provide.</P> Wed, 19 Jul 2023 16:01:46 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-efsrpc/m-p/550034#M4794 Kyle_Begle 2023-07-19T16:01:46Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-efsrpc/m-p/550061#M4799 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/130057">@Kyle_Begle</a>,</P> <P>&nbsp;</P> <P>Thanks for reaching out on LIVEcommunity!</P> <P>&nbsp;</P> <P>In regards to the rule you're mentioning it is an analytics BIOC.&nbsp; This means there is not block functionality associated with it.&nbsp; Analytics BIOCs are not produced in real time and therefore cannot block. Please take a look at the <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics-Concepts" target="_self">Analytics Concepts.</A>&nbsp;for a better understanding of how analytics work.&nbsp; Essentially it's looking at a lot of different factors after the event to determine the larger picture.</P> <P>&nbsp;</P> <P>By looking into the activity that caused the alert you may be able to find similarities you can use to create a high fidelity BIOC which can be used to block unwanted activity in your environment.</P> <P>&nbsp;</P> <P>I hope you find this information helpful.&nbsp; Have a great day!</P> Wed, 19 Jul 2023 20:17:00 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-efsrpc/m-p/550061#M4799 anlynch 2023-07-19T20:17:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-efsrpc/m-p/550119#M4803 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/130057">@Kyle_Begle</a>&nbsp;<BR /><BR />Just to add while looking into the activity that caused the alert you can "Debug alert" to see the interesting fields which can be used for creating BIOC and then you <SPAN>can configure BIOC rules as&nbsp;</SPAN><SPAN class="proto-highlight">custom</SPAN><SPAN>&nbsp;</SPAN><SPAN class="proto-highlight">prevention</SPAN><SPAN>&nbsp;rules and incorporate them with your Restrictions profiles as shared above by <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/232716">@anlynch</a>&nbsp;.<BR />Screenshot for reference:</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PiyushKohli_0-1689822671748.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51811iA4EA38D813344BDC/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="PiyushKohli_0-1689822671748.png" alt="PiyushKohli_0-1689822671748.png" /></span></P> <P>Ref:&nbsp;<BR /><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Working-with-BIOCs" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Working-with-BIOCs</A>&nbsp;</P> <P>&nbsp;</P> <P>Thanks</P> Thu, 20 Jul 2023 03:12:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-efsrpc/m-p/550119#M4803 PiyushKohli 2023-07-20T03:12:11Z