This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Agent Blocking files/processes dynamically based on conditions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Agent Blocking files/processes dynamically based on conditions

michaelsysec242
L3 Networker

‎03-19-2023 01:17 AM

Hello XDR Enthusiasts,

I am working with multiple XDR Tenants and would like to block a file/process based on conditions. I understand that you can use the Prevention features to block files based on a block/black list. This can also be configured on the Malware Profile settings where specific severity incidents can induce the agent to block the file automatically.  My question is; Is it possible to configure conditions for the Agent to stop a file? For example only when a filename does not equal X then block it? 

I thought of two solutions, yet I am not sure that they will be suitable;

  1. To create a BIOC rule with a critical severity or similar in order that the block rule can be determined on policy based on its severity. I am not sure that the XDR has this capability. 
  2. I am working with a Production Level Cortex XSOAR, is there a playbook or automation that can be implemented to block the file during it's runtime? Due to the time delta between the agent identifying and the XSOAR running a playbook there will be a delay.

I would be interested to know whether the XDR Agent blocking abilities can be set to default based on rules. 

Many thanks,

MR

Cortex XSOAR 

Cortex XDR 

PCSAE
Cortex XSOAR
Thumbnail of Cortex XSOAR
Palo Alto Networks
Cortex XSOAR
Security Operations
View on Product Page
Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
0 Likes Likes
1 REPLY 1

bbarmanroy
L5 Sessionator

‎03-19-2023 07:18 PM

Hi @michaelsysec242 the ability to create custom BIOC to terminate an execution should do the trick. Please look into this LiveCommunity post where the solution has been explained.

0 Likes Likes
  • 1234 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks