<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Blocking connections to malicious IP address? in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-connections-to-malicious-ip-address/m-p/617834#M7425</link>
    <description>&lt;P&gt;Hello,&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have a question. I have Cortex XDR agents installed on my endpoints. I just recently also installed Forti Analyzer and it detected some potential malicious IP addresses that my endpoints have connections to. I wonder why Cortex XDR cannot detect and block connections to these malicious IP addresses. Some of these malicious IPs are&amp;nbsp;139.45.197.252, 139.45.197.227,&amp;nbsp;139.45.197.151,&amp;nbsp;139.45.197.236.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Note: All my profiles are in block mode and nothing is in the allow/block list.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 14 Nov 2024 20:23:48 GMT</pubDate>
    <dc:creator>JahidAliyev</dc:creator>
    <dc:date>2024-11-14T20:23:48Z</dc:date>
    <item>
      <title>Blocking connections to malicious IP address?</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-connections-to-malicious-ip-address/m-p/617834#M7425</link>
      <description>&lt;P&gt;Hello,&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have a question. I have Cortex XDR agents installed on my endpoints. I just recently also installed Forti Analyzer and it detected some potential malicious IP addresses that my endpoints have connections to. I wonder why Cortex XDR cannot detect and block connections to these malicious IP addresses. Some of these malicious IPs are&amp;nbsp;139.45.197.252, 139.45.197.227,&amp;nbsp;139.45.197.151,&amp;nbsp;139.45.197.236.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Note: All my profiles are in block mode and nothing is in the allow/block list.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2024 20:23:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-connections-to-malicious-ip-address/m-p/617834#M7425</guid>
      <dc:creator>JahidAliyev</dc:creator>
      <dc:date>2024-11-14T20:23:48Z</dc:date>
    </item>
    <item>
      <title>Re: Blocking connections to malicious IP address?</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-connections-to-malicious-ip-address/m-p/620417#M7429</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/274228"&gt;@JahidAliyev&lt;/a&gt;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Thanks for your query on LC!&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Basically,&amp;nbsp;Cortex XDR will not monitor the network traffic; it will block if any malicious activity occurs on the endpoint with any process execution.&lt;BR /&gt;When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files—the agent can automatically block the IP address to close all existing communication and block new connections from this IP address to the endpoint.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;So,&amp;nbsp;&lt;SPAN&gt;the Cortex XDR agent does not block connection attempts to remote addresses if the connection does not yield further activity, i.e. if no malicious activity was initiated due to this connection. If the connection to that remote address had executed any harmful activity, the XDR agent should have prevented it before it caused any damage.&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;Based on the above facts, I think it's worth investigating this activity and the endpoint from which the traffic is being initiated to see if there are any anomalies, and also checking the firewall.&lt;BR /&gt;&lt;BR /&gt;Give it a like or mark this response as a solution if this added value to your question.&lt;BR /&gt;&lt;BR /&gt;Best,&lt;BR /&gt;Naveen&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Sat, 16 Nov 2024 07:27:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/blocking-connections-to-malicious-ip-address/m-p/620417#M7429</guid>
      <dc:creator>nar</dc:creator>
      <dc:date>2024-11-16T07:27:09Z</dc:date>
    </item>
  </channel>
</rss>

