Masquerading - 4203898100

AvinashAddala — Thu, 11 Apr 2024 19:12:23 GMT

Hi Team,

We had received a High incident while running a malware scan, it is Masquerading - 4203898100, where the filezilla.exe application is detected as malicious and is blocked by the XDR. We observed that the endpoint is in disconnected state then also the similar incidents triggered with the same endpoint.

My query is that why it is triggering multiple times, even though the file has been blocked and prevented by XDR, also when the device is in the disconnected state. We already received like 3 duplicate incidents.

Re: Masquerading - 4203898100

jtalton — Tue, 16 Apr 2024 18:34:28 GMT

Hi AvinashAddala,

Each related artifact, even if coming from different hosts, UEBA users or Cloud resources etc. will be used to pull more alerts and add them under the same incident story. The Incident/Alerts are grouped because they share a related artifact or attributes (alert source, type, file hash, or time period).

Cortex uses ML for detection, incident grouping, and causality chaining of alerts that surface key artifacts such as users, IPs, and hosts and applies threat intelligence and malware sandboxing capabilities to understand assets that are impacted, and the context needed for an analyst to take appropriate action. Reference Incidents • Cortex XDR Prevent Administrator Guide

If you feel these malware scan Masquerading findings are a false positive, please generate a TSF file on an endpoint in question and open a support case that an engineer can review.

May I also suggest to bookmark the Cortex XDR Agent Releases TechDoc which provides an overview of new features and known issues per agent release.

Thank you

topic Masquerading - 4203898100 in Cortex XDR Discussions

Masquerading - 4203898100

Re: Masquerading - 4203898100