https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-ioc-without-incident/m-p/1248570#M9148 <P data-start="133" data-end="148">Good morning,</P> <P data-start="155" data-end="485">Today I would like to create a block for two malicious files that I found in our environment. I noticed that I can create an IOC to block paths, file names, IPs, etc. I have already created an IOC using a wildcard for the file name: <STRONG data-start="388" data-end="407">PDFEditor_*.exe</STRONG>, but I would also like to block the process without generating an incident.</P> <P data-start="492" data-end="511">Is that possible?</P> <P data-start="518" data-end="539">Thank you in advance.</P> Thu, 19 Feb 2026 07:37:34 GMT J.MorenoCiudad 2026-02-19T07:37:34Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-ioc-without-incident/m-p/1248570#M9148 <P data-start="133" data-end="148">Good morning,</P> <P data-start="155" data-end="485">Today I would like to create a block for two malicious files that I found in our environment. I noticed that I can create an IOC to block paths, file names, IPs, etc. I have already created an IOC using a wildcard for the file name: <STRONG data-start="388" data-end="407">PDFEditor_*.exe</STRONG>, but I would also like to block the process without generating an incident.</P> <P data-start="492" data-end="511">Is that possible?</P> <P data-start="518" data-end="539">Thank you in advance.</P> Thu, 19 Feb 2026 07:37:34 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-ioc-without-incident/m-p/1248570#M9148 J.MorenoCiudad 2026-02-19T07:37:34Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-ioc-without-incident/m-p/1248584#M9151 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1588122947">@J.MorenoCiudad</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <DIV class="flex flex-col text-sm pb-25"> <ARTICLE class="text-token-text-primary w-full focus:outline-none [--shadow-height:45px] has-data-writing-block:pointer-events-none has-data-writing-block:-mt-(--shadow-height) has-data-writing-block:pt-(--shadow-height) [&amp;:has([data-writing-block])&gt;*]:pointer-events-auto [content-visibility:auto] supports-[content-visibility:auto]:[contain-intrinsic-size:auto_100lvh] scroll-mt-[calc(var(--header-height)+min(200px,max(70px,20svh)))]" dir="auto" tabindex="-1" data-turn-id="request-WEB:4c8782b3-3c9d-4157-b8cf-d0c7b78cfd7c-0" data-testid="conversation-turn-2" data-scroll-anchor="true" data-turn="assistant"> <DIV class="text-base my-auto mx-auto pb-10 [--thread-content-margin:--spacing(4)] @w-sm/main:[--thread-content-margin:--spacing(6)] @w-lg/main:[--thread-content-margin:--spacing(16)] px-(--thread-content-margin)"> <DIV class="[--thread-content-max-width:40rem] @w-lg/main:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn" tabindex="-1"> <DIV class="flex max-w-full flex-col grow"> <DIV class="min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal [.text-message+&amp;]:mt-1" dir="auto" data-message-author-role="assistant" data-message-id="c2745efd-de2f-4267-b9b3-8b8f944ecfb8" data-message-model-slug="gpt-5-2"> <DIV class="flex w-full flex-col gap-1 empty:hidden first:pt-[1px]"> <DIV class="markdown prose dark:prose-invert w-full wrap-break-word light markdown-new-styling"> <P data-start="0" data-end="222">Yes, it is possible to block these files without generating an incident, but this requires a combination of a <STRONG data-start="110" data-end="133">Restriction Profile</STRONG> for the blocking action and an <STRONG data-start="165" data-end="189">Alert Exclusion rule</STRONG> to suppress incident generation.</P> <P data-start="0" data-end="222">&nbsp;</P> <P data-start="224" data-end="373">Native Indicator of Compromise (IOC) rules are designed for detection and alerting only and do not inherently support prevention or blocking actions.</P> <HR data-start="375" data-end="378" /> <H4 data-start="380" data-end="456">To achieve a “silent block” for your malicious files, follow these steps:</H4> <H5 data-start="458" data-end="514">1. Create a Restriction Profile to Block by Filename</H5> <P data-start="516" data-end="683">While the global <STRONG data-start="533" data-end="547">Block List</STRONG> in the Action Center only supports SHA256 hashes, you can use a <STRONG data-start="612" data-end="635">Restriction Profile</STRONG> to block execution based on filename wildcards.</P> <P data-start="685" data-end="697">Navigate to:</P> <P data-start="699" data-end="756"><STRONG data-start="699" data-end="756">Endpoints &gt; Policy Management &gt; Prevention &gt; Profiles</STRONG></P> <OL data-start="758" data-end="980"> <LI data-start="758" data-end="786"> <P data-start="761" data-end="786">Click <STRONG data-start="767" data-end="784">+ Add Profile</STRONG></P> </LI> <LI data-start="787" data-end="830"> <P data-start="790" data-end="830">Select the relevant OS (e.g., Windows)</P> </LI> <LI data-start="831" data-end="879"> <P data-start="834" data-end="879">Choose <STRONG data-start="841" data-end="857">Restrictions</STRONG> as the profile type</P> </LI> <LI data-start="880" data-end="949"> <P data-start="883" data-end="949">In the profile settings, locate the <STRONG data-start="919" data-end="939">Executable files</STRONG> section</P> </LI> <LI data-start="950" data-end="980"> <P data-start="953" data-end="980">Add your wildcard pattern</P> </LI> </OL> <P data-start="982" data-end="1064">To ensure the file is blocked regardless of its directory, use a leading wildcard:</P> <DIV class="contain-inline-size rounded-2xl corner-superellipse/1.1 relative bg-token-sidebar-surface-primary"> <DIV class="sticky top-[calc(var(--sticky-padding-top)+9*var(--spacing))]"> <DIV class="absolute end-0 bottom-0 flex h-9 items-center pe-2"> <DIV class="bg-token-bg-elevated-secondary text-token-text-secondary flex items-center gap-4 rounded-sm px-2 font-sans text-xs">&nbsp;</DIV> </DIV> </DIV> <DIV class="overflow-y-auto p-4" dir="ltr"><CODE class="whitespace-pre!"><SPAN><SPAN class="hljs-emphasis">*PDFEditor_*</SPAN>.exe </SPAN></CODE></DIV> </DIV> <OL start="6" data-start="1092" data-end="1194"> <LI data-start="1092" data-end="1113"> <P data-start="1095" data-end="1113">Save the profile</P> </LI> <LI data-start="1114" data-end="1194"> <P data-start="1117" data-end="1194">Ensure it is assigned to a <STRONG data-start="1144" data-end="1159">Policy Rule</STRONG> applied to your target endpoints</P> </LI> </OL> <HR data-start="1196" data-end="1199" /> <H4 data-start="1201" data-end="1248">2. Suppress Incidents Using Alert Exclusion</H4> <P data-start="1250" data-end="1427">By default, a block action will trigger a prevention alert and generate an incident. To prevent this, create an <STRONG data-start="1362" data-end="1381">Alert Exclusion</STRONG> rule to suppress the resulting notifications.</P> <P data-start="1429" data-end="1441">Navigate to:</P> <P data-start="1443" data-end="1498"><STRONG data-start="1443" data-end="1498">Configuration &gt; Incident &amp; Alerts &gt; Alert Exclusion</STRONG></P> <OL data-start="1500" data-end="1596"> <LI data-start="1500" data-end="1535"> <P data-start="1503" data-end="1535">Click <STRONG data-start="1509" data-end="1533">+ Add Exclusion Rule</STRONG></P> </LI> <LI data-start="1536" data-end="1596"> <P data-start="1539" data-end="1596">Define the exclusion criteria to match the block events</P> </LI> </OL> <P data-start="1598" data-end="1616">You can filter by:</P> <UL data-start="1618" data-end="1719"> <LI data-start="1618" data-end="1658"> <P data-start="1620" data-end="1658"><STRONG data-start="1620" data-end="1630">Field:</STRONG> Action Process Image Name</P> </LI> <LI data-start="1659" data-end="1685"> <P data-start="1661" data-end="1685"><STRONG data-start="1661" data-end="1674">Operator:</STRONG> wildcard</P> </LI> <LI data-start="1686" data-end="1719"> <P data-start="1688" data-end="1719"><STRONG data-start="1688" data-end="1698">Value:</STRONG> <CODE data-start="1699" data-end="1717">*PDFEditor_*.exe</CODE></P> </LI> </UL> <P data-start="1721" data-end="1816">Alternatively, you can filter by the specific <STRONG data-start="1767" data-end="1780">Rule Name</STRONG> defined in the Restriction Profile.</P> <OL start="3" data-start="1818" data-end="1836"> <LI data-start="1818" data-end="1836"> <P data-start="1821" data-end="1836">Save the rule</P> </LI> </OL> <P data-start="1838" data-end="1968">This will globally suppress alerts and incidents matching these criteria while allowing the agent to continue enforcing the block.</P> <HR data-start="1970" data-end="1973" /> <H4 data-start="1975" data-end="2002">Important Considerations:</H4> <P data-start="2004" data-end="2176"><STRONG data-start="2004" data-end="2024">IOC Limitations:</STRONG><BR data-start="2024" data-end="2027" />Standard IOC rules are primarily used for threat hunting and post-execution visibility; they do not function as a pre-execution prevention mechanism.</P> <P data-start="2004" data-end="2176">&nbsp;</P> <P data-start="2178" data-end="2350"><STRONG data-start="2178" data-end="2197">Bypassing Risk:</STRONG></P> <P data-start="2178" data-end="2350"><BR data-start="2197" data-end="2200" />Blocking by filename or wildcard is less reliable than hash-based blocking, as an attacker can easily rename the executable to bypass the restriction.</P> <P data-start="2178" data-end="2350">&nbsp;</P> <P data-start="2352" data-end="2482" data-is-last-node="" data-is-only-node="">If the hashes are known, adding them to the global <STRONG data-start="2403" data-end="2417">Block List</STRONG> via the Action Center is the recommended security best practice.</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </ARTICLE> </DIV> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Thu, 19 Feb 2026 13:19:37 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-ioc-without-incident/m-p/1248584#M9151 susekar 2026-02-19T13:19:37Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-ioc-without-incident/m-p/1248634#M9159 <P data-start="98" data-end="106">Hello,</P> <P data-start="113" data-end="301">Thank you for your answer. However, I have a doubt about it. What is the difference between creating the block using step 1 that you described and creating an IOC based on the file name?</P> <P data-start="308" data-end="402">On the other hand, I have followed step 2 to suppress the incident using an alert exclusion.</P> <P data-start="409" data-end="429">Thank you very much.</P> Fri, 20 Feb 2026 06:47:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/create-a-ioc-without-incident/m-p/1248634#M9159 J.MorenoCiudad 2026-02-20T06:47:51Z