topic Re: Block especific Process and Folder/directory in Cortex XDR Discussions

Block especific Process and Folder/directory

Marcelo_Campos — Tue, 23 Feb 2021 02:20:46 GMT

Hello community,

In our company we have implemented Cortex XDR with Pro per endpoint and pro per terabyte licenses.

the incident response area asks me to verify the viability of applying the following preventive measures in cortex xdr

1st. Block the execution of a specific process by its name without having the hash.

2nd block writing and execution in specific directories. As well as blocking the creation of new folders with a specific name.

Is it possible to perform the previously indicated actions?

Stay tuned.

Best regards.

Re: Block especific Process and Folder/directory

gjenkins — Tue, 23 Feb 2021 23:44:04 GMT

Hi @Marcelo_Campos,

You should be able to accomplish both using Cortex XDR using the following instructions. On Windows devices, you can prevent the execution of a process by name or path by creating a rule in a restrictions profile and applying that to a policy. To enable, do the following:

Go to Endpoints > Policy Management > Profiles.
Click "New Profile."
Click "Windows" then "Restrictions."
Click "Next."
Give the profile a name.
Go to the "Executable Files" section.
Uncheck "Use Default (Disabled)."
Set the "Action Mode" to Block.
Add the files and folders in the "Block List" section.
Click "Create."
Finish by adding this Restrictions profile to the policy that applied to your target endpoints.

For endpoints that do not have Windows as an operating system, you can enable detection of a process using BIOC. Create a BIOC to monitor for a process with a specific name:

Go to Rules > BIOC.
Click "Add BIOC."
Click "Process."
Type your process name in the "Name" field.
Add any additional identifiers as needed.
Click "Save."
Monitor for BIOC alerts on the alerts table.

As for your second request, you can create a BIOC and convert it into an XDR Agent prevention rule for compatible endpoints by doing the following:

Go to Rules > BIOC.
Click "Add BIOC."
Click "File"
Type your process name in the "Name" field.
Type your directory in the "Path" field.
Add any additional identifiers as needed.
Click "Save."
Again, go to Rules > BIOC.
Right-click your newly-created BIOC rule.
Click "Add to restrictions profile."
Select the target compatible restrictions profile.
Click "Add"

Re: Block especific Process and Folder/directory

calroy — Thu, 04 Mar 2021 05:56:25 GMT

Hello @Marcelo_Campos

Cortex XDR™ Pro Administrator’s Guide - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoint-alerts/cortex-xdr-alerts