https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/malware-scan-results-vs-alerts-created/m-p/561172#M5314 <P>Hi,<BR /><BR />I'm just wondering if someone can help me understand, why&nbsp; the results of a malware scan (i.e. 19 malicious files found) doesn't reflect the amount of alerts created. I'd assume there would be 19 malicious files as stated, with an alert for each?</P> <P>&nbsp;</P> <P><STRONG>As you can see in the example below, the scan yielded 19 malicious files in the results:</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BojanTotic_1-1696977019013.png" style="width: 869px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54291iA026EF41E46E3E67/image-dimensions/869x209/is-moderation-mode/true?v=v2" width="869" height="209" role="button" title="BojanTotic_1-1696977019013.png" alt="BojanTotic_1-1696977019013.png" /></span></P> <P><STRONG>When I click on show alerts, it takes me to the below screenshot.. but all I see is 8 alerts about 7 files.</STRONG></P> <P>Should there be more alerts specific to each malicious files found? And if not, where would I ensure that all 19 files are accounted for in a trigger?<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BojanTotic_2-1696977165798.png" style="width: 791px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54292iC948562C63391440/image-dimensions/791x261/is-moderation-mode/true?v=v2" width="791" height="261" role="button" title="BojanTotic_2-1696977165798.png" alt="BojanTotic_2-1696977165798.png" /></span></P> <P>&nbsp;</P> <P>Thanks for the help in advance!</P> <P>Bojan</P> <P>&nbsp;</P> Tue, 10 Oct 2023 22:33:36 GMT Bojan-Totic 2023-10-10T22:33:36Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/malware-scan-results-vs-alerts-created/m-p/561172#M5314 <P>Hi,<BR /><BR />I'm just wondering if someone can help me understand, why&nbsp; the results of a malware scan (i.e. 19 malicious files found) doesn't reflect the amount of alerts created. I'd assume there would be 19 malicious files as stated, with an alert for each?</P> <P>&nbsp;</P> <P><STRONG>As you can see in the example below, the scan yielded 19 malicious files in the results:</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BojanTotic_1-1696977019013.png" style="width: 869px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54291iA026EF41E46E3E67/image-dimensions/869x209/is-moderation-mode/true?v=v2" width="869" height="209" role="button" title="BojanTotic_1-1696977019013.png" alt="BojanTotic_1-1696977019013.png" /></span></P> <P><STRONG>When I click on show alerts, it takes me to the below screenshot.. but all I see is 8 alerts about 7 files.</STRONG></P> <P>Should there be more alerts specific to each malicious files found? And if not, where would I ensure that all 19 files are accounted for in a trigger?<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BojanTotic_2-1696977165798.png" style="width: 791px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54292iC948562C63391440/image-dimensions/791x261/is-moderation-mode/true?v=v2" width="791" height="261" role="button" title="BojanTotic_2-1696977165798.png" alt="BojanTotic_2-1696977165798.png" /></span></P> <P>&nbsp;</P> <P>Thanks for the help in advance!</P> <P>Bojan</P> <P>&nbsp;</P> Tue, 10 Oct 2023 22:33:36 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/malware-scan-results-vs-alerts-created/m-p/561172#M5314 Bojan-Totic 2023-10-10T22:33:36Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/malware-scan-results-vs-alerts-created/m-p/561178#M5316 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/213553">@Bojan-Totic</a>&nbsp;</P> <P>&nbsp;</P> <P>Thank you for reaching out to the Live Community. I see in the second screenshot there is a filter applied, could you please try to change search field as host and see if you are able to see all the alerts for 19 files as seen in the first screenshot? Please let us know if this resolves our issue. Thank you.&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you. </P> Wed, 11 Oct 2023 01:47:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/malware-scan-results-vs-alerts-created/m-p/561178#M5316 abdrahman 2023-10-11T01:47:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/malware-scan-results-vs-alerts-created/m-p/561259#M5318 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/213553">@Bojan-Totic</a>&nbsp;</P> <P>&nbsp;</P> <P>This is expected, because of deduplication period i.e.&nbsp;<SPAN>The amount of time in which additional alerts for the same activity or behavior are suppressed before&nbsp;</SPAN><SPAN class="phrase">Cortex XDR</SPAN><SPAN>&nbsp;raises another alert&nbsp;</SPAN>and this is avoid flooding with so many alerts. Therefore in the alert triggered it shows number of time similar activity/alert triggered. As can be seen from your screenshot +4, +6 and +2.</P> <P>&nbsp;</P> <P>Likewise, sharing this screenshot for reference. In this case since those 85 alerts were for the same file/activity/behavior, hence instead of triggering 85 alerts it mentions about the related alerts from the last hour.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PiyushKohli_0-1697022546894.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54324iA3244533233072F4/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="PiyushKohli_0-1697022546894.png" alt="PiyushKohli_0-1697022546894.png" /></span></P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>&nbsp;</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> Wed, 11 Oct 2023 11:13:47 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/malware-scan-results-vs-alerts-created/m-p/561259#M5318 PiyushKohli 2023-10-11T11:13:47Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/malware-scan-results-vs-alerts-created/m-p/561287#M5319 <P>Oh okay, thank you that helps!<BR /><BR />Do you see any pitfalls of not being able to see all referenced 19 malicious files in that moment, although they somehow share similar behavior/characteristics? My worry is essentially not getting the full picture during the response/remediation phase.</P> <P>&nbsp;</P> <P>Kind Regards,</P> <P>Bojan</P> Wed, 11 Oct 2023 14:04:43 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/malware-scan-results-vs-alerts-created/m-p/561287#M5319 Bojan-Totic 2023-10-11T14:04:43Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/malware-scan-results-vs-alerts-created/m-p/561288#M5320 <P>Hey Abraham,</P> <P>&nbsp;</P> <P>Thanks for the response. Clearing the filter and adding the host does not show all 19 files. I believe the deduplication period that Piyush mentioned makes sense!<BR /><BR />Appreciate your time.</P> <P>&nbsp;</P> <P>Kind Regards,</P> <P>Bojan</P> Wed, 11 Oct 2023 14:12:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/malware-scan-results-vs-alerts-created/m-p/561288#M5320 Bojan-Totic 2023-10-11T14:12:41Z