https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/msi-stolen-certificate-alerts/m-p/543117#M4412 <P>HI&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/293537">@MRoberti</a>,</P> <P>&nbsp;</P> <P>Thanks for reaching out on LIVEcommunity.</P> <P>&nbsp;</P> <P data-unlink="true">The BTP rules you've mentioned are not a part of a bug or unintended action of Cortex XDR.&nbsp; With that being said it would not be possible for me to determine if those alerts are false positive or not. They'd need to be investigated thoroughly.&nbsp; I might suggest reaching out to <A href="https://support.paloaltonetworks.com/Support/Index" target="_self">support</A>&nbsp;if you think these alerts are being created in error so they can examine the issue more closely.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">I hope this information helps.&nbsp; Have a great day!</P> Wed, 24 May 2023 01:37:33 GMT anlynch 2023-05-24T01:37:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/msi-stolen-certificate-alerts/m-p/543031#M4407 <P>Today we started to get alerts for all our MSI laptops with the reason: "<SPAN class="rule-inner-content">Behavioral threat detected (rule: msi_stolen_certificate.1)". The alerts trigger on the MSI software installed on the latops, like "MSI center", or "One dragon center".</SPAN></P> <P>&nbsp;</P> <P><SPAN class="rule-inner-content">Are these false positives?<BR /></SPAN></P> Tue, 23 May 2023 11:41:39 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/msi-stolen-certificate-alerts/m-p/543031#M4407 MRoberti 2023-05-23T11:41:39Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/msi-stolen-certificate-alerts/m-p/543117#M4412 <P>HI&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/293537">@MRoberti</a>,</P> <P>&nbsp;</P> <P>Thanks for reaching out on LIVEcommunity.</P> <P>&nbsp;</P> <P data-unlink="true">The BTP rules you've mentioned are not a part of a bug or unintended action of Cortex XDR.&nbsp; With that being said it would not be possible for me to determine if those alerts are false positive or not. They'd need to be investigated thoroughly.&nbsp; I might suggest reaching out to <A href="https://support.paloaltonetworks.com/Support/Index" target="_self">support</A>&nbsp;if you think these alerts are being created in error so they can examine the issue more closely.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">I hope this information helps.&nbsp; Have a great day!</P> Wed, 24 May 2023 01:37:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/msi-stolen-certificate-alerts/m-p/543117#M4412 anlynch 2023-05-24T01:37:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/msi-stolen-certificate-alerts/m-p/543158#M4415 <P>We got the same alert for Intel Arc. Turns out Intel uses a component called Rivatuner in their setup and this is made by MSI. I guess leak of MSI certificates have caused cortex to consider all certificates from MSI as insecure? Would like to know more about this too.</P> Wed, 24 May 2023 09:10:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/msi-stolen-certificate-alerts/m-p/543158#M4415 DavidStevens 2023-05-24T09:10:02Z