This article discusses how to mitigate a threat in an XDR story by adding a Target to your blocklist from the story Overview in the Stories Workbench.
For more about XDR and the Stories Workbench, see the following articles:
XDR stories sometimes relate to suspicious activity involving a Target (an FQDN or IP address), for example a device communicating with a suspected phishing domain. The story Overview page in the Stories Workbench lets you mitigate these types of threats by adding the suspicious Target to a Container, which you can then include in your blocklist policies. This ensures that no users connected to Cato can access the Target.
Containers are user-defined categories that help you manage groups of items such as IP addresses or FQDNs. Once you create a Container, it can be added to a Firewall rule with the Block action.
Suspicious Targets are only blocked once the Container is included in a firewall rule. When you mitigate a threat from an XDR story, you can add the Target to an existing Container or create a new one. Users can still access Targets that are added to a Container but not included in a firewall rule.
A security analyst investigates an XDR story in the Overview page and identifies an IP address associated with malware. After additional investigation, the analyst confirms that this is an attack originating from a known malicious actor.
The analyst adds the Target to the company's suspicious IP address Container that is included in an Internet firewall rule with a Block action.
The threat is contained as no other users are able to access the IP address.
In the story Overview page, add a Target to a blocklist from the Actions menu.
To add a Target to a blocklist:
1. In the story Overview, click the Actions button.
2. Click Add Target to Blocklist. The Add Target to Blocklist panel opens.
3. Select a Target to mitigate and either select an existing Container you want to add it to, or click Create New to create a new Container.
4. (Optional) Add a note explaining the reason for adding the Target to the blocklist.
5. Click Add Target.
6. Ensure the Container is included in a firewall rule.
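The last step matters because a Target in a Container that no Block rule references is not enforced. The following added example (not Cato's own code or API; the Container and FirewallRule shapes and the sample names are constructed for illustration) audits that relationship and lists Targets that were added to a Container but are still reachable:

```python
from dataclasses import dataclass, field


@dataclass
class Container:
    """User-defined group of Targets (IP addresses or FQDNs)."""
    name: str
    targets: set[str] = field(default_factory=set)


@dataclass
class FirewallRule:
    """Simplified firewall rule: its action and the Containers it matches on."""
    name: str
    action: str  # "Block" or "Allow"
    containers: set[str] = field(default_factory=set)


def enforced_containers(rules: list[FirewallRule]) -> set[str]:
    """Names of Containers referenced by at least one rule with the Block action."""
    return {c for r in rules if r.action == "Block" for c in r.containers}


def unenforced_targets(containers: list[Container], rules: list[FirewallRule]) -> dict[str, set[str]]:
    """Targets that sit in a Container but are not covered by any Block rule,
    mapped to the Containers holding them. These mitigations are not yet effective."""
    blocked = enforced_containers(rules)
    covered = {t for c in containers if c.name in blocked for t in c.targets}
    result: dict[str, set[str]] = {}
    for c in containers:
        if c.name in blocked:
            continue
        for t in c.targets - covered:  # a Target in any enforced Container is fine
            result.setdefault(t, set()).add(c.name)
    return result


# Constructed sample data (placeholder names and TEST-NET addresses, not a real account).
SAMPLE_CONTAINERS = [
    Container("Suspicious IPs", {"203.0.113.10", "198.51.100.7"}),
    Container("Phishing Domains", {"login-example.invalid"}),
    Container("Staging Blocklist", {"198.51.100.7", "malware-example.invalid"}),
]
SAMPLE_RULES = [
    FirewallRule("Block suspicious IPs", "Block", {"Suspicious IPs"}),
    FirewallRule("Monitor staging", "Allow", {"Staging Blocklist"}),
]
```

With the sample data, only the Targets held solely by "Phishing Domains" and "Staging Blocklist" are reported, since 198.51.100.7 is also in the enforced "Suspicious IPs" Container.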
The Action Center tab in the Home > Detection & Response Policy page lets you review the XDR mitigation actions taken in your account.
The Action Center shows the following information for each mitigation action:
- Time - Timestamp for when the mitigation action was sent
- Action - Description of the mitigation action
- Subject - The user the action was performed on
- Status - Status of the action. For the Add Target to Blocklist action, these are the Status values:
  - Success - The request to revoke the session was sent to the Cato user service
  - Failure - There was an issue with the request to revoke the session
- Author - Admin who performed the action
- Trigger - The Story ID for the story from which the action was sent. Click to open the Overview page for the story
- Note - Optional note entered by the admin