Palo Alto Cortex XDR malware alert detected on multiple hosts

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect when Palo Alto Cortex XDR raises similar alerts across multiple hosts.

Strategy

Monitor Cortex XDR alerts ingested from Palo Alto Cortex XDR, group them by alert name, and notify when the same alert is reported from multiple distinct hosts within a short window. A single alert on one host is routine; the same malware alert on several hosts at once is a signal of lateral movement, a shared delivery vector (for example one phishing campaign or a compromised software distribution point), or a false positive worth tuning. See Triage Alerts in the Cortex Help Center for more information.

Triage and response

  1. Review the data shown in the alert, such as the command-line arguments (CMD), the process image and its parent, and the user it ran as. Compare the command lines across the affected hosts: identical or near-identical commands point to a common delivery vector rather than unrelated incidents.
  2. Analyze the chain of execution in the Causality View to establish the initiating process and what it spawned, wrote, or connected to.
  3. Review the Timeline View of the sequence of events over time, and note which host alerted first; it is the most likely initial foothold.
  4. If deemed malicious, consider responding by isolating the affected endpoints from the network, starting with the earliest-alerting host, to stop further spread while the investigation continues.
  5. Remediate the endpoints and remove them from isolation once they are clean.
  6. Inspect the information again to identify behavioral details (process names, command-line patterns, parent-child relationships, network indicators) that you can use to create a BIOC rule, and build a correlation rule so that the same pattern is caught earlier next time.