https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-question-svchost-without-signature/m-p/511254#M2495 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>&nbsp;</P> <P>&nbsp;</P> <P>Please open a TAC case in order for this to be investigated properly as it seems there are some miss matches between the XQL results and the alert info.&nbsp;</P> Mon, 08 Aug 2022 14:54:09 GMT SilviuMihailDascalu 2022-08-08T14:54:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-question-svchost-without-signature/m-p/511159#M2480 <P>Hello dear community,&nbsp;</P> <P>&nbsp;</P> <P>you know how to handle this svchost.exe without signature? In my opinion it is FP, but why?</P> <P>Isn't it possible for the cortex agent to read the signature from svchost.exe in this case?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RFeyertag_0-1659806957154.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43027iEE4F53365AD89FC3/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="RFeyertag_0-1659806957154.png" alt="RFeyertag_0-1659806957154.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RFeyertag_3-1659807299644.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43030iB458B1E6B0AFB415/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="RFeyertag_3-1659807299644.png" alt="RFeyertag_3-1659807299644.png" /></span></P> <P>I tweaked the alert and gave it medium severity and some more applications.&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> Sat, 06 Aug 2022 17:36:47 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-question-svchost-without-signature/m-p/511159#M2480 RFeyertag 2022-08-06T17:36:47Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-question-svchost-without-signature/m-p/511235#M2486 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>,</P> <P>&nbsp;</P> <P>It's a little odd that svchost.exe doesn't have a digital signature and I would like to ask you if you can run an XQL query against this endpoint and identify if the svchost.exe on that endpoint is indeed unsigned or not (please see the query below)?</P> <P>&nbsp;</P> <P>dataset = xdr_data <BR />| filter agent_hostname = "&lt;endpoint_hostname&gt;" and causality_actor_process_image_name="svchost.exe"<BR />| fields causality_actor_process_image_name, actor_process_signature_vendor, actor_process_signature_status</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Silviu</P> Mon, 08 Aug 2022 13:05:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-question-svchost-without-signature/m-p/511235#M2486 SilviuMihailDascalu 2022-08-08T13:05:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-question-svchost-without-signature/m-p/511253#M2494 <P>Hello Silviu,&nbsp;</P> <P>&nbsp;</P> <P>yes, I get a few results. See screenshot below. I get these incidents on another computer too and on another pc with explorer.exe.&nbsp;</P> <P>In summary there are 3 incidents and I need to know, if this is a FP or not.&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RFeyertag_0-1659969799695.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43047i473B89CAEBFCDBF7/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="RFeyertag_0-1659969799695.png" alt="RFeyertag_0-1659969799695.png" /></span></P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Mon, 08 Aug 2022 14:45:45 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-question-svchost-without-signature/m-p/511253#M2494 RFeyertag 2022-08-08T14:45:45Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-question-svchost-without-signature/m-p/511254#M2495 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>&nbsp;</P> <P>&nbsp;</P> <P>Please open a TAC case in order for this to be investigated properly as it seems there are some miss matches between the XQL results and the alert info.&nbsp;</P> Mon, 08 Aug 2022 14:54:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-question-svchost-without-signature/m-p/511254#M2495 SilviuMihailDascalu 2022-08-08T14:54:09Z