02-28-2024 06:51 AM
Hi team
Cortex XDR keeps generates hundreds of alerts due to suspicious macro detected in my network.
Severity : High
Alert Source : XDR Agent
Action : Detected (Post Detected)
Seems Cortex deletes all kind of files that has macros , but in reality those are not malicious.
"alerts_table": {
"alert_json": {
"action_country": [
"UNKNOWN"
],
"action_file_extension": [
".xls"
],
"action_file_name": [
"5406272E.xls"
],
"action_file_path": [
"C:\\Users\\XXXXX\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.MSO\\5406272E.xls"
],
"action_file_sha256": [
"b765f574a58676191bfdd5876ba7fc41d749197b9b8d1d48381bd8b057a8aa40"
],
"action_process_signature_status": [
"SIGNATURE_UNAVAILABLE"
],
"actor_effective_username": [
"N/A"
],
"actor_process_signature_status": [
"SIGNATURE_UNAVAILABLE"
],
"agent_data_collection_status": false,
"agent_device_domain": "XXXX",
"agent_fqdn": "XXXXXX",
"agent_hostname": "XXXXXX",
"agent_id": "9d0d8ee73cfc4be39ce6a3dde57ddfcb",
"agent_ip_addresses": [
],
"agent_is_vdi": false,
"agent_os_sub_type": "10.0.19045",
"agent_os_type": "AGENT_OS_WINDOWS",
"agent_version": "8.2.1.47908",
"alert_action_status": "POST_DETECTED",
"alert_category": "Malware",
"alert_description": "Suspicious macro detected",
"alert_ingest_status": "READY",
"alert_is_fp": false,
"alert_name": "WildFire Malware",
"alert_source": "TRAPS",
"alert_type": "Unclassified",
"association_strength": [
50
],
02-29-2024 03:39 AM
Hello All,
Thanks for reaching out on LiveCommunity!
The hit was due to Wildfire Verdict which uses Machine Learning to analyze the file. Our Team has investigated the issue and changed the verdict to Benign: The sample is safe and does not exhibit malicious behavior.
Verdicts that you suspect are either false positives or false negatives can be submitted to the Palo Alto Networks threat team for additional analysis via Support Case or reaching out to SE.
If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.
02-28-2024 07:12 AM
HI,
From my part, I have experienced the same issue in various tenants where alerts are triggered by WildFire, as it has classified a malicious macro with the following hash:
9eec5eadef0a1883a2177e016ff2a0ddc9fd3cdb0549554043079b672a181228
I opened a support case this morning, but I have not received a response yet
02-28-2024 07:14 AM
Same here. I opened a case and still waiting for support.
02-28-2024 07:22 AM
Same problem here, we are having this issue from 2 AM and still continue triggering the alerts
02-29-2024 01:54 AM - edited 02-29-2024 01:55 AM
I had the same issue and opened a case. Support told me yesterday that the macro is analysed again and that the verdict for the hash 9eec5eadef0a1883a2177e016ff2a0ddc9fd3cdb0549554043079b672a181228 was changed back to benign. I had no issues since Palo Alto changed the verdict to benign
02-29-2024 03:39 AM
Hello All,
Thanks for reaching out on LiveCommunity!
The hit was due to Wildfire Verdict which uses Machine Learning to analyze the file. Our Team has investigated the issue and changed the verdict to Benign: The sample is safe and does not exhibit malicious behavior.
Verdicts that you suspect are either false positives or false negatives can be submitted to the Palo Alto Networks threat team for additional analysis via Support Case or reaching out to SE.
If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
