03-21-2024 11:04 PM
Hi All,
Hope you all are doing good.
Can anyone help me to understand the possibilities of url and application-level blocking in XDR?
Following are my scenarios,
1. Blocking of URLs in XDR.
2. Blocking of execution/installation of specific applications in XDR.
3. Blocking of applications running without installation.(eg. anydesk application running directly by double clicking the .exe file).
Support will be very much appreciated.
Aneesh
03-26-2024 12:53 AM
Hello @Aneesh ,
Thanks for reaching out on LiveCommunity!
For URL blocking you can take the help of EDL blocking:
For point 2 and three you can configure a custom prevention rule for a BIOC Process event, apply it to the Restrictions profile with an action mode set to Block.
If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.
12-13-2024 08:39 AM
This is just pointing a firewall to an EDL that's managed in the cortex tenant. What if the user takes their laptop home and is no longer behind the corporate firewall? Is there a method of blocking access to a URL by cortex XDR itself?
12-14-2024 03:35 PM
Indeed, EDL can't be helpful without firewall. All the mentioned restrictions can be achieved using BIOC rules assigned to restriction profile.
Example of BIOC for blocking URL:
dataset = xdr_data
| filter event_type = ENUM.NETWORK and action_external_hostname in ("facebook.com", "instagram.com", "linkedin.com", "x.com")
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
