05-23-2022 11:09 PM
Hey dear sec community!
Is there a way to set up a correlation rule that can block and not only detect?
I couldn't find a way. I tried the XQL queries from the library.
BR
Rob
05-24-2022 02:55 AM
Hi @Cyber1985 I believe what you're looking for is Restrictions Profile. You can create a BIOC and add it to a Restrictions Profile for it to block certain behavior. Please note that this will be a post-execution module.
An example is preventing users from using Google Chrome to visit https://1.1.1.1. You can write that BIOC and add it to a Restrictions Profile, and apply that to an endpoint/set of endpoints via Security policies.
05-27-2022 03:02 PM
So correlation rules can't trigger a block, am I right?
So I created a BIOC Rule, here you can see it:
Where is the connection missing? I can remember that in the past I got that connection between BIOC and custom prevention rule, which I could find under the restriction profile.
But now I can only enable it, but cannot define only my custom ones; I don't want Cortex to block all BIOCs. How can I deal with that?
BR
Rob
06-02-2022 07:57 PM
Hi @Cyber1985 please see the below screenshot where I am able to add it to a Restrictions Profile. I hope this meets your needs.
06-06-2022 10:59 AM
Hey! Sure, this fits my needs somewhat. But when I create a BIOC rule out of an XQL query, it won't work to put it into a restriction profile.
I like XQL; how do I translate it to the "standard input BIOC language"?
BR
Rob
06-06-2022 11:29 AM
Hi Cyber1985,
There are specific restrictions when attempting to use a custom prevention rule through the Restrictions Profile. The link to the documentation is here (https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/... ); however, I will summarize below:
Please review your BIOC rule and ensure that it meets these guidelines, if possible, post the BIOC rule here for further troubleshooting.
06-06-2022 12:52 PM
I found out that you should not include the fields and timeframe in your XQL query when a BIOC rule + restriction input should be created out of it.
So I was able to reach my goal 🙂
Thank you very much @afurze @bbarmanroy !
BR
Rob
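As an added illustration (not part of any post in this thread, and not Palo Alto's own example), this is what Rob's finding looks like for the Chrome-to-1.1.1.1 case mentioned earlier in the thread. The first query is the investigation form with a timeframe and a `fields` stage; the second is the same filter reduced to what a BIOC rule destined for a Restrictions Profile should carry. The field names (`event_type`, `actor_process_image_name`, `action_remote_ip`, `agent_hostname`) and the stage syntax are from my own understanding of XQL, so check them against your tenant's schema before relying on them.

```xql
// Investigation query (constructed example): fine for ad-hoc hunting and
// the query library, but the timeframe line and the fields stage are what
// block the "save as BIOC -> add to Restrictions Profile" path.
config timeframe = 7d
| dataset = xdr_data
| filter event_type = ENUM.NETWORK
    and actor_process_image_name = "chrome.exe"
    and action_remote_ip = "1.1.1.1"
| fields _time, agent_hostname, actor_process_image_name, action_remote_ip

// Same behaviour, written for BIOC creation: no config timeframe and no
// fields stage; only the dataset and the filter condition remain.
dataset = xdr_data
| filter event_type = ENUM.NETWORK
    and actor_process_image_name = "chrome.exe"
    and action_remote_ip = "1.1.1.1"
```

Before adding the resulting BIOC to a Restrictions Profile, confirm that every field in the filter is one the BIOC editor accepts, and apply the profile to a small set of endpoints first so a too-broad match does not block legitimate traffic fleet-wide.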
11-19-2024 02:06 AM
Hi Cyber1985,
Correlation rules only show actions as an alert. They do not have any capability to block the action.