How to Query WildFire Malware Prevention Events Not Generated as Issues

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to Query WildFire Malware Prevention Events Not Generated as Issues

L1 Bithead

Hello

We are currently operating approximately 4,800 agents. During the initial deployment, a large number of false positives were generated by WildFire Malware events, so we applied an exception to prevent these events from being generated as Issues.

However, we have recently received user reports of cases suspected to be blocked by this policy, but the related events are not visible in Issues or Alerts.
In addition, we are unable to find the relevant events when querying with XQL using conditions such as dataset = issues or dataset = alerts.

Re-enabling WildFire Malware event detection as Issues may result in a significant increase in false positives and create operational management challenges. Therefore, we would like to know if there is a way to maintain the current configuration while still being able to review the block history or related events.

Could you please advise whether there is a specific dataset or query method available to identify WildFire Malware Prevention events that were not promoted to Issues or Alerts?

1 REPLY 1

L5 Sessionator

Hello @.522643 ,

 

Greetings for the day.

 

When WildFire Malware events are suppressed using Alert Exclusions, they are hidden from the Alerts and Issues tables, but the agent continues to block the threat. These events can still be queried from the xdr_data dataset using XQL.

Note:
If a Legacy Agent Exception is used, the detection may not be generated at all, so no event will be available in any dataset.
 

WildFire Module IDs:

  • 38 – WildFire Malware Prevention (Portable Executables and DLLs)
  • 294 – WildFire analysis for Scripts, macOS, and Linux files
  • 298 – WildFire Post-Detection events

Sample XQL Query:

dataset = xdr_data 
| filter event_type = 1 // AgentSecurityEvent
| filter moduleId in (38, 294, 298)
| filter action_file_wildfire_verdict = 1 // 1 indicates a Malware verdict
| fields _time, agent_hostname, action_file_name, action_file_path, action_file_sha256, moduleId, action_file_wildfire_verdict
| sort desc _time
 

Alternative:

You can also review Agent Audit Logs for Terminate Process or Quarantine actions related to WildFire.

 

If No Results Are Returned:

  • Verify the event falls within your data retention period.
  • Confirm that a Legacy Agent Exception was not used, as it may prevent the event from being generated entirely.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar

  • 33 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!