03-03-2022 07:08 AM
Event Type: Cloud IOC
File: powershell.exe
File path: C:/Windows/system32/WindowsPowerShell/v1.0/powershell.exe
I get this alert for all CyberArk EPM Clients where the CyberArk EndPoint Management (EPM) Agent uses PowerShell scripts to implement CyberArk EPM Policies. It's blocking the C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\PASAgent\SFDP.dll from running. How do I stop Cisco Secure Endpoint from blocking it?
03-03-2022 07:43 AM
03-21-2022 05:59 AM
Hello @richard.wing ,
we are aware of this issue and are working on a solution. Hopefully we will provide Cloud IOC exclusions soon. Today I cannot share any ETA for this, but you may ping your Cisco representative for details.
Until we provide this feature, please open a TAC case, so we can add an appropriate exclusion to the backend detection engine.
Greetings, Thorsten
03-21-2022 10:19 AM - edited 03-21-2022 10:20 AM
Deleted - mistaken dates
03-22-2022 10:03 AM
At the moment there is no way to create exclusions for Cloud IOC events. As mentioned by others, the only thing you can do is create a TAC Case and provide them with as much information about the event as possible, e.g. filename, SHA-256 value, command line arguments etc., so they can reach out to the development team to tune the events, which happen globally... Yes, you heard correctly. Cisco is unable to provide any kind of tuning or exclusion specifically for your organization; whatever they do on the back end affects all Secure Endpoint customers globally.
I have a customer that develops PowerShell scripts that are run on their servers with Secure Endpoint installed. Almost any type of script is triggering a new Cloud IOC even though it's relatively harmless; one of the scripts would collect health information from the server. I think we're on TAC Case number three for having Cisco tune these Cloud IOCs, which seems pointless as they keep triggering a new event every time they create a new script. It typically takes Cisco weeks to do, and all the cases we have opened always receive an initial response from the engineer saying exclusions are not possible. Not sure if they just can't be bothered and think they can get the case closed faster, or maybe they simply don't know.
03-24-2022 06:24 AM
Hello @Nicolai Borchorst ,
we are already working on this feature. Today I do not have an ETA for you to share here. You may ping your Cisco representative for details.
Greetings, Thorsten