Blocking connections to malicious IP address?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Blocking connections to malicious IP address?

L2 Linker

Hello, 

 

I have a question. I have Cortex XDR agents installed on my endpoints. I just recently also installed Forti Analyzer and it detected some potential malicious IP addresses that my endpoints have connections to. I wonder why Cortex XDR cannot detect and block connections to these malicious IP addresses. Some of these malicious IPs are 139.45.197.252, 139.45.197.227, 139.45.197.151, 139.45.197.236. 

 

Note: My all profiles are in block mode and nothing in allow/block list. 

1 REPLY 1

L3 Networker

Hi @JahidAliyev 

Thanks for your query on LC!

Basically, Cortex XDR will not monitor the network Traffic, it will block if any malicious activity occurs on the endpoint with any process execution.
Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files—the agent can automatically block the IP address to close all existing communication and block new connections from this IP address to the endpoint. 

So, Cortex XDR agent does not block connection attempts to remote addresses if this connection does not yield further activity. If there is no malicious activity was initiated due to this connection. If the connection to that remote address would have executed any harmful activity, the XDR agent should have prevented it before causing any damage.

Based on the above facts, I think its worth investigating this activity and the endpoint where traffic being initiated to see if any anomalies and also checking the firewall.

Give it a like or mark this response as a solution if this added value to your question.

Best,
Naveen


  • 283 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!