Blocking EFSRPC

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Blocking EFSRPC

L0 Member

In the 7/17 content release notes, improvements have been made to "Suspicious Encrypting File System Remote call (EFSRPC) to domain controller' generated by XDR Analytics BIOC detected on 2 hosts."


By default, the action for this is to detect/alert. I would like to change this to block. Does anyone know how to accomplish this? Better yet, what is the best way to determine which cortex settings/policies apply to a specific Incident? Is there some master list of Incident types and respective settings?


I looked through Prevention Profiles and could not find a setting that makes sense for the EFSRPC alert. Thanks in advance for any help you can provide.

1 accepted solution

Accepted Solutions

L4 Transporter

Hi @Kyle_Begle,

 

Thanks for reaching out on LIVEcommunity!

 

In regards to the rule you're mentioning it is an analytics BIOC.  This means there is not block functionality associated with it.  Analytics BIOCs are not produced in real time and therefore cannot block. Please take a look at the Analytics Concepts. for a better understanding of how analytics work.  Essentially it's looking at a lot of different factors after the event to determine the larger picture.

 

By looking into the activity that caused the alert you may be able to find similarities you can use to create a high fidelity BIOC which can be used to block unwanted activity in your environment.

 

I hope you find this information helpful.  Have a great day!

View solution in original post

2 REPLIES 2

L4 Transporter

Hi @Kyle_Begle,

 

Thanks for reaching out on LIVEcommunity!

 

In regards to the rule you're mentioning it is an analytics BIOC.  This means there is not block functionality associated with it.  Analytics BIOCs are not produced in real time and therefore cannot block. Please take a look at the Analytics Concepts. for a better understanding of how analytics work.  Essentially it's looking at a lot of different factors after the event to determine the larger picture.

 

By looking into the activity that caused the alert you may be able to find similarities you can use to create a high fidelity BIOC which can be used to block unwanted activity in your environment.

 

I hope you find this information helpful.  Have a great day!

L4 Transporter

Hi @Kyle_Begle 

Just to add while looking into the activity that caused the alert you can "Debug alert" to see the interesting fields which can be used for creating BIOC and then you can configure BIOC rules as custom prevention rules and incorporate them with your Restrictions profiles as shared above by @anlynch .
Screenshot for reference:

PiyushKohli_0-1689822671748.png

Ref: 
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Working-wit... 

 

Thanks

  • 1 accepted solution
  • 1715 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!