04-21-2025 12:37 AM
Hi,
As the name suggests, we have blocked certain hashes on Cortex XDR. However, when some new system runs the blocked hash file(s), they do get blocked and a prompt is also shown on the system, but there is no incident on the Cortex Incidents tab. Why is it so, and how can I get it to show in incidents?
04-21-2025 05:01 AM - edited 04-21-2025 05:03 AM
When you block a hash in Cortex XDR (via Hash Control Policy or manual blocklist):
- The agent blocks the file execution locally on the endpoint
- A prompt appears on the endpoint (so the user knows it’s blocked)
- BUT — no incident is created automatically in the console
This is by design. Cortex XDR treats hash blocking as a policy enforcement action, not necessarily as a security incident.
Unless the blocked file is associated with another detection (behavioral, exploit, malware module, etc.), it won't generate an incident just because it’s a blocked hash.
And you can create a custom BIOC to generate an alert, like:
artifact.file_hash = <your_blocked_hash_value>
AND action.type = "blocked_execution"
04-21-2025 11:05 PM
Thanks for explaining, I am testing out the custom BIOC.