topic Re: URL & Application level blocking possibilities in Cortex XDR. in Cortex XDR Discussions

URL & Application level blocking possibilities in Cortex XDR.

Aneesh — Fri, 22 Mar 2024 06:04:56 GMT

Hi All,

Hope you all are doing good.

Can anyone help me to understand the possibilities of url and application-level blocking in XDR?

Following are my scenarios,

1. Blocking of URLs in XDR.

2. Blocking of execution/installation of specific applications in XDR.

3. Blocking of applications running without installation.(eg. anydesk application running directly by double clicking the .exe file).

Support will be very much appreciated.

Aneesh

Re: URL & Application level blocking possibilities in Cortex XDR.

aspatil — Tue, 26 Mar 2024 07:53:52 GMT

Hello @Aneesh ,

Thanks for reaching out on LiveCommunity!

For URL blocking you can take the help of EDL blocking:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-External-Dynamic-Lists

For point 2 and three you can configure a custom prevention rule for a BIOC Process event, apply it to the Restrictions profile with an action mode set to Block.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-a-BIOC-Rule

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Re: URL & Application level blocking possibilities in Cortex XDR.

ycgmis — Fri, 13 Dec 2024 16:39:03 GMT

This is just pointing a firewall to an EDL that's managed in the cortex tenant. What if the user takes their laptop home and is no longer behind the corporate firewall? Is there a method of blocking access to a URL by cortex XDR itself?

Re: URL & Application level blocking possibilities in Cortex XDR.

maximk — Sat, 14 Dec 2024 23:35:26 GMT

Indeed, EDL can't be helpful without firewall. All the mentioned restrictions can be achieved using BIOC rules assigned to restriction profile.

Example of BIOC for blocking URL:

dataset = xdr_data

| filter event_type = ENUM.NETWORK and action_external_hostname in ("facebook.com", "instagram.com", "linkedin.com", "x.com")

Re: URL & Application level blocking possibilities in Cortex XDR.

maximk — Tue, 04 Feb 2025 11:38:39 GMT

Unfortunately for some reason the proposed BIOC can't be assigned to restriction profile.

Re: URL & Application level blocking possibilities in Cortex XDR.

jmazzeo — Tue, 04 Feb 2025 19:42:09 GMT

To configure a BIOC rule as a prevention rule:

In the BIOC Rule table, from the Source field, filter and locate a user-defined rule you want to apply as a custom prevention rule. You can only apply a BIOC rule that you created either from scratch or a Cortex XDR global rule template that meets the following criteria.
- The user-defined BIOC rule does not include the following field configurations.
  - All Events—Host Name
  - File Event—Device Type, Device Serial Number
  - Process Event—Device Type, Device Serial Number
  - Network Event—Country, Raw Packet
- BIOC rules with OS scope definitions must align with the Restrictions profile OS.
- When defining the Process criteria for a user-defined BIOC rule event type, you can select to run only on actor, causality, and OS actor on Windows, and causality and OS actor on Linux and Mac.
From the doc: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Create-a-BIOC-rule