05-05-2021 03:24 PM
We have, many times, received alerts with cryptic names like heuristic.agb.4477 or heuristic.b.346. Imho, creating a support case and waiting for a response is inefficient. Also, expecting us to blindly accept the support engineer response on whether that is a FP or not is not acceptable. Additionally, sometimes, we work with developers and our in-house applications get flagged. We can't advice developers on how to alter the behavior of their applications if we don't have enough information. Further, in our experience, support is not always as useful as expected. Sometimes the support engineer answer is more cryptic than the alert itself. Sometimes, explaining the issue takes too much back-and-forth discussions that take too much time and effort.
Therefore, we digged a bit deeper into the logs and found out that we can read for ourselves what these cryptic names mean. To find out, download the alert data to your machine, then open the file Logs\trapsd.log. In that file, search for the cryptic alert name and you will be able to read the description of what it means. For example, one alert had the following description
a heuristic behavior that process created an exe file inside a system directory which isn't a subdir,copied itself,process relaunched itself,unsigned process was created,process launched external cmd. Another alert meant "suspicious Powershell AMSI string", and so on.
We are considering making our own internal DB of these descriptions so investigators can immediately take action, instead of waiting for PAN support responses.
I am sharing this with the community because I saw multiple questions about this and most answers were a variation of "talk to support".