How to block command & control traffic on IP address

M.Bathgate — Sun, 28 Jan 2024 22:53:42 GMT

Targeted Command & control processes or nefarious data extractions primarily go outbound using a IP address rather than a FQDN for the URI.

In PRISMA how can i create a rule to block all all outbound traffic directed at IP addresses (not preknown) , unless address is in an exception group ?

Aware that IP directed requests like https://1.2.3.4 can be detected as medium risk, category unknown , but applying a rule to that, blocks all traffic, as its applied at the HIP profile. I can apply to specific sites but that defeats the purpose, which is to auto block C&C activity or data extractions as i don't know in advance where the attackers are going to direct traffic.

If PRISMA is only getting the IP address, then is it possible to have a rule enforced client side by the agent maybe

Re: How to block command & control traffic on IP address

M.Bathgate — Wed, 28 Feb 2024 03:38:22 GMT

Abit disappointed that there hasn't been a reply , given its something fundamental in detection of zero day command and control , and something that competitor products have out of the box .

topic Re: How to block command & control traffic on IP address in Prisma Access Discussions

How to block command & control traffic on IP address

Re: How to block command & control traffic on IP address