04-28-2025 01:27 AM
Dear Everyone,
My customer has a requirement: they would like the Cortex XDR Agent to detect and block multiple specified C2 IP addresses.
I would like to ask if anyone has encountered a similar case or has any relevant experience to share.
Currently, I am aware that this can be achieved by configuring Host Firewall Rules, which fulfills the requirement.
Additionally, I have tried using a BIOC Rule to detect and block the specified IP addresses. However, I found that even though detection works, it cannot be directly added to the Restrictions Profile for blocking.
Any suggestions or alternative approaches would be greatly appreciated.
Thank you!
04-28-2025 02:48 AM
Hello @S.Lin576639,
Alternative approach here is to use EDL:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Exte...
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.
04-28-2025 03:19 AM
Dear @aspatil,
EDL is provided by Cortex to the PA firewall as one of the ways to share blocked IPs or domains, right? Is it possible for the agent to block directly through EDL? Please let me know if I misunderstood anything. Thank you
04-28-2025 05:13 AM
EDLs: Used by Palo Alto Networks firewalls for network-level blocking
Cortex XDR Agent: Does not consume EDLs directly but can block IPs via host firewall rules and detect threats using BIOC rules.
Domain/URL Blocking: Requires integration with firewalls, as the agent doesn't support this natively.
04-28-2025 07:30 PM
Dear @aspatil,
Thanks for the reply. I know users can block IP addresses via Host Firewall; how would you recommend setting up the BIOC Rule?
As mentioned earlier, I have tried to create a BIOC Rule, but it cannot be added to the Restrictions Profile. The rule details are provided below:
Thanks.
04-28-2025 08:26 PM
Use "Network" instead of "Network Connection" when creating the BIOC rule, then add it to the Restrictions Profile.
05-02-2025 01:52 AM
Dear @SeanDeHarris,
Thanks for your reply. I used "Network" to recreate the BIOC rule, but it still can't be added to the Restrictions Profile.
BIOC rule detail:
Network [ action type = all AND remote ip = 14.139.185.60 ]
In addition, the user connects to the specific C2 IP by pinging it; I checked this under both "Network" and "Network Connection" and found that the connection record only appears under "Network Connection".
Please refer to the attached photos for the above screenshots.
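The rule quoted above, `Network [ action type = all AND remote ip = 14.139.185.60 ]`, is a detection: it matches any endpoint network event whose remote address is on the indicator list, regardless of protocol or port. The following is an added example, not Cortex XDR code or the BIOC engine, that shows that matching logic run over a handful of constructed endpoint events. It goes slightly beyond the thread's single address by accepting CIDR indicators as well, skipping malformed addresses, and keeping ICMP events that carry no remote port (the ping case above). The event field names, the `198.51.100.0/24` range and the host/process values are assumptions made up for the example; only `14.139.185.60` comes from the thread.

```python
"""Added example: BIOC-style matching of endpoint network events against a
C2 indicator list. Not Cortex XDR code; the event schema below is assumed."""
import ipaddress
from typing import Dict, List, Optional

# Indicator list. 14.139.185.60 is the address quoted in the thread; the
# CIDR is an assumed documentation-range entry to show prefix matching.
C2_INDICATORS = [
    "14.139.185.60",
    "198.51.100.0/24",
]


def compile_indicators(indicators: List[str]) -> List[ipaddress._BaseNetwork]:
    """Turn single IPs and CIDRs into network objects once, up front.
    A bare address becomes a /32 (or /128), so one match routine serves both."""
    return [ipaddress.ip_network(item, strict=False) for item in indicators]


def match_remote_ip(remote_ip: str, nets: List[ipaddress._BaseNetwork]) -> Optional[str]:
    """Return the indicator (as written in CIDR form) that contains remote_ip,
    or None. Malformed addresses are treated as non-matching rather than
    raising, so one bad event cannot stop the scan."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return None
    for net in nets:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


# Constructed sample events (assumed schema, not the Cortex XDR dataset).
# The ICMP event has no remote port, as a ping to the C2 address would not.
SAMPLE_EVENTS: List[Dict] = [
    {"host": "WS01", "proto": "tcp", "remote_ip": "14.139.185.60",
     "remote_port": 443, "process": "svchost.exe"},
    {"host": "WS01", "proto": "icmp", "remote_ip": "14.139.185.60",
     "remote_port": None, "process": "PING.EXE"},
    {"host": "WS02", "proto": "udp", "remote_ip": "198.51.100.7",
     "remote_port": 53, "process": "nslookup.exe"},
    {"host": "WS02", "proto": "tcp", "remote_ip": "93.184.216.34",
     "remote_port": 80, "process": "chrome.exe"},
    {"host": "WS03", "proto": "tcp", "remote_ip": "not-an-ip",
     "remote_port": 80, "process": "unknown.exe"},
]


def detect(events: List[Dict], indicators: List[str] = C2_INDICATORS) -> List[Dict]:
    """Equivalent of 'action type = all AND remote ip = <indicator>': every
    event whose remote address falls on the list is a hit, whatever the
    protocol or port. Returns one alert record per matching event."""
    nets = compile_indicators(indicators)
    hits = []
    for ev in events:
        matched = match_remote_ip(str(ev.get("remote_ip", "")), nets)
        if matched is None:
            continue
        hits.append({
            "host": ev["host"],
            "process": ev["process"],
            "proto": ev["proto"],
            "remote_ip": ev["remote_ip"],
            "remote_port": ev["remote_port"],
            "indicator": matched,
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Because the matching is on the remote address alone, the ICMP ping and the TCP 443 connection to the same address both produce alerts; a rule that also constrained `remote port` would have silently dropped the ping. Whether the agent will enforce such a rule is a separate question from whether it can detect on it, which is the distinction the thread is working through.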