Wildfire Malware Alert

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Wildfire Malware Alert

L1 Bithead

Hi,

 

For testing purpose, i triggered an incident by trying to execute a malicious file. The execution was successfully blocked and a "Wildfire Malware" alert was created in XDR.

 

I tried executing the file once more. The execution was blocked again, but this time alert was not created in XDR.

 

What could be the reason?

 

I checked the "Events" section under the XDR agent tray icon in the endpoint. There i am able to see an event for the execution. But in XDR alert is not generating.

 

Kindly help.

 

Thanks,

Nithin

1 accepted solution

Accepted Solutions

Hi @nithin.k ,

 

This is to be expected given the deduplication period, which is the amount of time Cortex XDR waits before raising another warning for the same activity or behavior in order to prevent an alert overload. As a result, the alert triggered displays the frequency of comparable activity or alert triggering.

 

I'm also sending this screenshot in case it helps. In this instance, the alert system highlights the relevant alerts from the previous hour rather than raising 85 alarms because those 85 warnings were for the same file, activity, or conduct.

 

dbahuguna_0-1698224144381.png

 

 

Hope this helps!

 

Please mark the response as "Accept as Solution" if it answers your query.

View solution in original post

5 REPLIES 5

L2 Linker

Hi @nithin.k ,

 

This is the functionality of Cortex XDR, it will not generate a new incident for the same alert type or file run from the same location. However, you will see another alert added to the same incident generated.

 

Moreover, as this is with respect to an incident handling with which if you require more assistance or in order to investigate it further, as this is a public discussion forum my suggestion would be to refer to your Customer Success team or TAC by opening a ticket through our support portal

 

Feel free to write back if you have further query.

 

Hope this helps!

Please mark the response as "Accept as Solution" if it answers your query.

L4 Transporter

Hi @nithin.k 

 

Similar query was posted on LC few days back and as shared by @dbahuguna this is because of deduplication XDR won't not generate a new incident for the same alert type or file run from the same location.

 

You may refer to this Post for info around the same.

 

Feel free to write back if you have further query.

 

Hope this helps!

Please mark the response as "Accept as Solution" if it answers your query.

Hi @dbahuguna ,

 

I didn't ask about incident.

 

If you can see my query again, i was asking about alerts. The second time execution of the same malware file didn't trigger an alert in XDR. That is my query.

 

The execution was successfully blocked by XDR agent but alert was not generated in XDR. That is the problem here.

 

Thanks,

Nithin

Hi @nithin.k ,

 

This is to be expected given the deduplication period, which is the amount of time Cortex XDR waits before raising another warning for the same activity or behavior in order to prevent an alert overload. As a result, the alert triggered displays the frequency of comparable activity or alert triggering.

 

I'm also sending this screenshot in case it helps. In this instance, the alert system highlights the relevant alerts from the previous hour rather than raising 85 alarms because those 85 warnings were for the same file, activity, or conduct.

 

dbahuguna_0-1698224144381.png

 

 

Hope this helps!

 

Please mark the response as "Accept as Solution" if it answers your query.

Thank you @dbahuguna 

  • 1 accepted solution
  • 2450 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!