Blocking file execution based on nameand\or BIOC\IOC

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Blocking file execution based on nameand\or BIOC\IOC

L2 Linker

Hi all, I was wondering - can i block execution of files based on bioc\ioc and or file name? 

As in, not just raise an alert(which i already have) but also actively block the file execution

1 accepted solution

Accepted Solutions

Hi @Daniel_Itenberg 

 

If you are simply looking to block file execution based on file criteria (E.g Hash), then you could utilize the Global Block List within the Action Center.  If you are looking for more granularity on the your block list use-case, then you are add a file or folder directly to a Restriction Profile and add the profile to a policy and assign the updated policy to your targeted endpoints. You will need to ensure the targeted endpoints are online and connected with the XDR console in order to receive the policy update.

 

FYI... Configure a Custom Prevention Rule Insight , there are additional criteria that has to be met in order for the user-define rule to be applied as a custom prevention rule. If you want more context on what EDR data is collected from your testing efforts, then you can navigate to the Endpoint Administration, and right-click on "Endpoint Name" from your connected test endpoint, and select "Open in Quick Launcher", then select "Search all events on <endpoint name>". This will open an XQL query, and you utilize the magnifying glass icon to search for your desired event details. This workflow will provide you with additional context on the associated field that may be used for additional query related use-cases. 

View solution in original post

5 REPLIES 5

L3 Networker

just curious why you would not block (at lease the file name) based on hash? (seems safest).

L3 Networker

Hi @Daniel_Itenberg

 

Yes there is an option to block file execution in XDR utilizing the BIOC use-case. It is first important to understand that Cortex XDR rules (E.g. BIOC and IOC) are detection rules; therefore, they do not include prevention functionality. These rules will create a detection alert once the criteria has been met. You have the option create a BIOC rule based on specific behavior and add that BIOC to a Restriction profile

 

Please note,  The BIOC to BTP feature (Restriction Security Profile) is meant for specific custom BIOC rules to be written, and not configured built off of existing predefined detection BIOC rules which may be problematic for prevention. The BTP engine monitors larger data and has a separate data collection pipeline than EDR data; therefore, the recommendation is to create a specific custom rule, and deploy it slowly on small groups and / or non-production endpoints in order to monitor for any operational impact.

I want that too, but i also want to block by file name - for example i don't want people using utorrent, so i want to block the installer by it's file name together with hash

I created a custom BIOC for bittorent web\utorrent web dmg files, and added them to a restriction profile that is currently deployed only to my endpoint. However, I can run those files without so much as a peep from the xdr. I put the file name and sha256 in the BIOC.

 

Hi @Daniel_Itenberg 

 

If you are simply looking to block file execution based on file criteria (E.g Hash), then you could utilize the Global Block List within the Action Center.  If you are looking for more granularity on the your block list use-case, then you are add a file or folder directly to a Restriction Profile and add the profile to a policy and assign the updated policy to your targeted endpoints. You will need to ensure the targeted endpoints are online and connected with the XDR console in order to receive the policy update.

 

FYI... Configure a Custom Prevention Rule Insight , there are additional criteria that has to be met in order for the user-define rule to be applied as a custom prevention rule. If you want more context on what EDR data is collected from your testing efforts, then you can navigate to the Endpoint Administration, and right-click on "Endpoint Name" from your connected test endpoint, and select "Open in Quick Launcher", then select "Search all events on <endpoint name>". This will open an XQL query, and you utilize the magnifying glass icon to search for your desired event details. This workflow will provide you with additional context on the associated field that may be used for additional query related use-cases. 

  • 1 accepted solution
  • 6817 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!