https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/false-positive-issue-multiple-windows-system-processes-flagged/m-p/1235619#M8635 <P>Hi Yonghui_Yang,&nbsp;</P> <P>&nbsp;</P> <P>there can be several reasons why you get triggered those alerts.&nbsp;</P> <P>&nbsp;</P> <P>Maybe legit executables changed name or location ?&nbsp;</P> <P>Maybe legit execs trying to perform suspicious activity even though they were executed from original legit folder and names, but our analytics detect it as something suspicious.&nbsp;</P> <P>&nbsp;</P> <P>2 things can be done if none of the former.</P> <OL class="lia-list-style-type-upper-alpha"> <LI>&nbsp;</LI> </OL> <OL> <LI>Alert Tunning so you prevent many false positive flooding. I can recommend 2 webinars even though they are a bit aged: <OL> <LI><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-series-part-1-alert-tuning/ta-p/584842/redirect_from_archived_page/true" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-series-part-1-alert-tuning/ta-p/584842/redirect_from_archived_page/true</A></LI> <LI><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-series-part-2-alert-tuning/ta-p/588312" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-series-part-2-alert-tuning/ta-p/588312</A></LI> </OL> </LI> <LI>Automated actions as response to alerts, also called simple automation rules:<BR /><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-simple-automation-rules/ta-p/568454" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-simple-automation-rules/ta-p/568454</A></LI> <LI>Open a TAC support case if none of the former works</LI> </OL> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</P> <P>&nbsp;</P> <P>KR,</P> <P>Luis</P> Thu, 07 Aug 2025 15:34:55 GMT eluis 2025-08-07T15:34:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/false-positive-issue-multiple-windows-system-processes-flagged/m-p/1235586#M8632 <P class="whitespace-normal break-words">Hello everyone,</P> <P class="whitespace-normal break-words">I'm experiencing ongoing false positive alerts with Cortex XDR that are affecting multiple endpoints in our environment. I'm seeking guidance on how to properly address this issue.</P> <P class="whitespace-normal break-words"><STRONG>Environment Information:</STRONG></P> <UL class="[&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-disc space-y-1.5 pl-7"> <LI class="whitespace-normal break-words">Cortex XDR Agent Version: 8.6.0.3704</LI> <LI class="whitespace-normal break-words">Operating System: Windows 10 64-bit</LI> <LI class="whitespace-normal break-words">Issue Scope: All endpoints in the environment</LI> </UL> <P class="whitespace-normal break-words"><STRONG>Problem Description:</STRONG> We're getting consistent false positive alerts for the following legitimate Windows system processes across all our Windows 10 machines:</P> <UL class="[&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-disc space-y-1.5 pl-7"> <LI class="whitespace-normal break-words">Sihost.exe (Shell Infrastructure Host)</LI> <LI class="whitespace-normal break-words">PhoneExperienceHost.exe</LI> <LI class="whitespace-normal break-words">RuntimeBroker.exe</LI> <LI class="whitespace-normal break-words">StartMenuExperienceHost.exe</LI> <LI class="whitespace-normal break-words">backgroundTaskHost.exe</LI> <LI class="whitespace-normal break-words">SearchApp.exe</LI> <LI class="whitespace-normal break-words">BackgroundTransferHost.exe</LI> <LI class="whitespace-normal break-words">TextInputHost.exe</LI> <LI class="whitespace-normal break-words">HxTsr.exe</LI> </UL> <P class="whitespace-normal break-words">These alerts are occurring continuously and affecting our entire fleet of endpoints.</P> <P class="whitespace-normal break-words"><STRONG>Questions:</STRONG></P> <OL class="[&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-decimal space-y-1.5 pl-7"> <LI class="whitespace-normal break-words">Is this a known issue with Agent Version 8.6.0.3704 on Windows 10?</LI> <LI class="whitespace-normal break-words">What's the recommended approach to create exceptions for these legitimate Windows processes?</LI> <LI class="whitespace-normal break-words">Are there any planned updates to address these false positives?</LI> <LI class="whitespace-normal break-words">Should I report this through official support channels as well?</LI> </OL> <P class="whitespace-normal break-words">Any guidance or similar experiences shared would be greatly appreciated. These false positives are creating alert fatigue and potentially masking real threats.</P> <P class="whitespace-normal break-words">Thank you for your assistance.</P> <P class="whitespace-normal break-words"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2025-08-07_150647.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68791i2E420643C0441903/image-size/large?v=v2&amp;px=999" role="button" title="2025-08-07_150647.jpg" alt="2025-08-07_150647.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2025-08-07_150548.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68790iE133899E409CED8B/image-size/large?v=v2&amp;px=999" role="button" title="2025-08-07_150548.jpg" alt="2025-08-07_150548.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2025-08-07_150235.jpg" style="width: 947px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68789i61A6B7C85ADFFC88/image-size/large?v=v2&amp;px=999" role="button" title="2025-08-07_150235.jpg" alt="2025-08-07_150235.jpg" /></span></P> Thu, 07 Aug 2025 07:43:36 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/false-positive-issue-multiple-windows-system-processes-flagged/m-p/1235586#M8632 Yonghui_Yang 2025-08-07T07:43:36Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/false-positive-issue-multiple-windows-system-processes-flagged/m-p/1235619#M8635 <P>Hi Yonghui_Yang,&nbsp;</P> <P>&nbsp;</P> <P>there can be several reasons why you get triggered those alerts.&nbsp;</P> <P>&nbsp;</P> <P>Maybe legit executables changed name or location ?&nbsp;</P> <P>Maybe legit execs trying to perform suspicious activity even though they were executed from original legit folder and names, but our analytics detect it as something suspicious.&nbsp;</P> <P>&nbsp;</P> <P>2 things can be done if none of the former.</P> <OL class="lia-list-style-type-upper-alpha"> <LI>&nbsp;</LI> </OL> <OL> <LI>Alert Tunning so you prevent many false positive flooding. I can recommend 2 webinars even though they are a bit aged: <OL> <LI><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-series-part-1-alert-tuning/ta-p/584842/redirect_from_archived_page/true" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-series-part-1-alert-tuning/ta-p/584842/redirect_from_archived_page/true</A></LI> <LI><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-series-part-2-alert-tuning/ta-p/588312" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-xdr-customer-success-webinar-series-part-2-alert-tuning/ta-p/588312</A></LI> </OL> </LI> <LI>Automated actions as response to alerts, also called simple automation rules:<BR /><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-simple-automation-rules/ta-p/568454" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-simple-automation-rules/ta-p/568454</A></LI> <LI>Open a TAC support case if none of the former works</LI> </OL> <P>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</P> <P>&nbsp;</P> <P>KR,</P> <P>Luis</P> Thu, 07 Aug 2025 15:34:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/false-positive-issue-multiple-windows-system-processes-flagged/m-p/1235619#M8635 eluis 2025-08-07T15:34:55Z