03-25-2026 12:37 AM
Hello,
I have been receiving alerts related to a file named MyPDFSwitch_8173674.exe, where the filename ends with random numbers.
I created an IOC with the following pattern:
MyPDFSwitch*.exe
However, today I received another alert related to this file, so I suspect that the IOC is not working properly.
Could you please advise what might be happening? We need to block this type of file in our environment.
Thank you in advance.
03-27-2026 06:18 AM
Hello @J.MorenoCiudad ,
Greetings for the day.
The Indicator of Compromise (IOC) rule you created is likely not working as intended for two primary reasons: IOC rules are strictly detection-based mechanisms and do not support wildcard patterns for execution control.
1. IOC Rules are Detection Only
Custom IOC rules in Cortex XDR are designed for visibility and alerting rather than prevention. Even if your security policy is set to "Block," alerts triggered by IOC rules (whether based on file names, hashes, or IPs) will appear as "Detected (Reported)" or "Reported" because the IOC engine does not have an inherent enforcement mechanism.
2. Wildcard Limitations in IOCs
IOC rules are static and simple. Modifying a filename (for example, by adding random numbers) will break the matching for a static indicator, as IOCs are intended to match the exact string provided.
3. Understanding the "New" Alert (Backward Scans)
The alert you received today may not indicate a real-time execution. When a new IOC rule is created or edited, Cortex XDR automatically performs a backward scan of historical data in the xdr_data dataset, typically covering the last 30 days.
To verify if the alert is retroactive, check the JSON output of the alert (Alt + Right-click > Debug Alert) for the following fields:
"matching_status": "BACKWARDS_SCANNED"
"is_backwards": true
Recommended Solution: Restriction Profiles
To actively block files based on a naming pattern (wildcards) when the hash is random, you should use Restriction Profiles. Restriction Profiles allow for flexible execution control based on file attributes rather than static hashes.
Configuration Steps:
*MyPDFSwitch*.exe) and set the ACTION to Block.
Alternative: BIOC Rule with BTP Action
If the file name is highly unpredictable or naming-based blocks are easily bypassed, create a custom Behavioral IOC (BIOC) rule. You can base this rule on consistent attributes like the digital signer, internal product name, or specific behaviors (for example, unusual command-line arguments). Once created, add the BIOC to a Restriction Profile and set it to a Block or Terminate Process action via the Behavioral Threat Prevention (BTP) module.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
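The answer above makes two points that are easy to check on the analyst side: an alert raised right after an IOC is created or edited may be a backward-scan hit rather than a live execution, and a static file-name indicator is compared as a literal string while a restriction-profile pattern is a wildcard. The following triage helper is an added example, not code from the poster, the answerer or Palo Alto Networks. The only field names taken from the answer are "matching_status" and "is_backwards"; the sample alerts, the "alert_id" and "file_name" fields, and the two match functions are assumptions made for illustration, so adjust them to the actual alert JSON you export from the console.

```python
import fnmatch
import json

# Constructed sample alerts (not real Cortex XDR output). Only "matching_status"
# and "is_backwards" come from the answer above; "alert_id" and "file_name" are
# assumed field names used here for illustration.
SAMPLE_ALERTS_JSON = json.dumps([
    {"alert_id": 1, "file_name": "MyPDFSwitch_8173674.exe",
     "matching_status": "BACKWARDS_SCANNED", "is_backwards": True},
    {"alert_id": 2, "file_name": "MyPDFSwitch_2210043.exe",
     "matching_status": "MATCHED", "is_backwards": False},
    {"alert_id": 3, "file_name": "pdfswitch.exe",
     "matching_status": "MATCHED", "is_backwards": False},
])

EXACT_IOC = "MyPDFSwitch*.exe"          # the indicator exactly as the poster entered it
RESTRICTION_GLOB = "*MyPDFSwitch*.exe"   # the wildcard pattern suggested in the answer


def is_retroactive(alert: dict) -> bool:
    """True when the alert was produced by the backward scan that follows
    creating or editing an IOC rule, i.e. it is not evidence of a new execution."""
    return (alert.get("matching_status") == "BACKWARDS_SCANNED"
            or alert.get("is_backwards") is True)


def exact_ioc_matches(file_name: str, indicator: str) -> bool:
    """Static IOC semantics as described in the answer: a literal string
    comparison in which '*' is just another character, not a wildcard.
    Case-insensitive because Windows file names are."""
    return file_name.lower() == indicator.lower()


def glob_matches(file_name: str, pattern: str) -> bool:
    """Wildcard (restriction-profile style) semantics: '*' matches any run of
    characters, so the random numeric suffix no longer breaks the match."""
    return fnmatch.fnmatchcase(file_name.lower(), pattern.lower())


def triage(alerts_json: str, indicator: str, pattern: str) -> list:
    """One row per alert: whether it is retroactive, and which matching model
    (literal IOC vs. wildcard pattern) would catch its file name."""
    rows = []
    for alert in json.loads(alerts_json):
        name = alert["file_name"]
        rows.append({
            "alert_id": alert["alert_id"],
            "file_name": name,
            "retroactive": is_retroactive(alert),
            "exact_ioc_hit": exact_ioc_matches(name, indicator),
            "glob_hit": glob_matches(name, pattern),
        })
    return rows


def live_alerts(rows: list) -> list:
    """The subset that should be treated as possible current executions."""
    return [r for r in rows if not r["retroactive"]]


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS_JSON, EXACT_IOC, RESTRICTION_GLOB):
        print(row)
```

Run against the constructed input, alert 1 is flagged as retroactive, none of the three file names equals the literal indicator (which is why the IOC never fires on a name with a different numeric suffix), and the two MyPDFSwitch variants are caught by the wildcard pattern while the unrelated pdfswitch.exe is not. Export a real alert with the console's Debug Alert option and feed its JSON to triage() to confirm which case you are looking at before escalating.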