03-21-2024 11:04 PM
Hi All,
Hope you all are doing good.
Can anyone help me to understand the possibilities of url and application-level blocking in XDR?
Following are my scenarios,
1. Blocking of URLs in XDR.
2. Blocking of execution/installation of specific applications in XDR.
3. Blocking of applications running without installation.(eg. anydesk application running directly by double clicking the .exe file).
Support will be very much appreciated.
Aneesh
03-26-2024 12:53 AM
Hello @Aneesh ,
Thanks for reaching out on LiveCommunity!
For URL blocking you can take the help of EDL blocking:
For point 2 and three you can configure a custom prevention rule for a BIOC Process event, apply it to the Restrictions profile with an action mode set to Block.
If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.
12-13-2024 08:39 AM
This is just pointing a firewall to an EDL that's managed in the cortex tenant. What if the user takes their laptop home and is no longer behind the corporate firewall? Is there a method of blocking access to a URL by cortex XDR itself?
12-14-2024 03:35 PM
Indeed, EDL can't be helpful without firewall. All the mentioned restrictions can be achieved using BIOC rules assigned to restriction profile.
Example of BIOC for blocking URL:
dataset = xdr_data
| filter event_type = ENUM.NETWORK and action_external_hostname in ("facebook.com", "instagram.com", "linkedin.com", "x.com")
02-04-2025 03:38 AM
Unfortunately for some reason the proposed BIOC can't be assigned to restriction profile.
02-04-2025 11:42 AM
To configure a BIOC rule as a prevention rule:
In the BIOC Rule table, from the Source field, filter and locate a user-defined rule you want to apply as a custom prevention rule. You can only apply a BIOC rule that you created either from scratch or a Cortex XDR global rule template that meets the following criteria.
The user-defined BIOC rule does not include the following field configurations.
All Events—Host Name
File Event—Device Type, Device Serial Number
Process Event—Device Type, Device Serial Number
Network Event—Country, Raw Packet
BIOC rules with OS scope definitions must align with the Restrictions profile OS.
When defining the Process criteria for a user-defined BIOC rule event type, you can select to run only on actor, causality, and OS actor on Windows, and causality and OS actor on Linux and Mac.
From the doc: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Create-a-BIOC-rule
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
