10-19-2023 02:03 AM
Hi,
For testing purposes, I triggered an incident by trying to execute a malicious file. The execution was successfully blocked and a "Wildfire Malware" alert was created in XDR.
I tried executing the file once more. The execution was blocked again, but this time an alert was not created in XDR.
What could be the reason?
I checked the "Events" section under the XDR agent tray icon on the endpoint. There I am able to see an event for the execution, but in XDR the alert is not generated.
Kindly help.
Thanks,
Nithin
10-25-2023 01:59 AM - edited 10-25-2023 03:04 AM
Hi @nithin.k ,
This is to be expected given the deduplication period, which is the amount of time Cortex XDR waits before raising another warning for the same activity or behavior in order to prevent an alert overload. As a result, the alert triggered displays the frequency of comparable activity or alert triggering.
I'm also sending this screenshot in case it helps. In this instance, the alert system highlights the relevant alerts from the previous hour rather than raising 85 alarms because those 85 warnings were for the same file, activity, or conduct.
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
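An added illustration (not Cortex XDR's code; the one-hour window, the key fields and the count behaviour are assumptions) of what a deduplication window does to repeated identical detections: the first one raises an alert, repeats inside the window only bump that alert's occurrence count, and a fresh alert appears once the window has expired.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed window and key fields: an illustrative model, not Cortex XDR's
# actual implementation, whose parameters this thread does not document.
DEDUP_WINDOW = timedelta(hours=1)


@dataclass
class Detection:
    ts: datetime
    endpoint: str
    alert_type: str   # e.g. "WildFire Malware"
    file_hash: str
    path: str


class Deduplicator:
    """One alert per (endpoint, alert type, hash, path) per window; repeats
    inside the window increment the alert's count instead of raising anew."""

    def __init__(self, window=DEDUP_WINDOW):
        self.window = window
        self.open = {}    # key -> alert record whose window is still running
        self.raised = []  # alert records actually raised, in order

    def ingest(self, d):
        """Return True if a new alert was raised, False if it was folded in."""
        key = (d.endpoint, d.alert_type, d.file_hash, d.path)
        cur = self.open.get(key)
        if cur is not None and d.ts - cur["first_seen"] < self.window:
            cur["count"] += 1   # same file, same place, inside the window
            return False
        rec = {"first_seen": d.ts, "count": 1, "detection": d}
        self.open[key] = rec
        self.raised.append(rec)
        return True


def run_sample():
    """Constructed input: one blocked file run three times on one host."""
    t0 = datetime(2023, 10, 19, 2, 0, 0)

    def det(minutes):  # second run 5 min later, third after the window expired
        return Detection(t0 + timedelta(minutes=minutes), "host-01",
                         "WildFire Malware", "ab" * 32, r"C:\Temp\sample.exe")

    dd = Deduplicator()
    raised = [dd.ingest(det(m)) for m in (0, 5, 90)]
    return raised, [r["count"] for r in dd.raised]
```

The second run is blocked on the endpoint and visible in the agent's event list, yet `ingest` returns False for it; only the count on the first alert changes, which matches the behaviour described in the thread.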
10-19-2023 05:49 AM
Hi @nithin.k ,
This is the functionality of Cortex XDR: it will not generate a new incident for the same alert type or file run from the same location. However, you will see another alert added to the same incident generated.
Moreover, as this is with respect to incident handling, if you require more assistance or want to investigate it further, my suggestion (as this is a public discussion forum) would be to refer to your Customer Success team or TAC by opening a ticket through our support portal.
Feel free to write back if you have a further query.
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
10-19-2023 06:56 AM
Hi @nithin.k
A similar query was posted on LC a few days back, and as shared by @dbahuguna, this is because of deduplication: XDR won't generate a new incident for the same alert type or file run from the same location.
You may refer to this post for info around the same.
Feel free to write back if you have a further query.
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
10-19-2023 10:57 PM
Hi @dbahuguna ,
I didn't ask about incidents.
If you can see my query again, I was asking about alerts. The second execution of the same malware file didn't trigger an alert in XDR. That is my query.
The execution was successfully blocked by the XDR agent, but an alert was not generated in XDR. That is the problem here.
Thanks,
Nithin