topic Re: [Cortex] How to Block Multiple C2 IP Addresses Using Cortex XDR in Cortex XDR Discussions

[Cortex] How to Block Multiple C2 IP Addresses Using Cortex XDR

S.Lin576639 — Mon, 28 Apr 2025 08:27:07 GMT

Dear Everyone,

My customer has a requirement: they would like the Cortex XDR Agent to detect and block multiple specified C2 IP addresses.
I would like to ask if anyone has encountered a similar case or has any relevant experience to share.

Currently, I am aware that this can be achieved by configuring Host Firewall Rules, which fulfills the requirement.
Additionally, I have tried using a BIOC Rule to detect and block the specified IP addresses. However, I found that even though detection works, it cannot be directly added to the Restrictions Profile for blocking.

Any suggestions or alternative approaches would be greatly appreciated.
Thank you!

Re: [Cortex] How to Block Multiple C2 IP Addresses Using Cortex XDR

aspatil — Mon, 28 Apr 2025 09:48:34 GMT

Hello @S.Lin576639 ,

Alternative approach here is to use EDL:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-External-Dynamic-Lists

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

Re: [Cortex] How to Block Multiple C2 IP Addresses Using Cortex XDR

S.Lin576639 — Mon, 28 Apr 2025 10:19:59 GMT

Dear @aspatil ,

EDL is provided by Cortex to the PA firewall as one of the ways to share blocked IPs or domains, right? Is it possible for the agent to block directly through EDL? Please let me know if I misunderstood anything. Thank you

Re: [Cortex] How to Block Multiple C2 IP Addresses Using Cortex XDR

aspatil — Mon, 28 Apr 2025 12:13:24 GMT

EDLs: Used by Palo Alto Networks firewalls for network-level blocking
Cortex XDR Agent: Does not consume EDLs directly but can block IPs via host firewall rules and detect threats using BIOC rules.
Domain/URL Blocking: Requires integration with firewalls, as the agent doesn't support this natively.

Re: [Cortex] How to Block Multiple C2 IP Addresses Using Cortex XDR

S.Lin576639 — Tue, 29 Apr 2025 02:30:23 GMT

Dear @aspatil,

Thanks for the reply, I know user can block IP address via HostFirewall, how would you recommend setting up the BIOC Rule?

As mentioned earlier, I have tried to create BIOC Rule but it cannot added to the Restrictions Profile, rule details are provided below:

Thanks.

Re: [Cortex] How to Block Multiple C2 IP Addresses Using Cortex XDR

SeanDeHarris — Tue, 29 Apr 2025 03:26:13 GMT

Using "Network" instead of "Network Connection" when creating BIOC rules, then you should add this to restriction profile respectively.

Re: [Cortex] How to Block Multiple C2 IP Addresses Using Cortex XDR

S.Lin576639 — Fri, 02 May 2025 08:52:10 GMT

Dear @SeanDeHarris ,

Thanks for your reply, I used “Network” to recreate the BIOC rules, but it still can't add the restriction profile.

Bioc rule detail：

Network [ action type = all AND remote ip = 14.139.185.60 ]

In addition, User connects to a specific C2 IP by pinging, but I observed it through “Network” and “Network Connection” respectively, and found that the connection record is only found in “Network Connection”.

Please refer to the attached photos for the above screenshots.