02-22-2021 06:20 PM
Hello community,
In our company we have implemented Cortex XDR with Pro per endpoint and pro per terabyte licenses.
The incident response area asks me to verify the viability of applying the following preventive measures in Cortex XDR:
1. Block the execution of a specific process by its name without having the hash.
2. Block writing and execution in specific directories, as well as blocking the creation of new folders with a specific name.
Is it possible to perform the previously indicated actions?
Stay tuned.
Best regards.
02-23-2021 03:44 PM
Hi @Marcelo_Campos,
You should be able to accomplish both using Cortex XDR using the following instructions. On Windows devices, you can prevent the execution of a process by name or path by creating a rule in a restrictions profile and applying that to a policy. To enable, do the following:
For endpoints that do not have Windows as an operating system, you can enable detection of a process using BIOC. Create a BIOC to monitor for a process with a specific name:
As for your second request, you can create a BIOC and convert it into an XDR Agent prevention rule for compatible endpoints by doing the following:
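As an added illustration, not part of this thread or of Palo Alto's own documentation, the two BIOC detections the answer describes could be expressed as XQL queries roughly like the ones below. The dataset, field and enum names (xdr_data, event_type, event_sub_type, action_process_image_name, action_file_path, action_file_name) are assumed from the Cortex XDR xdr_data schema; the process name and the paths are constructed placeholders, and a rule saved as a BIOC should keep only the filter stage shown here.

```xql
// Added example, not from the thread. Field and enum names are assumed from
// the Cortex XDR xdr_data schema; "unwanted_tool.exe", "/opt/watched/" and
// "staging" are constructed placeholders.

// 1) Detect a process start by image name, with no hash involved.
//    lowercase() avoids misses on case differences in the image name.
dataset = xdr_data
| filter event_type = ENUM.PROCESS
    and event_sub_type = ENUM.PROCESS_START
    and lowercase(action_process_image_name) = "unwanted_tool.exe"

// 2) Detect file writes, new files and new directories under a watched
//    path, plus creation of a directory with a specific name anywhere.
dataset = xdr_data
| filter event_type = ENUM.FILE
    and event_sub_type in (ENUM.FILE_WRITE, ENUM.FILE_CREATE_NEW, ENUM.FILE_DIR_CREATE)
    and (action_file_path contains "/opt/watched/"
         or (event_sub_type = ENUM.FILE_DIR_CREATE
             and action_file_name = "staging"))
```

Run each query in XQL Search first to confirm it matches only the intended events before saving it as a BIOC and, where the endpoint supports it, converting it into an agent prevention rule. Note that a name-only match is a weaker control than a hash match, since renaming the binary evades it, so the second query (watching the directories the tool would write to) is a useful complement rather than a replacement.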
03-03-2021 09:56 PM
Hello @Marcelo_Campos
Cortex XDR™ Pro Administrator’s Guide - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...