topic Re: Best way to restrict software by digital signer in Cortex XDR Discussions

Best way to restrict software by digital signer

Jason-Voice1 — Fri, 19 Apr 2024 07:48:36 GMT

hey guys, i'm not clear how to block the running (installing) of certain software using XDR by restricting by digital signer.

Is it possible to cerate a BIOC and apply to a restricted profile? If not, what would you say is the best way to go about this?

Our scenario is we'd like to block the use / installation of a certain piece of software, and I'm thinking that some sort of digital signer restriction might do this.

Thanks for any help in advance.

Re: Best way to restrict software by digital signer

jmazzeo — Fri, 19 Apr 2024 18:25:14 GMT

Hi @Jason-Voice1, thanks for reaching us using the Live Community.

Your approach using a custom BIOC is the correct one. The following screenshot is an example I have in our Lab, to block a signer execution and installation.

If this post answers your question, please mark it as the solution.

Re: Best way to restrict software by digital signer

E.Jafarov — Sat, 23 Nov 2024 07:32:15 GMT

Hi Jason-Voice1

You have to use XQL query based on singature. For example:

dataset = xdr_data |
filter event_type=ENUM.PROCESS |
filter (causality_actor_process_signature_vendor contains """Brave Software, Inc.""")