Simulating "Respond to Malicious Causality Chain" feature


L0 Member

Hello there,


As the title suggests, we are looking for a test with which we can simulate the behavior (we have a Kali / attacker / victim test environment).

Any suggestions?




L4 Transporter

Hello @OnurOnoglu,


Thanks for reaching out to us!

With the "Respond to malicious causality chain" feature enabled, the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files. The agent can then automatically block the IP address to close all existing communication and block new connections from this IP address to the endpoint. When Cortex XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. You can view the list of all blocked IP addresses per endpoint from the Action Center, as well as unblock them to re-enable communication as appropriate.

Unfortunately, we cannot share any such script or test to simulate this behaviour, because it involves a remote host simulating an attack that goes through your network and may create other problems for you.

