What is the best method to block a malicious IP address involved in command-and-control (C2) traffic without changing the firewall configuration?


The most suitable approach for blocking a malicious IP address associated with command-and-control (C2) traffic without altering the firewall's committed configuration is to add it to an External Dynamic List (EDL).

An EDL is a plain text list of IP addresses, subnets or ranges hosted on a web server. The firewall fetches the list at a configured refresh interval (or when a refresh is forced), and a security rule references the EDL object as its source or destination. Once that rule exists, the contents of the list can change without any further edit or commit on the firewall: when Cortex XSOAR adds an address to the EDL, the firewall picks it up on its next refresh and the referencing rule blocks the traffic. This is what makes the method fast and flexible: the block is enforced by a rule that is already in place, the list is updated automatically by the playbook, and no one has to touch the firewall configuration or schedule a change. Two caveats apply: the EDL object and the rule that references it must be configured once beforehand, and the refresh interval bounds how quickly a new entry takes effect.
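The following is an added example, not code from Cortex XSOAR or PAN-OS, that models the path described above: a playbook-side list that XSOAR maintains and a web server hosts, and the firewall-side EDL object whose membership changes only when the list is fetched. It assumes the PAN-OS IP-list text format (one address, CIDR or `first-last` range per line, `#` starting a comment, invalid lines skipped rather than rejected); those format details and the class and function names are assumptions for illustration, and the fetch is simulated by handing the rendered text straight to the firewall object.

```python
"""Model of the EDL block path: XSOAR adds an indicator to a hosted text list,
the firewall refreshes the list, and the rule referencing it blocks traffic.
Added example; not Palo Alto Networks, PAN-OS or Cortex XSOAR code."""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_entry(text: str) -> List[Network]:
    """Parse one EDL line into networks. Accepts a single address, a CIDR, or a
    'first-last' range; text after '#' is a comment (range and comment syntax are
    assumptions about the PAN-OS IP-list format). Raises ValueError on bad input."""
    line = text.split("#", 1)[0].strip()
    if not line:
        return []
    if "-" in line:
        first, last = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(line, strict=False)]


class ExternalDynamicList:
    """Server side: the text file the XSOAR playbook maintains and a web server hosts."""

    def __init__(self) -> None:
        self.entries: List[str] = []  # one indicator per line, deduplicated

    def add(self, indicator: str) -> bool:
        """Validate before publishing: the firewall would silently skip a malformed
        line, so reject it here. Returns False when rejected or already present."""
        try:
            nets = parse_entry(indicator)
        except ValueError:
            return False
        if not nets:
            return False
        # Keep ranges as written; normalise single addresses and CIDRs.
        canonical = indicator.strip() if "-" in indicator else str(nets[0])
        if canonical in self.entries:
            return False
        self.entries.append(canonical)
        return True

    def remove(self, indicator: str) -> bool:
        """Lift the block by removing the line; takes effect on the next refresh."""
        try:
            nets = parse_entry(indicator)
        except ValueError:
            return False
        canonical = indicator.strip() if "-" in indicator else str(nets[0])
        if canonical not in self.entries:
            return False
        self.entries.remove(canonical)
        return True

    def render(self) -> str:
        """The body the firewall receives when it fetches the list URL."""
        header = "# C2 block list maintained by XSOAR playbook (constructed sample)\n"
        return header + "".join(entry + "\n" for entry in self.entries)


class FirewallEdlObject:
    """Firewall side: the object a security rule references. Its membership is
    whatever the last fetch returned and only changes on refresh, not on commit."""

    def __init__(self) -> None:
        self.networks: List[Network] = []
        self.skipped = 0  # invalid lines seen during the last refresh

    def refresh(self, body: str) -> int:
        """Replace the membership with the fetched list; returns the entry count."""
        nets: List[Network] = []
        skipped = 0
        for raw in body.splitlines():
            try:
                nets.extend(parse_entry(raw))
            except ValueError:
                skipped += 1  # a bad line is skipped, the rest of the list still loads
        self.networks, self.skipped = nets, skipped
        return len(nets)

    def blocks(self, ip: str) -> bool:
        """Would a deny rule sourced from this EDL match the given address?"""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def respond_to_c2(edl: ExternalDynamicList, fw: FirewallEdlObject,
                  c2_ip: str) -> Tuple[bool, bool]:
    """Walk the full path for one C2 address. Returns (blocked before the
    firewall refreshes, blocked after), which shows the refresh-interval caveat."""
    edl.add(c2_ip)
    before = fw.blocks(c2_ip)
    fw.refresh(edl.render())
    return before, fw.blocks(c2_ip)


if __name__ == "__main__":
    edl, fw = ExternalDynamicList(), FirewallEdlObject()
    print(respond_to_c2(edl, fw, "198.51.100.7"))  # constructed C2 address
```

The `(False, True)` result from `respond_to_c2` is the point worth remembering for this question: adding the entry is instantaneous on the XSOAR side, but enforcement begins only when the firewall next fetches the list, so the EDL refresh interval is part of the response time.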

In contrast, the other options either change the firewall configuration directly or add process steps that delay the response. Adding the address to a deny rule edits the security policy and requires a commit, which is exactly the change the question rules out. A threat intelligence management list records the indicator but does not enforce a block on its own unless the firewall has been configured to act on it, at which point it is effectively an EDL. Creating a NetOps ticket hands the block to another team and its change process, so enforcement waits on that queue. An EDL is therefore the most effective choice for immediate action against a malicious IP address.
