https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-function/m-p/428105#M979 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/191261">@Muhammad-Rusli</a>,&nbsp;&nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators.html" target="_self">XDR Indicator rules</A> (E.g. BIOC and IOC) are detection rules; therefore, they do not include prevention functionality. These rules will create a detection alert once the criteria has been met.&nbsp;<SPAN>You could also create a BIOC rule based on specific behavior and&nbsp;</SPAN><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-biocs/create-a-bioc-rule.html#:~:text=your%20BIOC%20rule.-,Configure%20a%20Custom%20Prevention%20Rule,-Custom%20prevention%20rules" target="_self" rel="nofollow noopener noreferrer">add that BIOC to a Restriction profile</A>. The situation that you described sounds like a use-case to <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/response-actions/manage-external-dynamic-lists" target="_self">manage external dynamic lists</A>.&nbsp; Please note, there are some requirements that need to be met in order to leverage this feature:&nbsp;</P><P>&nbsp;</P><DIV class="p"><DIV>To maintain an EDL in Cortex XDR, you must meet the following requirements:</DIV></DIV><DIV><UL><LI><DIV><DIV class="p"><DIV>Cortex XDR Pro per TB or Cortex Pro per Endpoint license</DIV></DIV></DIV></LI><LI><DIV><DIV class="p"><DIV>An<SPAN> App Administrator,&nbsp;Privileged Investigator, or&nbsp;Privileged Security Admin&nbsp;</SPAN>role which include EDL permissions</DIV></DIV></DIV></LI><LI><DIV><DIV class="p"><DIV>Palo Alto Networks firewall running PAN-OS 9.0 or a later release</DIV></DIV></DIV></LI><LI><DIV><DIV class="p"><DIV>Access to your Palo Alto Networks firewall configuration</DIV></DIV></DIV></LI></UL></DIV> Fri, 20 Aug 2021 14:41:13 GMT WSeldenIII 2021-08-20T14:41:13Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-function/m-p/427954#M974 <P>Hi Everyone,</P><P>&nbsp;</P><P>Until now, I cant understood a function from IOC in Cortex XDR.</P><P>Could please share to me what's a main function IOC XDR?</P><P>Because I have tried to create new rules, for block link m.facebook , like a picture.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MuhammadRusli_0-1629424930850.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35802iAB0055BEF6570153/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MuhammadRusli_0-1629424930850.png" alt="MuhammadRusli_0-1629424930850.png" /></span></P><P>&nbsp;</P><P>But, after that I have tried to access again, and the result I keep can access the URL.</P> Fri, 20 Aug 2021 02:03:12 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-function/m-p/427954#M974 Muhammad-Rusli 2021-08-20T02:03:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-function/m-p/428105#M979 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/191261">@Muhammad-Rusli</a>,&nbsp;&nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators.html" target="_self">XDR Indicator rules</A> (E.g. BIOC and IOC) are detection rules; therefore, they do not include prevention functionality. These rules will create a detection alert once the criteria has been met.&nbsp;<SPAN>You could also create a BIOC rule based on specific behavior and&nbsp;</SPAN><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-biocs/create-a-bioc-rule.html#:~:text=your%20BIOC%20rule.-,Configure%20a%20Custom%20Prevention%20Rule,-Custom%20prevention%20rules" target="_self" rel="nofollow noopener noreferrer">add that BIOC to a Restriction profile</A>. The situation that you described sounds like a use-case to <A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/response-actions/manage-external-dynamic-lists" target="_self">manage external dynamic lists</A>.&nbsp; Please note, there are some requirements that need to be met in order to leverage this feature:&nbsp;</P><P>&nbsp;</P><DIV class="p"><DIV>To maintain an EDL in Cortex XDR, you must meet the following requirements:</DIV></DIV><DIV><UL><LI><DIV><DIV class="p"><DIV>Cortex XDR Pro per TB or Cortex Pro per Endpoint license</DIV></DIV></DIV></LI><LI><DIV><DIV class="p"><DIV>An<SPAN> App Administrator,&nbsp;Privileged Investigator, or&nbsp;Privileged Security Admin&nbsp;</SPAN>role which include EDL permissions</DIV></DIV></DIV></LI><LI><DIV><DIV class="p"><DIV>Palo Alto Networks firewall running PAN-OS 9.0 or a later release</DIV></DIV></DIV></LI><LI><DIV><DIV class="p"><DIV>Access to your Palo Alto Networks firewall configuration</DIV></DIV></DIV></LI></UL></DIV> Fri, 20 Aug 2021 14:41:13 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ioc-function/m-p/428105#M979 WSeldenIII 2021-08-20T14:41:13Z