11-14-2024 12:23 PM
Hello,
I have a question. I have Cortex XDR agents installed on my endpoints. I just recently also installed FortiAnalyzer, and it detected some potentially malicious IP addresses that my endpoints have connections to. I wonder why Cortex XDR cannot detect and block connections to these malicious IP addresses. Some of these malicious IPs are 139.45.197.252, 139.45.197.227, 139.45.197.151, 139.45.197.236.
Note: All my profiles are in block mode, and there is nothing in the allow/block list.
11-15-2024 11:27 PM
Hi @JahidAliyev
Thanks for your query on LC!
Basically, Cortex XDR will not monitor the network traffic; it will block if any malicious activity occurs on the endpoint with any process execution.
When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity, such as encrypting endpoint files, the agent can automatically block the IP address to close all existing communication and block new connections from this IP address to the endpoint.
So, the Cortex XDR agent does not block connection attempts to remote addresses if the connection does not yield further activity, i.e., if no malicious activity was initiated due to this connection. If the connection to that remote address had executed any harmful activity, the XDR agent should have prevented it before it caused any damage.
Based on the above facts, I think it's worth investigating this activity and the endpoint where the traffic is being initiated to see if there are any anomalies, and also checking the firewall.
Give it a like or mark this response as a solution if this added value to your question.
Best,
Naveen
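The reply above recommends investigating the endpoint where the traffic originates. A quick way to do that is to correlate the endpoint's connection table with the flagged addresses, so you learn which process (PID and image name) is talking to them. The script below is an added example, not code from the original thread or from Palo Alto Networks / Cortex XDR; it assumes the row formats of Windows `netstat -ano` and `tasklist /fo csv /nh` output, and the two sample outputs embedded in it are constructed for illustration. It also goes one step beyond the question by optionally matching a whole CIDR range (here the /24 the four addresses share), which is an assumption about what an analyst might want to widen the search to, not something the thread states.

```python
import csv
import io
import ipaddress
import re
from typing import Dict, Iterable, List, NamedTuple

# The four addresses listed in the question, used as the exact-match watchlist.
FLAGGED_IPS = {
    "139.45.197.252",
    "139.45.197.227",
    "139.45.197.151",
    "139.45.197.236",
}


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int


class Hit(NamedTuple):
    remote_ip: str
    remote_port: int
    state: str
    pid: int
    process: str
    reason: str  # "ip" = exact watchlist match, "net" = CIDR match


# One `netstat -ano` row: Proto, Local, Foreign, [State], PID.
# UDP rows have no State column, so that group is optional; IPv6 addresses
# appear in brackets ("[::]:135"), which the greedy \S+ plus backtracking handles.
_NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def _strip_brackets(addr: str) -> str:
    return addr[1:-1] if addr.startswith("[") and addr.endswith("]") else addr


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -ano` text (Windows) into Conn records; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state, pid = m.groups()
        conns.append(Conn(
            proto,
            _strip_brackets(lip), 0 if lport == "*" else int(lport),
            _strip_brackets(rip), 0 if rport == "*" else int(rport),
            state or "",
            int(pid),
        ))
    return conns


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    procs: Dict[int, str] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs


def find_hits(conns: Iterable[Conn], procs: Dict[int, str],
              watch_ips=FLAGGED_IPS, watch_nets: Iterable[str] = ()) -> List[Hit]:
    """Return every connection whose remote address is on the watchlist (or in a watched CIDR)."""
    nets = [ipaddress.ip_network(n) for n in watch_nets]
    hits = []
    for c in conns:
        reason = None
        if c.remote_ip in watch_ips:
            reason = "ip"
        else:
            try:
                addr = ipaddress.ip_address(c.remote_ip)
            except ValueError:
                continue  # "*" wildcard on UDP rows
            if any(addr in n for n in nets):
                reason = "net"
        if reason:
            # PID 0 is normal for TIME_WAIT sockets: the owning process has already exited,
            # so a hit there tells you the address was contacted but not by whom.
            hits.append(Hit(c.remote_ip, c.remote_port, c.state, c.pid,
                            procs.get(c.pid, "<unknown>"), reason))
    return hits


# Constructed sample output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.15:49712        139.45.197.252:443     ESTABLISHED     4120
  TCP    10.0.0.15:49713        139.45.197.227:80      TIME_WAIT       0
  TCP    10.0.0.15:49720        142.250.74.46:443      ESTABLISHED     6512
  TCP    10.0.0.15:49731        139.45.197.7:443       ESTABLISHED     4120
  TCP    [::]:135               [::]:0                 LISTENING       980
  UDP    0.0.0.0:5353           *:*                                    1884
"""

TASKLIST_SAMPLE = """\
"svchost.exe","980","Services","0","12,340 K"
"chrome.exe","4120","Console","1","210,544 K"
"OneDrive.exe","6512","Console","1","65,120 K"
"updater.exe","1884","Console","1","8,004 K"
"""

if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_tasklist_csv(TASKLIST_SAMPLE)
    for h in find_hits(conns, procs, watch_nets=("139.45.197.0/24",)):
        print(f"{h.process} (pid {h.pid}) -> {h.remote_ip}:{h.remote_port} [{h.state}] via {h.reason}")
```

On a live host, feed the script the real output (`netstat -ano > conns.txt` and `tasklist /fo csv /nh > procs.txt`) rather than the embedded samples, and run it a few times: an address that appears only in TIME_WAIT with PID 0 tells you something contacted it but not what, so you need to catch the socket while it is ESTABLISHED to attribute it to a process.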