topic Re: A question from the Malware Pack v2 webinar: Misclassification rate in Cortex XSOAR Discussions https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/a-question-from-the-malware-pack-v2-webinar-misclassification/m-p/523503#M1502 <P><SPAN>A reply by:&nbsp;@ssokolovich &amp; <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163552">@bkatzir</a></SPAN></P> <P><SPAN>The investigation flow is not only relying on sandbox/VT information but also on additional activities that occurred in the environment, such as additional alerts, hunting queries, etc. Moreover, all this information is populated to the incident layout for the analyst to review before determining if the alert is False/True positive.</SPAN></P> Wed, 07 Dec 2022 15:59:01 GMT rtsedaka 2022-12-07T15:59:01Z A question from the Malware Pack v2 webinar: Misclassification rate https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/a-question-from-the-malware-pack-v2-webinar-misclassification/m-p/523502#M1501 <P><SPAN>How do you address the extremely high misclassification rate of both file detonation (any semi-sophisticated malware won't divulge any information in a sandbox) as well as the high misclassification by Virustotal (both FP and TP)?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Note: This question was asked as part of <A id="link_9" class="page-link lia-link-navigation lia-custom-event" href="https://live.paloaltonetworks.com/t5/customer-success-webinars/cortex-xsoar-customer-success-webinar-malware-investigation-amp/ta-p/523004" target="_blank">Cortex XSOAR Customer Success Webinar: Malware Investigation &amp; Response V2&nbsp;</A></SPAN></P> Wed, 07 Dec 2022 15:56:53 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/a-question-from-the-malware-pack-v2-webinar-misclassification/m-p/523502#M1501 rtsedaka 2022-12-07T15:56:53Z Re: A question from the Malware Pack v2 webinar: Misclassification rate https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/a-question-from-the-malware-pack-v2-webinar-misclassification/m-p/523503#M1502 <P><SPAN>A reply by:&nbsp;@ssokolovich &amp; <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163552">@bkatzir</a></SPAN></P> <P><SPAN>The investigation flow is not only relying on sandbox/VT information but also on additional activities that occurred in the environment, such as additional alerts, hunting queries, etc. Moreover, all this information is populated to the incident layout for the analyst to review before determining if the alert is False/True positive.</SPAN></P> Wed, 07 Dec 2022 15:59:01 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/a-question-from-the-malware-pack-v2-webinar-misclassification/m-p/523503#M1502 rtsedaka 2022-12-07T15:59:01Z