https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocked-hashes-on-newer-systems-do-not-show-in/m-p/1227017#M8241 <P>Thanks for explaining, i am testing out the custom BIOC.</P> Tue, 22 Apr 2025 06:05:15 GMT Abdullah-Tariq 2025-04-22T06:05:15Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocked-hashes-on-newer-systems-do-not-show-in/m-p/1226955#M8238 <P>Hi,</P> <P>&nbsp;</P> <P>As the name suggests we have blocked certain hashes on Cortex XDR. However when a some new system runs the blocked hash file(s), they do get blocked a prompt is also shown on the system but there is no incident on Cortex Incident tab. Why is it so and how can i get it to show in incidents?</P> Mon, 21 Apr 2025 07:37:21 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocked-hashes-on-newer-systems-do-not-show-in/m-p/1226955#M8238 Abdullah-Tariq 2025-04-21T07:37:21Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocked-hashes-on-newer-systems-do-not-show-in/m-p/1226971#M8239 <P class="" data-start="191" data-end="283">When you <STRONG data-start="200" data-end="216">block a hash</STRONG> in Cortex XDR (via <STRONG data-start="236" data-end="259">Hash Control Policy</STRONG> or manual blocklist),</P> <UL data-start="284" data-end="501"> <LI class="" data-start="284" data-end="353"> <P class="" data-start="286" data-end="353"><STRONG data-start="286" data-end="333">The agent blocks the file execution locally</STRONG> on the endpoint&nbsp;</P> </LI> <LI class="" data-start="354" data-end="429"> <P class="" data-start="356" data-end="429"><STRONG data-start="356" data-end="392">A prompt appears on the endpoint</STRONG> (so the user knows it’s blocked)&nbsp;</P> </LI> <LI class="" data-start="430" data-end="501"> <P class="" data-start="432" data-end="501"><STRONG data-start="432" data-end="439">BUT</STRONG> — <STRONG data-start="442" data-end="468">no incident is created</STRONG> automatically in the console&nbsp;</P> </LI> </UL> <P class="" data-start="503" data-end="639">This is <EM data-start="511" data-end="522">by design</EM>. Cortex XDR treats <STRONG data-start="542" data-end="559">hash blocking</STRONG> as a <STRONG data-start="565" data-end="594">policy enforcement action</STRONG>, not necessarily as a <STRONG data-start="617" data-end="638">security incident</STRONG>.</P> <P class="" data-start="641" data-end="818">Unless the blocked file is <STRONG data-start="668" data-end="749">associated with another detection (behavioral, exploit, malware module, etc.)</STRONG>, it <STRONG data-start="754" data-end="784">won't generate an incident</STRONG> just because it’s a blocked hash.</P> <P class="" data-start="641" data-end="818">&nbsp;</P> <P class="" data-start="641" data-end="818">And you can create a custom BIOC to generate a Alert like</P> <P class="" data-start="641" data-end="818">&nbsp;artifact.file_hash = &lt;your_blocked_hash_value&gt; <BR />AND action.type = "blocked_execution"</P> Mon, 21 Apr 2025 12:03:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocked-hashes-on-newer-systems-do-not-show-in/m-p/1226971#M8239 Mudhireddy 2025-04-21T12:03:24Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocked-hashes-on-newer-systems-do-not-show-in/m-p/1227017#M8241 <P>Thanks for explaining, i am testing out the custom BIOC.</P> Tue, 22 Apr 2025 06:05:15 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-blocked-hashes-on-newer-systems-do-not-show-in/m-p/1227017#M8241 Abdullah-Tariq 2025-04-22T06:05:15Z