06-10-2025 08:10 AM
We observed the Cortex XDR setting "respond to malicious causality chain" in action, blocking a local IP while pentesting. A new entry appeared in the Action Center under "Endpoint Blocked IP Addresses".
My question is, how do we know that this action took place while analyzing an incident?
There is no info in the incident
There is no info in the alert
There is no entry under prevented action in the causality chain.
There is no timeline entry or similar.
Our customer had trouble continuing work, connecting to the target host, after we resolved the incident. That's when we realized that XDR had added the IP to the blocklist.
How do we know that we have to unblock this IP in case of a false positive?
06-10-2025 08:38 AM
Hi @DennisHager,
You should see a "Block" icon in the causality chain investigation card, close to the IP address.
You can create an Exception for this IP using the Legacy Agent Exceptions:
If this post answers your question, please mark it as the solution.
06-11-2025 01:54 AM
Thanks for the reply.
I expected to see an icon like this, but there is none in any of the seven alerts. I might have to contact TAC for this.