This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Malware Scan Results Vs Alerts Created

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Malware Scan Results Vs Alerts Created

Go to solution
Bojan-Totic
L1 Bithead

‎10-10-2023 03:33 PM

Hi,

I'm just wondering if someone can help me understand, why  the results of a malware scan (i.e. 19 malicious files found) doesn't reflect the amount of alerts created. I'd assume there would be 19 malicious files as stated, with an alert for each?

 

As you can see in the example below, the scan yielded 19 malicious files in the results:

BojanTotic_1-1696977019013.png

When I click on show alerts, it takes me to the below screenshot.. but all I see is 8 alerts about 7 files.

Should there be more alerts specific to each malicious files found? And if not, where would I ensure that all 19 files are accounted for in a trigger?

BojanTotic_2-1696977165798.png

 

Thanks for the help in advance!

Bojan

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
PiyushKohli
L4 Transporter

‎10-11-2023 04:13 AM

Hi @Bojan-Totic 

 

This is expected, because of deduplication period i.e. The amount of time in which additional alerts for the same activity or behavior are suppressed before Cortex XDR raises another alert and this is avoid flooding with so many alerts. Therefore in the alert triggered it shows number of time similar activity/alert triggered. As can be seen from your screenshot +4, +6 and +2.

 

Likewise, sharing this screenshot for reference. In this case since those 85 alerts were for the same file/activity/behavior, hence instead of triggering 85 alerts it mentions about the related alerts from the last hour.

PiyushKohli_0-1697022546894.png

 

Hope this helps!

 

Please mark the response as "Accept as Solution" if it answers your query.

View solution in original post

4 REPLIES 4

Go to solution
abdrahman
L3 Networker

‎10-10-2023 06:47 PM

Hello @Bojan-Totic 

 

Thank you for reaching out to the Live Community. I see in the second screenshot there is a filter applied, could you please try to change search field as host and see if you are able to see all the alerts for 19 files as seen in the first screenshot? Please let us know if this resolves our issue. Thank you. 

 

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

0 Likes Likes

Go to solution
PiyushKohli
L4 Transporter

‎10-11-2023 04:13 AM

Hi @Bojan-Totic 

 

This is expected, because of deduplication period i.e. The amount of time in which additional alerts for the same activity or behavior are suppressed before Cortex XDR raises another alert and this is avoid flooding with so many alerts. Therefore in the alert triggered it shows number of time similar activity/alert triggered. As can be seen from your screenshot +4, +6 and +2.

 

Likewise, sharing this screenshot for reference. In this case since those 85 alerts were for the same file/activity/behavior, hence instead of triggering 85 alerts it mentions about the related alerts from the last hour.

PiyushKohli_0-1697022546894.png

 

Hope this helps!

 

Please mark the response as "Accept as Solution" if it answers your query.

Go to solution
Bojan-Totic
L1 Bithead
In response to PiyushKohli

‎10-11-2023 07:04 AM

Oh okay, thank you that helps!

Do you see any pitfalls of not being able to see all referenced 19 malicious files in that moment, although they somehow share similar behavior/characteristics? My worry is essentially not getting the full picture during the response/remediation phase.

 

Kind Regards,

Bojan

0 Likes Likes

Go to solution
Bojan-Totic
L1 Bithead
In response to abdrahman

‎10-11-2023 07:12 AM

Hey Abraham,

 

Thanks for the response. Clearing the filter and adding the host does not show all 19 files. I believe the deduplication period that Piyush mentioned makes sense!

Appreciate your time.

 

Kind Regards,

Bojan

0 Likes Likes
  • 1 accepted solution
  • 987 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks