<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Interpreting alerts on XDR in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/interpreting-alerts-on-xdr/m-p/1219836#M7857</link>
    <description>&lt;P&gt;From the alert info you provided, it seems the DLL is "Detected (Scanned)", which means it was either found during a periodic scan or a user-initiated scan. Since it is a DLL, it won't be quarantined. It is detected by the Local Analysis module, so if you want to allow this DLL when it is actually loaded into a process, then you can either add its hash to the allow list or add a legacy agent exception on the PE and DLL examination module and then select either the signer of the DLL or the DLL path. You can also add a disable prevention rule so that you get the alert but the DLL is still allowed to run on the endpoint.&lt;/P&gt;
&lt;P&gt;Also, since it is scanned, the alert will have many empty fields. When you run the relevant application and this DLL is loaded, then it would provide all details such as the causality graph, the signers and the API calls performed, and so on, in the causality view. Hope I covered a few things that could help.&lt;/P&gt;</description>
    <pubDate>Sat, 08 Feb 2025 14:59:16 GMT</pubDate>
    <dc:creator>Fm12345</dc:creator>
    <dc:date>2025-02-08T14:59:16Z</dc:date>
    <item>
      <title>Interpreting alerts on XDR</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/interpreting-alerts-on-xdr/m-p/1219609#M7847</link>
      <description>&lt;P&gt;Hi, the alerts on XDR are very rigid and not readable even to the support personnel; whenever I raise a case they keep checking with other teams and higher support levels to get details. For example, how to interpret the below? It says suspicious DLL detected; however, many of these DLLs are part of known applications and are intact. How do I identify the reason XDR is saying suspicious?&lt;/P&gt;
&lt;P&gt;27/01/2025 09:01:04.000 XABCN N/A Medium No XDR Agent Detected (Scanned) Malware Local Analysis Malware Suspicious DLL detected N/A N/A N/A D:\FNFC Data\Desktop\P1\Example.dll No No DS:PANW/XDR Agent, EG:-&lt;/P&gt;
&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Thu, 06 Feb 2025 07:28:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/interpreting-alerts-on-xdr/m-p/1219609#M7847</guid>
      <dc:creator>M.Almosawi</dc:creator>
      <dc:date>2025-02-06T07:28:03Z</dc:date>
    </item>
    <item>
      <title>Re: Interpreting alerts on XDR</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/interpreting-alerts-on-xdr/m-p/1219836#M7857</link>
      <description>&lt;P&gt;From the alert info you provided, it seems the DLL is "Detected (Scanned)", which means it was either found during a periodic scan or a user-initiated scan. Since it is a DLL, it won't be quarantined. It is detected by the Local Analysis module, so if you want to allow this DLL when it is actually loaded into a process, then you can either add its hash to the allow list or add a legacy agent exception on the PE and DLL examination module and then select either the signer of the DLL or the DLL path. You can also add a disable prevention rule so that you get the alert but the DLL is still allowed to run on the endpoint.&lt;/P&gt;
&lt;P&gt;Also, since it is scanned, the alert will have many empty fields. When you run the relevant application and this DLL is loaded, then it would provide all details such as the causality graph, the signers and the API calls performed, and so on, in the causality view. Hope I covered a few things that could help.&lt;/P&gt;</description>
      <pubDate>Sat, 08 Feb 2025 14:59:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/interpreting-alerts-on-xdr/m-p/1219836#M7857</guid>
      <dc:creator>Fm12345</dc:creator>
      <dc:date>2025-02-08T14:59:16Z</dc:date>
    </item>
  </channel>
</rss>

