The Cortex XDR – Analytics Malware alert indicates that a file has been identified as malware.
Synopsis
- Learning Period: 5 successful Pathfinder scans of the entire network.
- Data Sources: Traffic logs or (optional) Traps agents installed on endpoints.

A file has been identified by Palo Alto Networks WildFire as malware.
Malware is detected by Traps agents installed on endpoints, or by Pathfinder analyzing network traffic.
If Traps is not installed, one of several triggers caused Pathfinder to scan an endpoint for malicious software. Anomalous network activity might have caused Pathfinder to scan the endpoint automatically, or a trigger such as threat intelligence received by your network security team might have led a member of your team to run a manual scan of the endpoint. During the scan, Pathfinder discovered a suspicious file and sent either the file or a signature of the file to Palo Alto Networks WildFire for analysis. WildFire responded that the file is malware.
If a Traps agent is installed on endpoints, activity logged by Traps has been identified by Cortex XDR – Analytics as possibly generated by malware, and the verdict can be verified in WildFire.
Pathfinder does not send the file to WildFire for analysis if you have turned that option off on the Pathfinder configuration page.
If the malware is already known to WildFire, the malware name appears in the alert; see the Malware detection bullet under Alert Description for this information. If the malware was not previously known to WildFire, the alert shows Sandbox as the verdict source, meaning that WildFire identified the file as malware by executing it in its sandbox rather than by matching a known signature.
Malware is malicious software used by attackers for a variety of purposes. It is often used for automated, broad, non-targeted attacks. It can also be controlled remotely, so that the attacker can use it to advance their goals at any stage of the attack lifecycle.
- Read through the WildFire report to discover details about the malware.
- Use the endpoint profile to look for suspicious artifacts indicative of malware activity.
- Investigate site traffic generated by the detected malware with Cortex XDR – Investigation and Response.
- In the Triage page, look for other endpoints that are showing this alert, and investigate them as well for a possible malware infection.
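The triage steps above pivot on two things the alert carries: how WildFire reached its verdict (a known malware name versus a Sandbox verdict) and which other endpoints raised the same file. The following added example, which is not part of the Cortex XDR – Analytics documentation or product, shows that pivot over a handful of constructed alert records. The field names (`endpoint`, `sha256`, `source`, `wildfire_verdict`, `malware_name`) and the sample values are assumptions made for this example, not the product's alert schema.

```python
"""Triage helpers for file-based malware alerts.

Constructed example: the records below are made up, and the field names are
assumptions for this example, not the Cortex XDR - Analytics alert schema.
"""
from collections import defaultdict

# Constructed sample alerts (not real data). Two endpoints share one file hash,
# one alert carries a Sandbox-only verdict (no known malware name), and one is
# a file WildFire judged benign.
SAMPLE_ALERTS = [
    {"endpoint": "host-a", "sha256": "aa" * 32, "source": "pathfinder",
     "wildfire_verdict": "malware", "malware_name": "ExampleTrojan.Gen"},
    {"endpoint": "host-b", "sha256": "aa" * 32, "source": "traps",
     "wildfire_verdict": "malware", "malware_name": "ExampleTrojan.Gen"},
    {"endpoint": "host-c", "sha256": "bb" * 32, "source": "pathfinder",
     "wildfire_verdict": "malware", "malware_name": None},   # Sandbox verdict
    {"endpoint": "host-d", "sha256": "cc" * 32, "source": "traps",
     "wildfire_verdict": "benign", "malware_name": None},
]


def verdict_origin(alert):
    """Classify how the verdict was reached, mirroring the page's description:
    a sample already known to WildFire carries a malware name, while a
    previously unknown sample is identified by sandbox execution and has no
    name yet. Non-malware verdicts are reported separately."""
    if alert["wildfire_verdict"] != "malware":
        return "not-malware"
    return "known-signature" if alert.get("malware_name") else "sandbox-detonation"


def pivot_by_hash(alerts):
    """Group malware alerts by file hash so a responder can see every endpoint
    that raised the same sample. Returns {sha256: sorted list of endpoints}."""
    hosts = defaultdict(set)
    for alert in alerts:
        if alert["wildfire_verdict"] == "malware":
            hosts[alert["sha256"]].add(alert["endpoint"])
    return {digest: sorted(endpoints) for digest, endpoints in hosts.items()}


def spread_report(alerts):
    """Hashes seen on more than one endpoint, most widespread first. These are
    the alerts where checking other endpoints for infection is most urgent."""
    pivot = pivot_by_hash(alerts)
    multi = [(digest, eps) for digest, eps in pivot.items() if len(eps) > 1]
    return sorted(multi, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["endpoint"], alert["source"], verdict_origin(alert))
    for digest, endpoints in spread_report(SAMPLE_ALERTS):
        print("shared sample", digest[:16], "on", ", ".join(endpoints))
```

Grouping by file hash rather than by malware name matters for the Sandbox case: an unknown sample has no name to search on, but every endpoint that reported the same hash still shows up together in the pivot.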