If you are simply looking to block file execution based on file criteria (e.g. hash), then you could utilize the Global Block List within the Action Center. If you are looking for more granularity in your block-list use case, then you can add a file or folder directly to a Restriction Profile, add the profile to a policy, and assign the updated policy to your targeted endpoints. You will need to ensure the targeted endpoints are online and connected to the XDR console in order to receive the policy update.
FYI: per Configure a Custom Prevention Rule Insight, there are additional criteria that have to be met in order for a user-defined rule to be applied as a custom prevention rule. If you want more context on what EDR data is collected from your testing efforts, then you can navigate to Endpoint Administration, right-click on the "Endpoint Name" of your connected test endpoint, select "Open in Quick Launcher", then select "Search all events on <endpoint name>". This will open an XQL query, and you can utilize the magnifying glass icon to search for your desired event details. This workflow will provide you with additional context on the associated fields that may be used for additional query-related use cases.
Yes, there is an option to block file execution in XDR utilizing the BIOC use case. It is first important to understand that Cortex XDR rules (e.g. BIOC and IOC) are detection rules; therefore, they do not include prevention functionality. These rules will create a detection alert once the criteria have been met. You have the option to create a BIOC rule based on specific behavior and add that BIOC to a Restriction profile.
Please note: the BIOC-to-BTP feature (Restriction Security Profile) is meant for specific custom BIOC rules to be written, and not for rules built off of existing predefined detection BIOC rules, which may be problematic for prevention. The BTP engine monitors larger data and has a separate data collection pipeline than EDR data; therefore, the recommendation is to create a specific custom rule and deploy it slowly on small groups and / or non-production endpoints in order to monitor for any operational impact.
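As an added example (not from either reply above), the kind of XQL query you would run from "Search all events on <endpoint name>" to confirm whether a hash you placed on the Global Block List, or a behavior you plan to turn into a custom BIOC, actually shows up in the endpoint's process-start telemetry before you roll a Restriction Profile out more widely. The hostname and SHA-256 are placeholders, and the field names are assumed to be the standard xdr_data process fields.

```xql
dataset = xdr_data
| filter event_type = ENUM.PROCESS
    and event_sub_type = ENUM.PROCESS_START
    and agent_hostname = "TEST-ENDPOINT-PLACEHOLDER"
    and action_process_image_sha256 = "PLACEHOLDER_SHA256_OF_BLOCKED_FILE"
| fields _time, agent_hostname, actor_process_image_name, action_process_image_name, action_process_image_command_line
| sort desc _time
| limit 50
```

Drop the hash clause and keep only the hostname to browse every process start on the test endpoint, which is the quickest way to pick the fields a narrow custom BIOC should key on.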