Palo Alto Cortex XDR malware alert detected on multiple hosts

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect when Palo Alto Cortex XDR raises similar alerts across multiple hosts.

Strategy

Monitor and notify on multiple alerts reported by Palo Alto Cortex XDR across multiple hosts. See Triage Alerts in the Cortex Help Center for more information.
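The strategy above amounts to correlating alerts by name and counting distinct hosts inside a time window. The following is an added illustration of that logic, not Datadog's rule implementation or Cortex XDR code; the alert records are constructed, and the field names (`alert_name`, `host`, `ts`) are assumptions rather than the exact Cortex XDR schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts. "Behavioral Threat" fires on three hosts within
# minutes, "Suspicious PowerShell" repeats on a single host, and
# "Malware Quarantine" spans three hosts but one event is far outside the window.
SAMPLE_ALERTS = [
    {"alert_name": "Behavioral Threat", "host": "ws-01", "ts": "2024-05-01T10:00:00"},
    {"alert_name": "Behavioral Threat", "host": "ws-02", "ts": "2024-05-01T10:05:00"},
    {"alert_name": "Suspicious PowerShell", "host": "ws-01", "ts": "2024-05-01T10:06:00"},
    {"alert_name": "Suspicious PowerShell", "host": "ws-01", "ts": "2024-05-01T10:07:00"},
    {"alert_name": "Suspicious PowerShell", "host": "ws-01", "ts": "2024-05-01T10:08:00"},
    {"alert_name": "Behavioral Threat", "host": "ws-03", "ts": "2024-05-01T10:12:00"},
    {"alert_name": "Malware Quarantine", "host": "srv-01", "ts": "2024-05-01T09:00:00"},
    {"alert_name": "Malware Quarantine", "host": "srv-02", "ts": "2024-05-01T10:30:00"},
    {"alert_name": "Malware Quarantine", "host": "srv-03", "ts": "2024-05-01T10:31:00"},
]


def find_multi_host_alerts(alerts, window=timedelta(minutes=15), min_hosts=3):
    """Return {alert_name: sorted hosts} for every alert name that was raised on
    at least `min_hosts` distinct hosts within any `window`-long span.
    Repeats on the same host do not count toward the threshold."""
    by_name = defaultdict(list)
    for a in alerts:
        by_name[a["alert_name"]].append((datetime.fromisoformat(a["ts"]), a["host"]))

    hits = {}
    for name, events in by_name.items():
        events.sort()  # time-ordered so a sliding window can be applied
        start = 0
        for end in range(len(events)):
            # Advance the window start until the oldest event is within `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {host for _, host in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[name] = sorted(hosts)
                break  # one qualifying window is enough to notify
    return hits


if __name__ == "__main__":
    for name, hosts in find_multi_host_alerts(SAMPLE_ALERTS).items():
        print(f"{name}: seen on {len(hosts)} hosts -> {', '.join(hosts)}")
```

Raising `min_hosts` or widening `window` changes which names qualify; the single-host repeat never does, which is the distinction that separates this rule from a plain alert-count threshold.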

Triage and response

  1. Review the data shown in the alert such as the command-line arguments (CMD) and process information.
  2. Analyze the chain of execution in the Causality View.
  3. Review the Timeline View of the sequence of events over time.
  4. If deemed malicious, consider responding by isolating the endpoint from the network.
  5. Remediate the endpoint and release it from isolation.
  6. Inspect the information again to identify any behavioral details that you can use to create a BIOC rule and create a correlation rule.