Cortex XDR flagged malicious macros

L0 Member


Hi team,
Cortex XDR keeps generating hundreds of alerts due to suspicious macros detected in my network.
Severity: High
Alert Source: XDR Agent
Action: Detected (Post Detected)

Category: Malware
Extensions: .xls .tmp .xlt .xar

It seems Cortex deletes all kinds of files that have macros, but in reality those are not malicious.

"alerts_table": {
"alert_json": {
"action_country": [
"UNKNOWN"
],
"action_file_extension": [
".xls"
],
"action_file_name": [
"5406272E.xls"
],
"action_file_path": [
"C:\\Users\\XXXXX\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.MSO\\5406272E.xls"
],
"action_file_sha256": [
"b765f574a58676191bfdd5876ba7fc41d749197b9b8d1d48381bd8b057a8aa40"
],
"action_process_signature_status": [
"SIGNATURE_UNAVAILABLE"
],
"actor_effective_username": [
"N/A"
],
"actor_process_signature_status": [
"SIGNATURE_UNAVAILABLE"
],
"agent_data_collection_status": false,
"agent_device_domain": "XXXX",
"agent_fqdn": "XXXXXX",
"agent_hostname": "XXXXXX",
"agent_id": "9d0d8ee73cfc4be39ce6a3dde57ddfcb",
"agent_ip_addresses": [

],
"agent_is_vdi": false,
"agent_os_sub_type": "10.0.19045",
"agent_os_type": "AGENT_OS_WINDOWS",
"agent_version": "8.2.1.47908",
"alert_action_status": "POST_DETECTED",
"alert_category": "Malware",
"alert_description": "Suspicious macro detected",
"alert_ingest_status": "READY",
"alert_is_fp": false,
"alert_name": "WildFire Malware",
"alert_source": "TRAPS",
"alert_type": "Unclassified",
"association_strength": [
50
],
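A way to triage a flood of alerts like the one above, as an added example rather than anything from the post or from Palo Alto: it groups "Suspicious macro detected" records by extension and (user-normalized) directory so that a cluster such as the INetCache\Content.MSO folder, where Office keeps temporary copies of documents opened from mail or embedded objects, stands out with its hosts and unique SHA256s for verdict checks. The record shape mirrors the fields shown in the post; the hostnames and all values except the post's own path and hash are constructed placeholders.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample alert records in the shape of the post's "alert_json" (only the fields the
# triage needs). The first record reuses the path and hash from the post; the others are made-up
# placeholders, not real detections.
SAMPLE_ALERTS = [
    {"alert_description": "Suspicious macro detected", "agent_hostname": "HOST-A",
     "action_file_extension": [".xls"], "action_file_sha256": ["b765f574a58676191bfdd5876ba7fc41d749197b9b8d1d48381bd8b057a8aa40"],
     "action_file_path": [r"C:\Users\XXXXX\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5406272E.xls"]},
    {"alert_description": "Suspicious macro detected", "agent_hostname": "HOST-B",
     "action_file_extension": [".xls"], "action_file_sha256": ["0" * 64],
     "action_file_path": [r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1A2B3C4D.xls"]},
    {"alert_description": "Suspicious macro detected", "agent_hostname": "HOST-A",
     "action_file_extension": [".xlt"], "action_file_sha256": ["1" * 64],
     "action_file_path": [r"C:\Users\XXXXX\Downloads\invoice.xlt"]},
    {"alert_description": "Something else", "agent_hostname": "HOST-C",
     "action_file_extension": [".exe"], "action_file_sha256": ["2" * 64],
     "action_file_path": [r"C:\Temp\tool.exe"]},
]

def normalize_dir(path):
    """Parent directory with the per-user profile segment replaced, so one key covers all users."""
    parts = list(PureWindowsPath(path).parent.parts)
    if len(parts) > 2 and parts[1].lower() == "users":
        parts[2] = "<user>"
    return str(PureWindowsPath(*parts))

def is_office_cache(path):
    """True for files under INetCache\\Content.MSO, Office's cache of documents opened from mail/web."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "inetcache" in parts and "content.mso" in parts

def triage(alerts, description="Suspicious macro detected"):
    """Group matching alerts by (extension, normalized directory); collect hosts and hashes per group."""
    groups = defaultdict(lambda: {"count": 0, "hosts": set(), "sha256": set(), "office_cache": False})
    for alert in alerts:
        if alert.get("alert_description") != description:
            continue
        for ext, path, sha in zip(alert["action_file_extension"], alert["action_file_path"], alert["action_file_sha256"]):
            g = groups[(ext.lower(), normalize_dir(path))]
            g["count"] += 1
            g["hosts"].add(alert["agent_hostname"])
            g["sha256"].add(sha)  # each unique hash can then be checked for a WildFire verdict
            g["office_cache"] = is_office_cache(path)
    return dict(groups)

if __name__ == "__main__":
    for (ext, folder), g in sorted(triage(SAMPLE_ALERTS).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{g['count']:3d} {ext:5s} {folder}  hosts={len(g['hosts'])} hashes={len(g['sha256'])} office_cache={g['office_cache']}")
```

Feed it the `alert_json` records exported from the alerts table; the groups with many hosts but few distinct hashes are the ones worth checking for a WildFire verdict before considering any exclusion.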
