https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/simulating-quot-respond-to-malicious-causality-chain-quot/m-p/551662#M4859 <P>Hello there,</P> <P>&nbsp;</P> <P>As the title suggests, we are looking for a test we can simulate the behavior (have kali / attacker / victim test environment).&nbsp;</P> <P>Any suggestions?</P> <P>&nbsp;</P> <P>Thanks</P> Sat, 29 Jul 2023 08:25:08 GMT OnurOnoglu 2023-07-29T08:25:08Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/simulating-quot-respond-to-malicious-causality-chain-quot/m-p/551662#M4859 <P>Hello there,</P> <P>&nbsp;</P> <P>As the title suggests, we are looking for a test we can simulate the behavior (have kali / attacker / victim test environment).&nbsp;</P> <P>Any suggestions?</P> <P>&nbsp;</P> <P>Thanks</P> Sat, 29 Jul 2023 08:25:08 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/simulating-quot-respond-to-malicious-causality-chain-quot/m-p/551662#M4859 OnurOnoglu 2023-07-29T08:25:08Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/simulating-quot-respond-to-malicious-causality-chain-quot/m-p/552037#M4877 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/159531">@OnurOnoglu</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out to us!</P> <P>With&nbsp;"Respond to malicious casualty chain" feature enabled Cortex XDR agent identifies a remote network connection that attempts&nbsp;<SPAN><SPAN class="proto-highlight">to</SPAN>&nbsp;perform&nbsp;<SPAN class="proto-highlight">malicious</SPAN>&nbsp;</SPAN><SPAN>activity—such&nbsp;as&nbsp;encrypting&nbsp;endpoint&nbsp;files. The agent then can automatically block the IP address to close&nbsp;all&nbsp;existing&nbsp;communication&nbsp;and&nbsp;block&nbsp;new&nbsp;connections&nbsp;from&nbsp;this&nbsp;IP&nbsp;address&nbsp;<SPAN class="proto-highlight">to</SPAN>&nbsp;the&nbsp;endpoint.&nbsp;When&nbsp;</SPAN><SPAN class="phrase">Cortex XDR&nbsp;</SPAN><SPAN>blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. You can view the list of all blocked IP addresses per endpoint from the&nbsp;</SPAN><SPAN class="guilabel">Action Center</SPAN><SPAN>, as well as unblock them to re-enable communication as appropriate.</SPAN></P> <P>Unfortunately we cannot share any such script or test to simulate such behaviour because this involves a remote host to simulate attack which go through your network and may create other problems for you.&nbsp;</P> <P>&nbsp;</P> Tue, 01 Aug 2023 10:56:39 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/simulating-quot-respond-to-malicious-causality-chain-quot/m-p/552037#M4877 nsinghvirk 2023-08-01T10:56:39Z