10-18-2021 05:11 AM
Hi all, I was wondering: can I block execution of files based on BIOC/IOC and/or file name?
As in, not just raise an alert (which I already have) but also actively block the file execution.
10-20-2021 10:48 AM
If you are simply looking to block file execution based on file criteria (e.g. hash), then you could utilize the Global Block List within the Action Center. If you are looking for more granularity on your block list use-case, then you can add a file or folder directly to a Restriction Profile, add the profile to a policy, and assign the updated policy to your targeted endpoints. You will need to ensure the targeted endpoints are online and connected with the XDR console in order to receive the policy update.
FYI... Configure a Custom Prevention Rule Insight: there are additional criteria that have to be met in order for the user-defined rule to be applied as a custom prevention rule. If you want more context on what EDR data is collected from your testing efforts, then you can navigate to Endpoint Administration, right-click on "Endpoint Name" for your connected test endpoint, select "Open in Quick Launcher", then select "Search all events on <endpoint name>". This will open an XQL query, and you can utilize the magnifying glass icon to search for your desired event details. This workflow will provide you with additional context on the associated fields that may be used for additional query-related use-cases.
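An added example of the kind of XQL query the "Search all events" workflow above opens (this is not code from the thread or from Palo Alto Networks): it lists process-start events on one test endpoint and shows the recorded image name, path and SHA256, so the values can be compared with what was typed into the BIOC. The hostname and the file-name pattern are assumed placeholders.

```xql
// Added example, not from the thread. Hostname and name pattern are constructed placeholders.
dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| filter agent_hostname = "TEST-ENDPOINT-01"
| filter lowercase(action_process_image_name) contains "torrent"
| fields _time, agent_hostname, actor_process_image_name,
         action_process_image_name, action_process_image_path,
         action_process_image_sha256, action_process_image_command_line
| sort desc _time
| limit 50
```

If the installer never appears as a started process under the expected name (for example because the launched binary is inside the package rather than the package file itself), the BIOC criteria need to match the fields actually recorded here.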
10-18-2021 06:36 AM
Just curious why you would not block (at least the file name) based on hash? (Seems safest.)
10-18-2021 09:04 AM
Hi @Daniel_Itenberg,
Yes, there is an option to block file execution in XDR utilizing the BIOC use-case. It is first important to understand that Cortex XDR rules (e.g. BIOC and IOC) are detection rules; therefore, they do not include prevention functionality. These rules will create a detection alert once the criteria have been met. You have the option to create a BIOC rule based on specific behavior and add that BIOC to a Restriction profile.
Please note, the BIOC to BTP feature (Restriction Security Profile) is meant for specific custom BIOC rules to be written, and not to be built off of existing predefined detection BIOC rules, which may be problematic for prevention. The BTP engine monitors larger data and has a separate data collection pipeline from EDR data; therefore, the recommendation is to create a specific custom rule and deploy it slowly on small groups and/or non-production endpoints in order to monitor for any operational impact.
10-18-2021 10:54 PM
I want that too, but I also want to block by file name. For example, I don't want people using uTorrent, so I want to block the installer by its file name together with the hash.
10-19-2021 01:57 AM
I created a custom BIOC for BitTorrent Web / uTorrent Web .dmg files and added them to a restriction profile that is currently deployed only to my endpoint. However, I can run those files without so much as a peep from the XDR. I put the file name and SHA256 in the BIOC.