https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/repeated-false-incidents-with-unknown-verdicts/m-p/1232311#M8468 <P data-start="186" data-end="198">Hi everyone,<BR /><BR /></P> <P data-start="200" data-end="330">I’m currently facing an issue with Cortex XDR where I regularly receive incidents flagged as suspicious,</P> <P>&nbsp;</P> <P data-start="384" data-end="410">This particular one shows:</P> <UL data-start="411" data-end="490"> <LI data-start="411" data-end="449"> <P data-start="413" data-end="449"><STRONG data-start="413" data-end="438">WF (WildFire) Verdict</STRONG>: <CODE data-start="440" data-end="449">Unknown</CODE></P> </LI> <LI data-start="450" data-end="490"> <P data-start="452" data-end="490"><STRONG data-start="452" data-end="471">VT (VirusTotal)</STRONG>: <CODE data-start="473" data-end="479">0/64</CODE> detections</P> </LI> </UL> <P data-start="492" data-end="844">Every week, I keep seeing similar incidents, often related to legitimate services or vendors (e.g., Tata CLiQ Luxury in this case), with no solid indication of malicious behavior. Since WildFire gives an "Unknown" verdict, I can't report it for reanalysis. And as the detection rate in VirusTotal is 0/64, there’s no strong indication of threat either.</P> <P data-start="846" data-end="862"><STRONG data-start="846" data-end="862">My concerns:</STRONG></P> <OL data-start="863" data-end="1226"> <LI data-start="863" data-end="958"> <P data-start="866" data-end="958">Is there a better way to handle these rather than manually creating exceptions for each one?</P> </LI> <LI data-start="959" data-end="1041"> <P data-start="962" data-end="1041">Can we automate the trust for such low-risk alerts based on certain conditions?</P> </LI> <LI data-start="1042" data-end="1155"> <P data-start="1045" data-end="1155">Are there any best practices that can help in reducing noise from such recurring false positives?</P> </LI> </OL> Mon, 23 Jun 2025 05:32:30 GMT V.R800240 2025-06-23T05:32:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/repeated-false-incidents-with-unknown-verdicts/m-p/1232311#M8468 <P data-start="186" data-end="198">Hi everyone,<BR /><BR /></P> <P data-start="200" data-end="330">I’m currently facing an issue with Cortex XDR where I regularly receive incidents flagged as suspicious,</P> <P>&nbsp;</P> <P data-start="384" data-end="410">This particular one shows:</P> <UL data-start="411" data-end="490"> <LI data-start="411" data-end="449"> <P data-start="413" data-end="449"><STRONG data-start="413" data-end="438">WF (WildFire) Verdict</STRONG>: <CODE data-start="440" data-end="449">Unknown</CODE></P> </LI> <LI data-start="450" data-end="490"> <P data-start="452" data-end="490"><STRONG data-start="452" data-end="471">VT (VirusTotal)</STRONG>: <CODE data-start="473" data-end="479">0/64</CODE> detections</P> </LI> </UL> <P data-start="492" data-end="844">Every week, I keep seeing similar incidents, often related to legitimate services or vendors (e.g., Tata CLiQ Luxury in this case), with no solid indication of malicious behavior. Since WildFire gives an "Unknown" verdict, I can't report it for reanalysis. And as the detection rate in VirusTotal is 0/64, there’s no strong indication of threat either.</P> <P data-start="846" data-end="862"><STRONG data-start="846" data-end="862">My concerns:</STRONG></P> <OL data-start="863" data-end="1226"> <LI data-start="863" data-end="958"> <P data-start="866" data-end="958">Is there a better way to handle these rather than manually creating exceptions for each one?</P> </LI> <LI data-start="959" data-end="1041"> <P data-start="962" data-end="1041">Can we automate the trust for such low-risk alerts based on certain conditions?</P> </LI> <LI data-start="1042" data-end="1155"> <P data-start="1045" data-end="1155">Are there any best practices that can help in reducing noise from such recurring false positives?</P> </LI> </OL> Mon, 23 Jun 2025 05:32:30 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/repeated-false-incidents-with-unknown-verdicts/m-p/1232311#M8468 V.R800240 2025-06-23T05:32:30Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/repeated-false-incidents-with-unknown-verdicts/m-p/1232347#M8472 <P>Hi&nbsp;V.R800240,</P> <P>&nbsp;</P> <P>There has to be a reason why SF did not answer with a verdict.&nbsp;</P> <P>Maybe there was a problem when trying to load the sample into sandbox, or sandbox could not execute the file....&nbsp;</P> <P>Further investigations should be make so please feel free to open a TAC support case.&nbsp;</P> <P>&nbsp;</P> <P>In the meantime you can add the hash to allow list to prevent the incidents to be opened, after TAC gives you a final solution, remember to clean your allow list from temporary hashes.&nbsp;</P> <P>&nbsp;</P> <DIV id="bodyDisplay_1" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P>Feel free to click on like the answer if this helped you.&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</P> <P>&nbsp;</P> <P>KR,&nbsp;</P> <P>Luis</P> </DIV> </DIV> <DIV class="lia-rating-metoo lia-component-me-too-solution lia-component-message-view-widget-me-too-solution">&nbsp;</DIV> Mon, 23 Jun 2025 13:47:03 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/repeated-false-incidents-with-unknown-verdicts/m-p/1232347#M8472 eluis 2025-06-23T13:47:03Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/repeated-false-incidents-with-unknown-verdicts/m-p/1232443#M8477 <P>Ok. Thanks for the update. I'll create a TAC case.</P> Tue, 24 Jun 2025 03:54:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/repeated-false-incidents-with-unknown-verdicts/m-p/1232443#M8477 V.R800240 2025-06-24T03:54:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/repeated-false-incidents-with-unknown-verdicts/m-p/1232478#M8479 <P>Hi again,&nbsp;</P> <P>I could not find on our labs a case in which we have unknown verdict.&nbsp;</P> <P>When you go to unknown verdict could you tweak it as grayware ? and then wait for a response from our analysts ?</P> <P>That might work too if you have the possibility while TAC is working on this</P> <DIV id="bodyDisplay_1" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P>Feel free to click on like the answer if this helped you.&nbsp;</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</P> <P>&nbsp;</P> <P>KR,&nbsp;</P> <P>Luis</P> </DIV> </DIV> <DIV class="lia-rating-metoo lia-component-me-too-solution lia-component-message-view-widget-me-too-solution">&nbsp;</DIV> Tue, 24 Jun 2025 13:13:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/repeated-false-incidents-with-unknown-verdicts/m-p/1232478#M8479 eluis 2025-06-24T13:13:02Z