Cortex XDR flagged malicious macros

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cortex XDR flagged malicious macros

L0 Member


Hi team
Cortex XDR keeps generates hundreds of alerts due to suspicious macro detected in my network. 
Severity : High
Alert Source : XDR Agent
Action : Detected (Post Detected)

Category : Malware
Extensions : .xls .tmp .xlt  .xar

Seems Cortex deletes all kind of files that has macros , but in reality those are not malicious. 

"alerts_table": {
"alert_json": {
"action_country": [
"UNKNOWN"
],
"action_file_extension": [
".xls"
],
"action_file_name": [
"5406272E.xls"
],
"action_file_path": [
"C:\\Users\\XXXXX\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.MSO\\5406272E.xls"
],
"action_file_sha256": [
"b765f574a58676191bfdd5876ba7fc41d749197b9b8d1d48381bd8b057a8aa40"
],
"action_process_signature_status": [
"SIGNATURE_UNAVAILABLE"
],
"actor_effective_username": [
"N/A"
],
"actor_process_signature_status": [
"SIGNATURE_UNAVAILABLE"
],
"agent_data_collection_status": false,
"agent_device_domain": "XXXX",
"agent_fqdn": "XXXXXX",
"agent_hostname": "XXXXXX",
"agent_id": "9d0d8ee73cfc4be39ce6a3dde57ddfcb",
"agent_ip_addresses": [

],
"agent_is_vdi": false,
"agent_os_sub_type": "10.0.19045",
"agent_os_type": "AGENT_OS_WINDOWS",
"agent_version": "8.2.1.47908",
"alert_action_status": "POST_DETECTED",
"alert_category": "Malware",
"alert_description": "Suspicious macro detected",
"alert_ingest_status": "READY",
"alert_is_fp": false,
"alert_name": "WildFire Malware",
"alert_source": "TRAPS",
"alert_type": "Unclassified",
"association_strength": [
50
],

1 accepted solution

Accepted Solutions

L4 Transporter

Hello All,

Thanks for reaching out on LiveCommunity!

 

The hit was due to Wildfire Verdict which uses Machine Learning to analyze the file. Our Team has investigated the issue and changed the verdict to Benign: The sample is safe and does not exhibit malicious behavior.

 

Verdicts that you suspect are either false positives or false negatives can be submitted to the Palo Alto Networks threat team for additional analysis via Support Case or reaching out to SE.

 

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

 

Ashutosh Patil

View solution in original post

5 REPLIES 5

L0 Member

HI,

From my part, I have experienced the same issue in various tenants where alerts are triggered by WildFire, as it has classified a malicious macro with the following hash:

9eec5eadef0a1883a2177e016ff2a0ddc9fd3cdb0549554043079b672a181228

I opened a support case this morning, but I have not received a response yet

 

Same here. I opened a case and still waiting for support. 

L0 Member

Same problem here, we are having this issue from 2 AM and still continue triggering the alerts

L2 Linker

I had the same issue and opened a case. Support told me yesterday that the macro is analysed again and that the verdict for the hash 9eec5eadef0a1883a2177e016ff2a0ddc9fd3cdb0549554043079b672a181228 was changed back to benign. I had no issues since Palo Alto changed the verdict to benign

L4 Transporter

Hello All,

Thanks for reaching out on LiveCommunity!

 

The hit was due to Wildfire Verdict which uses Machine Learning to analyze the file. Our Team has investigated the issue and changed the verdict to Benign: The sample is safe and does not exhibit malicious behavior.

 

Verdicts that you suspect are either false positives or false negatives can be submitted to the Palo Alto Networks threat team for additional analysis via Support Case or reaching out to SE.

 

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

 

Ashutosh Patil
  • 1 accepted solution
  • 976 Views
  • 5 replies
  • 4 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!