We have, many times, received alerts with cryptic names like heuristic.agb.4477 or heuristic.b.346. Imho, creating a support case and waiting for a response is inefficient. Also, expecting us to blindly accept the support engineer response on whether that is a FP or not is not acceptable. Additionally, sometimes, we work with developers and our in-house applications get flagged. We can't advice developers on how to alter the behavior of their applications if we don't have enough information. Further, in our experience, support is not always as useful as expected. Sometimes the support engineer answer is more cryptic than the alert itself. Sometimes, explaining the issue takes too much back-and-forth discussions that take too much time and effort.
Therefore, we digged a bit deeper into the logs and found out that we can read for ourselves what these cryptic names mean. To find out, download the alert data to your machine, then open the file Logs\trapsd.log. In that file, search for the cryptic alert name and you will be able to read the description of what it means. For example, one alert had the following description
a heuristic behavior that process created an exe file inside a system directory which isn't a subdir,copied itself,process relaunched itself,unsigned process was created,process launched external cmd. Another alert meant "suspicious Powershell AMSI string", and so on.
We are considering making our own internal DB of these descriptions so investigators can immediately take action, instead of waiting for PAN support responses.
I am sharing this with the community because I saw multiple questions about this and most answers were a variation of "talk to support".
My name is Or from the XDR product management team.
It's actually available in the UI too with a lot more data.
Click on the alert icon on top of the process and scroll down.
The text you saw is a join of all the 'behavior description', and you also have two more useful things - MITRE tags and the actual description per behavior we saw (hover over the description field, text is a bit log there).
If you have any additional questions please feel free to ping me firstname.lastname@example.org
Thanks @ocohen are there times where perhaps the section you show where MITRE items would not show for a BTP?
On a Behavioral Threat I am seeing recently (Behavioral threat detected (rule: heuristic.agb.5637)) I am not seeing the "MITRE Attack" section of the blackbar your reflecting here. Only the first two rows. Am I just not clicking the right area perhaps?
Running on Cortex XDR V2.8
Is there a list of these published somewhere? With Analytics, Analytics BIOC, and BIOCs there are published lists that enable us to pre-classify the alerts in XSOAR. So far I have not found a list of BTP rules which has caused some FP or FN when choosing to automatically isolate via XSOAR because we don't know ahead of time what rules are going to come through.
For example, there are BIOCs for DCSync attacks which trigger isolation but there is also at least one BTP rule for DCSync which we did not know about so isolation was not activated.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!