10-10-2023 03:33 PM
Hi,
I'm just wondering if someone can help me understand why the results of a malware scan (i.e. 19 malicious files found) don't reflect the number of alerts created. I'd assume there would be 19 malicious files, as stated, with an alert for each?
As you can see in the example below, the scan yielded 19 malicious files in the results:
When I click on "show alerts", it takes me to the screenshot below, but all I see is 8 alerts about 7 files.
Should there be more alerts specific to each malicious file found? And if not, where would I ensure that all 19 files are accounted for in a trigger?
Thanks for the help in advance!
Bojan
10-11-2023 04:13 AM
Hi @Bojan-Totic
This is expected because of the deduplication period, i.e. the amount of time during which additional alerts for the same activity or behavior are suppressed before Cortex XDR raises another alert; this avoids flooding you with too many alerts. Therefore the triggered alert shows the number of times similar activity/alerts were triggered, as can be seen from your screenshot: +4, +6 and +2.
Likewise, sharing this screenshot for reference. In this case, since those 85 alerts were for the same file/activity/behavior, instead of triggering 85 alerts it mentions the related alerts from the last hour.
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
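To make the deduplication behaviour described above concrete, here is an added example (not code from the original post, and not Cortex XDR's own implementation): a toy model in which file detections sharing the same host and behavior within a dedup window are folded into one raised alert and surface as a "+N" related count, plus a check that every file from the scan is still reachable through the raised alerts. The one-hour window, the grouping key (host, behavior), the host name and the 19 file paths are all constructed assumptions for illustration.

```python
"""Toy model of alert deduplication: detections with the same (host, behavior)
inside a dedup window are folded into one alert and shown as '+N' related.
Constructed example; not the product's actual grouping logic."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

DEDUP_WINDOW = timedelta(hours=1)  # assumed window; the real value is product-configured


@dataclass
class FileEvent:
    ts: datetime
    host: str
    behavior: str   # detection category used as the grouping key (assumption)
    path: str
    sha256: str


@dataclass
class Alert:
    first_seen: datetime
    host: str
    behavior: str
    files: list     # every FileEvent folded into this alert, first one included

    @property
    def related_count(self) -> int:
        """The '+N' shown on the alert: events suppressed into it after the first."""
        return len(self.files) - 1

    def label(self) -> str:
        extra = f" +{self.related_count}" if self.related_count else ""
        return f"{self.behavior} on {self.host}{extra}"


def deduplicate(events, window=DEDUP_WINDOW):
    """Raise one alert per (host, behavior); fold later events into it while they
    fall inside `window` of that alert's first event, otherwise raise a new one."""
    open_alerts = {}   # (host, behavior) -> most recent Alert for that key
    raised = []
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.host, e.behavior)
        cur = open_alerts.get(key)
        if cur is not None and e.ts - cur.first_seen < window:
            cur.files.append(e)          # suppressed: counted as related, not raised
        else:
            cur = Alert(e.ts, e.host, e.behavior, [e])
            open_alerts[key] = cur
            raised.append(cur)
    return raised


def files_accounted_for(alerts):
    """Every file path reachable through the raised alerts, folded events included."""
    return {f.path for a in alerts for f in a.files}


def unaccounted(scan_results, alerts):
    """Scan hits that no alert (raised or related) references; should be empty."""
    return {e.path for e in scan_results} - files_accounted_for(alerts)


_BASE = datetime(2023, 10, 10, 14, 0)


def _ev(minute, behavior, path):
    # Constructed sample event on a single host; hash derived from the path for determinism.
    return FileEvent(_BASE + timedelta(minutes=minute), "ws-01", behavior, path,
                     hashlib.sha256(path.encode()).hexdigest())


# Constructed scan result: 19 malicious files on one host (not real data).
SCAN_RESULTS = (
    [_ev(m, "Malware", rf"C:\Users\bob\Downloads\sample{m}.exe") for m in range(7)]
    + [_ev(2 * i, "Suspicious Script", rf"C:\Temp\stage{i}.ps1") for i in range(5)]
    + [_ev(2 * i + 1, "Dropper", rf"C:\ProgramData\drop{i}.dll") for i in range(3)]
    + [_ev(10, "Credential Theft", r"C:\Temp\dump.bin")]
    # Same behavior again, but more than an hour after the first Malware alert: new alert.
    + [_ev(70 + 2 * i, "Malware", rf"C:\Users\bob\AppData\late{i}.exe") for i in range(3)]
)

if __name__ == "__main__":
    alerts = deduplicate(SCAN_RESULTS)
    print(f"{len(SCAN_RESULTS)} scan hits -> {len(alerts)} raised alerts")
    for a in alerts:
        print(" ", a.label())
    print("unaccounted:", unaccounted(SCAN_RESULTS, alerts))
```

Run as written, the 19 constructed hits collapse to 5 raised alerts (one Malware alert with +6, a second Malware alert with +2 because its first file arrived after the window had elapsed, Suspicious Script +4, Dropper +2, and a single Credential Theft alert), while `unaccounted()` returns an empty set: during remediation, expand each alert's related events rather than counting only the top-level alerts.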
10-10-2023 06:47 PM
Hello @Bojan-Totic
Thank you for reaching out to the Live Community. I see in the second screenshot there is a filter applied. Could you please try changing the search field to host and see if you are able to see all the alerts for the 19 files shown in the first screenshot? Please let us know if this resolves your issue. Thank you.
If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.
10-11-2023 07:04 AM
Oh okay, thank you that helps!
Do you see any pitfalls in not being able to see all 19 referenced malicious files at that moment, even though they somehow share similar behavior/characteristics? My worry is essentially not getting the full picture during the response/remediation phase.
Kind Regards,
Bojan
10-11-2023 07:12 AM
Hey Abraham,
Thanks for the response. Clearing the filter and adding the host does not show all 19 files. I believe the deduplication period that Piyush mentioned makes sense!
Appreciate your time.
Kind Regards,
Bojan