04-11-2024 12:12 PM
Hi Team,
We received a High incident while running a malware scan. It is Masquerading - 4203898100, where the filezilla.exe application is detected as malicious and blocked by the XDR. We observed that the endpoint is in a disconnected state, yet similar incidents are still triggered for the same endpoint.
My query is why it is triggering multiple times, even though the file has been blocked and prevented by XDR, and also while the device is in the disconnected state. We have already received about 3 duplicate incidents.
04-16-2024 11:34 AM
Hi AvinashAddala,
Each related artifact, even if it comes from different hosts, UEBA users, Cloud resources, etc., will be used to pull more alerts and add them under the same incident story. The incidents/alerts are grouped because they share a related artifact or attributes (alert source, type, file hash, or time period).
Cortex uses ML for detection, incident grouping, and causality chaining of alerts that surface key artifacts such as users, IPs, and hosts, and applies threat intelligence and malware sandboxing capabilities to understand the assets that are impacted and the context an analyst needs to take appropriate action. Reference: Incidents, Cortex XDR Prevent Administrator Guide.
If you feel these malware scan Masquerading findings are a false positive, please generate a TSF file on the endpoint in question and open a support case so that an engineer can review it.
May I also suggest bookmarking the Cortex XDR Agent Releases TechDoc, which provides an overview of new features and known issues per agent release.
Thank you
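To illustrate the artifact-based grouping the reply describes, here is an added example (not Cortex XDR's own logic and not from either post): a simplified union-find that merges alerts sharing a file hash, or sharing host, alert source and alert type within a time window, into one incident, plus a count of how often a blocked hash is detected again. The alerts, hostnames and hashes are constructed placeholders, the grouping rule and the assumption that a blocked file remaining on disk is re-detected by each scan are simplifications, and each alert is assumed to carry its original detection timestamp even if uploaded after the endpoint reconnects.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not from the thread); hashes and ids are placeholders.
ALERTS = [
    {"id": 1, "host": "ep-01", "source": "Malware Scan", "type": "Masquerading",
     "sha256": "<sha256-of-filezilla.exe>", "time": "2024-04-10T09:00:00", "action": "Blocked"},
    {"id": 2, "host": "ep-01", "source": "Malware Scan", "type": "Masquerading",
     "sha256": "<sha256-of-filezilla.exe>", "time": "2024-04-10T15:30:00", "action": "Blocked"},
    {"id": 3, "host": "ep-01", "source": "Malware Scan", "type": "Masquerading",
     "sha256": "<sha256-of-filezilla.exe>", "time": "2024-04-11T08:05:00", "action": "Blocked"},
    {"id": 4, "host": "ep-07", "source": "BIOC", "type": "Credential Access",
     "sha256": "<sha256-of-other-binary>", "time": "2024-04-11T08:10:00", "action": "Detected"},
]

def _related(a, b, window):
    """Simplified rule: related if same file hash, or same host/source/type within the window."""
    same_hash = a["sha256"] == b["sha256"]
    same_context = (a["host"], a["source"], a["type"]) == (b["host"], b["source"], b["type"])
    ta, tb = datetime.fromisoformat(a["time"]), datetime.fromisoformat(b["time"])
    return same_hash or (same_context and abs(ta - tb) <= window)

def group_alerts(alerts, window=timedelta(days=7)):
    """Union-find over pairwise relations; each connected component becomes one incident."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            if _related(alerts[i], alerts[j], window):
                parent[find(j)] = find(i)
    incidents = defaultdict(list)
    for i, alert in enumerate(alerts):
        incidents[find(i)].append(alert["id"])
    return sorted(incidents.values())

def blocked_redetections(alerts):
    """Count how often each hash was blocked again (assumed: a blocked file still on
    disk is re-detected by every scan, which is what shows up as 'duplicate' alerts)."""
    counts = defaultdict(int)
    for alert in alerts:
        if alert["action"] == "Blocked":
            counts[alert["sha256"]] += 1
    return dict(counts)
```

With these inputs the three Masquerading alerts collapse into a single incident because they share one file hash, while the unrelated BIOC alert stays separate.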