Masquerading - 4203898100


L0 Member

Hi Team,

We received a High incident while running a malware scan. It is Masquerading - 4203898100, where the filezilla.exe application is detected as malicious and blocked by the XDR. We observed that even when the endpoint is in a disconnected state, similar incidents are still triggered for the same endpoint.

My query is why it is triggering multiple times, even though the file has been blocked and prevented by XDR, and also while the device is in the disconnected state. We have already received about 3 duplicate incidents.

1 REPLY 1

L3 Networker

Hi AvinashAddala,


Each related artifact, even if it comes from a different host, UEBA user, Cloud resource, etc., will be used to pull in more alerts and add them under the same incident story. The incidents/alerts are grouped because they share a related artifact or attribute (alert source, type, file hash, or time period).


Cortex uses ML for detection, incident grouping, and causality chaining of alerts that surface key artifacts such as users, IPs, and hosts, and applies threat intelligence and malware sandboxing capabilities to understand which assets are impacted and the context an analyst needs to take appropriate action. Reference: Incidents, Cortex XDR Prevent Administrator Guide


If you feel these malware scan Masquerading findings are a false positive, please generate a TSF file on the endpoint in question and open a support case so that an engineer can review it.


May I also suggest bookmarking the Cortex XDR Agent Releases TechDoc, which provides an overview of new features and known issues per agent release.


Thank you

If you found this answer helpful, please select Accept as Solution.
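To make the grouping behaviour described in the reply concrete, here is an added, illustrative model of artifact-based alert grouping. It is example code written for this page, not Cortex XDR's own implementation: the field names, the two linking rules (shared file hash; same host and alert type within a 24-hour window), and the sample alerts are all assumptions constructed for the demonstration. It shows why repeated detections of the same file, on the same or a different host, end up under one incident story rather than as independent incidents.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not taken from the thread). Hash values are placeholders.
SAMPLE_ALERTS = [
    {"id": "a1", "host": "WS-01", "file_hash": "HASH_FILEZILLA_PLACEHOLDER",
     "alert_type": "Masquerading", "source": "Malware Scan", "ts": "2024-01-01T10:00:00"},
    {"id": "a2", "host": "WS-01", "file_hash": "HASH_FILEZILLA_PLACEHOLDER",
     "alert_type": "Masquerading", "source": "Malware Scan", "ts": "2024-01-01T10:30:00"},
    {"id": "a3", "host": "WS-01", "file_hash": "HASH_FILEZILLA_PLACEHOLDER",
     "alert_type": "Masquerading", "source": "Malware Scan", "ts": "2024-01-01T11:00:00"},
    # Different host, different file: shares no artifact with the others.
    {"id": "a4", "host": "WS-02", "file_hash": "HASH_OTHER_PLACEHOLDER",
     "alert_type": "Masquerading", "source": "Malware Scan", "ts": "2024-01-01T10:15:00"},
    # Different host but the same file hash, days later: still pulled into the same story.
    {"id": "a5", "host": "WS-03", "file_hash": "HASH_FILEZILLA_PLACEHOLDER",
     "alert_type": "Masquerading", "source": "Malware Scan", "ts": "2024-01-06T09:00:00"},
]


class _UnionFind:
    """Minimal disjoint-set structure used to merge alerts that share an artifact."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def _parse(ts):
    return datetime.fromisoformat(ts)


def group_alerts(alerts, window=timedelta(hours=24)):
    """Group alerts into incidents by shared artifacts (assumed rules, see lead-in).

    Rule 1: alerts with an identical file hash are linked, regardless of host.
    Rule 2: alerts on the same host with the same alert type inside `window` are linked.
    Returns a list of incidents, each listing its alert ids, hosts and file hashes.
    """
    uf = _UnionFind(len(alerts))

    by_hash = defaultdict(list)
    for i, a in enumerate(alerts):
        if a.get("file_hash"):
            by_hash[a["file_hash"]].append(i)
    for idxs in by_hash.values():
        for j in idxs[1:]:
            uf.union(idxs[0], j)

    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            ai, aj = alerts[i], alerts[j]
            if (ai["host"] == aj["host"] and ai["alert_type"] == aj["alert_type"]
                    and abs(_parse(ai["ts"]) - _parse(aj["ts"])) <= window):
                uf.union(i, j)

    groups = defaultdict(list)
    for i in range(len(alerts)):
        groups[uf.find(i)].append(i)

    incidents = []
    for idxs in groups.values():
        members = [alerts[i] for i in idxs]
        incidents.append({
            "alert_ids": sorted(m["id"] for m in members),
            "hosts": sorted({m["host"] for m in members}),
            "file_hashes": sorted({m["file_hash"] for m in members if m.get("file_hash")}),
        })
    incidents.sort(key=lambda inc: inc["alert_ids"])
    return incidents


if __name__ == "__main__":
    for inc in group_alerts(SAMPLE_ALERTS):
        print(inc)
```

Run as a script, the five constructed alerts collapse into two incidents: one story containing a1, a2, a3 and a5 (linked by the shared hash even though a5 is on another host and outside the time window), and a separate incident for a4. The same logic is why a single blocked file that keeps being re-detected adds alerts to an existing incident rather than opening fresh ones; genuinely separate incidents for the same file would be worth raising in the support case the reply recommends.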