https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wildfire-malware-alert/m-p/563094#M5423 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/317230">@nithin.k</a>&nbsp;,</P> <P>&nbsp;</P> <P>This is to be expected given the deduplication period, which is the amount of time Cortex XDR waits before raising another warning for the same activity or behavior in order to prevent an alert overload. As a result, the alert triggered displays the frequency of comparable activity or alert triggering.</P> <P>&nbsp;</P> <P>I'm also sending this screenshot in case it helps. In this instance, the alert system highlights the relevant alerts from the previous hour rather than raising 85 alarms because those 85 warnings were for the same file, activity, or conduct.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dbahuguna_0-1698224144381.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54665iE766F0CE81759C54/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="dbahuguna_0-1698224144381.png" alt="dbahuguna_0-1698224144381.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>&nbsp;</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> Wed, 25 Oct 2023 10:04:52 GMT dbahuguna 2023-10-25T10:04:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wildfire-malware-alert/m-p/562375#M5382 <P>Hi,</P> <P>&nbsp;</P> <P>For testing purpose, i triggered an incident by trying to execute a malicious file. The execution was successfully blocked and a "Wildfire Malware" alert was created in XDR.</P> <P>&nbsp;</P> <P>I tried executing the file once more. The execution was blocked again, but this time alert was not created in XDR.</P> <P>&nbsp;</P> <P>What could be the reason?</P> <P>&nbsp;</P> <P>I checked the "Events" section under the XDR agent tray icon in the endpoint. There i am able to see an event for the execution. But in XDR alert is not generating.</P> <P>&nbsp;</P> <P>Kindly help.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Nithin</P> Thu, 19 Oct 2023 09:03:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wildfire-malware-alert/m-p/562375#M5382 nithin.k 2023-10-19T09:03:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wildfire-malware-alert/m-p/562408#M5385 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/317230">@nithin.k</a>&nbsp;,</P> <P>&nbsp;</P> <P>This is the functionality of Cortex XDR, it will not generate a new incident for the same alert type or file run from the same location. However, you will see another alert added to the same incident generated.</P> <P>&nbsp;</P> <P><SPAN>Moreover, as this is with respect to an incident handling with which if you require more assistance or in order to investigate it further, as this is a public discussion forum my suggestion would be to refer to your Customer Success team or TAC by opening a ticket through our&nbsp;<A href="https://support.paloaltonetworks.com/Support/Index" target="_blank" rel="nofollow noopener noreferrer">support portal</A></SPAN></P> <P>&nbsp;</P> <P>Feel free to write back if you have further query.</P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> Thu, 19 Oct 2023 12:49:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wildfire-malware-alert/m-p/562408#M5385 dbahuguna 2023-10-19T12:49:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wildfire-malware-alert/m-p/562426#M5387 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/317230">@nithin.k</a>&nbsp;</P> <P>&nbsp;</P> <P>Similar query was posted on LC few days back and as shared by&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/221362">@dbahuguna</a>&nbsp;this is because of deduplication XDR won't<SPAN>&nbsp;not generate a new incident for the same alert type or file run from the same location</SPAN>.</P> <P>&nbsp;</P> <P>You may refer to this <A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/malware-scan-results-vs-alerts-created/m-p/561259#M5318" target="_self">Post</A> for info around the same.</P> <P>&nbsp;</P> <P>Feel free to write back if you have further query.</P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> Thu, 19 Oct 2023 13:56:32 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wildfire-malware-alert/m-p/562426#M5387 PiyushKohli 2023-10-19T13:56:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wildfire-malware-alert/m-p/562517#M5389 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/221362">@dbahuguna</a>&nbsp;,</P> <P>&nbsp;</P> <P>I didn't ask about incident.</P> <P>&nbsp;</P> <P>If you can see my query again, i was asking about alerts. The second time execution of the same malware file didn't trigger an alert in XDR. That is my query.</P> <P>&nbsp;</P> <P>The execution was successfully blocked by XDR agent but alert was not generated in XDR. That is the problem here.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Nithin</P> Fri, 20 Oct 2023 05:57:20 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wildfire-malware-alert/m-p/562517#M5389 nithin.k 2023-10-20T05:57:20Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wildfire-malware-alert/m-p/563094#M5423 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/317230">@nithin.k</a>&nbsp;,</P> <P>&nbsp;</P> <P>This is to be expected given the deduplication period, which is the amount of time Cortex XDR waits before raising another warning for the same activity or behavior in order to prevent an alert overload. As a result, the alert triggered displays the frequency of comparable activity or alert triggering.</P> <P>&nbsp;</P> <P>I'm also sending this screenshot in case it helps. In this instance, the alert system highlights the relevant alerts from the previous hour rather than raising 85 alarms because those 85 warnings were for the same file, activity, or conduct.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dbahuguna_0-1698224144381.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54665iE766F0CE81759C54/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="dbahuguna_0-1698224144381.png" alt="dbahuguna_0-1698224144381.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>&nbsp;</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> Wed, 25 Oct 2023 10:04:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wildfire-malware-alert/m-p/563094#M5423 dbahuguna 2023-10-25T10:04:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wildfire-malware-alert/m-p/563101#M5425 <P>Thank you&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/221362">@dbahuguna</a>&nbsp;</P> Wed, 25 Oct 2023 10:14:40 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/wildfire-malware-alert/m-p/563101#M5425 nithin.k 2023-10-25T10:14:40Z