The Cortex XDR – Analytics Grayware alert indicates that an endpoint on your network contains grayware (riskware).


10 minutes.
5 successful Pathfinder scans of the entire network.
Traffic logs or (optional) Traps agents installed on endpoints.


A file has been identified by Palo Alto Networks WildFire as grayware (sometimes known as riskware) based on WildFire analysis.
Grayware is detected by Traps agents installed on endpoints, or by Pathfinder analyzing network traffic.
If Traps is not installed, one of several symptoms caused Pathfinder to scan an endpoint for malicious software. Anomalous network activity might have caused Pathfinder to automatically scan the endpoint. Other symptoms such as threat intelligence received by your network security team might have caused some member of your team to run a manual scan of the endpoint.
As a result of the scan, Pathfinder discovered a suspicious file. Consequently, Pathfinder sent either the file or a signature of that file to Palo Alto Networks WildFire for analysis. WildFire has responded that the file is grayware.
If a Traps agent is installed on an endpoint, activity logged by Traps has been identified by Cortex XDR – Analytics as grayware.

Attacker's Goals

Grayware is software that could be malicious, depending on the context in which it is used. For example, adware and spyware could be used by an attacker to export sensitive information so it is classified as grayware. Some IT tools that potentially have legitimate usage in your enterprise is classified as grayware because it might be used by attackers for lateral movements on your network.

Investigative Actions

  • Read through the WildFire report to discover details about the grayware.
  • Identify and examine the software flagged as grayware to determine if it is being used for malicious purposes. Investigate traffic generated by the grayware further in Cortex XDR™ – Investigation and Response.
  • Use the endpoint profile to look for suspicious artifacts indicative of malware activity.
  • In the Triage page, look for other endpoints that are showing this alert, and investigate them as well for a possible malware infection.

Related Documentation