Palo Alto - Cortex XDR (WildFire Malware) #1105
Are you sure your computer is not infected and that the RELION binary has not been modified by malware?
We've tested your project in a new environment and launched the project build, but Cortex still has a blocked library called Fluid. { "original_alert_json": {}, "internal_id": null, "external_id": "bc0e6433249b4b1091bf89952997fd44", "severity": "SEV_030_MEDIUM", "original_severity": "SEV_030_MEDIUM", "matching_status": "UNMATCHABLE", "detection_modules": null, "end_match_attempt_ts": null, "alert_ingest_status": null, "alert_source": "TRAPS", "local_insert_ts": 1712609477537, "last_modified_ts": null, "source_insert_ts": 1712609475704, "has_alert_layout_data": null, "alert_name": "WildFire Malware", "alert_category": "Malware", "alert_description": "Suspicious executable detected", "bioc_indicator": null, "matching_service_rule_id": null, "tim_main_indicator": null, "query_tables": null, "is_xdm": null, "attempt_counter": null, "is_identity": null, "bioc_category_enum_key": null, "alert_action_status": "BLOCKED", "case_id": null, "is_whitelisted": true, "join_next_attempt_time": null, "xdr_additional_info": null, "dispatch_state": null, "is_deleted": null, "is_protected": null, "starred": null, "deduplicate_tokens": null, "filter_rule_id": null, "mitre_technique_id_and_name": [ "" ], "mitre_tactic_id_and_name": [ "" ], "alert_sub_type": null, "agent_id": "332e04e18ba248c98382db616f12040d", "agent_version": "8.3.0.121478", "agent_ip_addresses": [ "10.10.10.10" ], "agent_ip_addresses_v6": null, "agent_hostname": "test", "agent_device_domain": null, "agent_fqdn": "test", "agent_os_type": "AGENT_OS_LINUX", "agent_os_sub_type": "22.04.2", "agent_data_collection_status": true, "mac": "00:00:00:00", "agent_is_vdi": false, "agent_install_type": "STANDARD", "agent_host_boot_time": [ 0 ], "cloud_security_agent_mode": false, "cloud_security_agent_capable": false, "event_sub_type": null, "module_id": [ "WildFire" ], "module_name": [ "COMPONENT_WILDFIRE" ], "association_strength": [ 50 ], "dst_association_strength": null, "story_id": null, "is_disintegrated": null, "from_dml": 
null, "event_id": null, "event_type": [ 1 ], "event_timestamp": [ 1712609490104 ], "actor_effective_username": [ "jdaniel" ], "actor_process_instance_id": [ "ch8AAMsP5tDdLQUAAAAAAA==" ], "actor_process_image_path": [ "/home/test/relion/external/fltk/fltk/fluid/fluid" ], "actor_process_image_name": [ "fluid" ], "actor_process_command_line": [ "../fluid/fluid -c fast_slow.fl" ], "actor_process_signature_status": null, "actor_process_signature_vendor": null, "actor_process_image_sha256": [ "13217827c4be618fb783b419c19d0439efbf389414ed1ac4f513b8e4e59fed49" ], "actor_process_image_md5": [ "c8380e0da12f5a003decc378c2e4ec92" ], "actor_process_causality_id": [ "HB4AAC+9ysLlBAUAAAAAAA==" ], "actor_causality_id": null, "actor_process_os_pid": [ 8050 ], "actor_thread_thread_id": [ 8041 ], "actor_process_execution_time": [ 1712609489013 ], "causality_actor_process_image_name": [ "sshd" ], "causality_actor_process_command_line": [ "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups" ], "causality_actor_process_image_path": [ "/usr/sbin/sshd" ], "causality_actor_process_instance_id": [ "HB4AAC+9ysLlBAUAAAAAAA==" ], "causality_actor_process_os_pid": [ 7708 ], "causality_actor_process_signature_vendor": null, "causality_actor_process_signature_status": null, "causality_actor_causality_id": [ "HB4AAC+9ysLlBAUAAAAAAA==" ], "causality_actor_process_execution_time": [ 1712609384133 ], "causality_actor_process_image_md5": null, "causality_actor_process_image_sha256": [ "af6e46f16c8b35b6936a43aea24db2197ee3df11817dc0330b8d75b068aa26d2" ], "action_file_path": null, "action_file_name": null, "action_file_md5": null, "action_file_sha256": null, "action_file_macro_sha256": null, "action_registry_data": null, "action_registry_key_name": null, "action_registry_value_name": null, "action_registry_full_key": null, "action_local_ip": null, "action_local_ip_v6": null, "action_local_port": null, "action_remote_ip": null, "action_remote_ip_v6": null, "action_remote_port": null, 
"action_external_hostname": null, "action_country": null, "action_process_instance_id": null, "action_process_causality_id": null, "action_process_image_name": null, "action_process_image_sha256": null, "action_process_image_command_line": null, "action_process_signature_status": [ "SIGNATURE_UNAVAILABLE" ], "action_process_signature_vendor": null, "action_process_image_path": [ "/home/test/relion/external/fltk/fltk/test/../fluid/fluid" ], "action_process_image_md5": [ "c8380e0da12f5a003decc378c2e4ec92" ], "action_process_os_pid": [ 8050 ], "os_actor_effective_username": null, "os_actor_process_instance_id": null, "os_actor_process_image_path": null, "os_actor_process_image_name": null, "os_actor_process_command_line": null, "os_actor_process_signature_status": null, "os_actor_process_signature_vendor": null, "os_actor_process_image_md5": null, "os_actor_process_image_sha256": null, "os_actor_process_causality_id": null, "os_actor_causality_id": null, "os_actor_process_os_pid": null, "os_actor_thread_thread_id": [ 8041 ], "os_actor_process_execution_time": null, "fw_app_id": null, "fw_interface_from": null, "fw_interface_to": null, "fw_rule": null, "fw_rule_id": null, "fw_device_name": null, "fw_serial_number": null, "fw_url_domain": null, "fw_email_subject": null, "fw_email_sender": null, "fw_email_recipient": null, "fw_app_subcategory": null, "fw_app_category": null, "fw_app_technology": null, "fw_vsys": null, "fw_xff": null, "fw_misc": null, "fw_is_phishing": [ "NOT_AVAILABLE" ], "dst_agent_id": null, "dst_agent_id_single": null, "dst_agent_hostname": null, "dst_agent_os_type": null, "dst_causality_actor_process_execution_time": null, "dst_os_actor_process_image_name": null, "dst_os_actor_process_os_pid": null, "dst_actor_process_image_name": null, "dst_actor_process_os_pid": null, "dns_query_name": null, "dst_action_external_hostname": null, "dst_action_country": null, "dst_action_external_port": null, "is_pcap": false, "contains_featured_host": null, 
"contains_featured_user": null, "contains_featured_ip": null, "image_name": null, "image_id": null, "container_id": null, "container_name": null, "namespace": null, "cluster_name": null, "referenced_resource": null, "operation_name": null, "identity_sub_type": null, "identity_type": null, "identity_invoked_by_type": null, "project": null, "cloud_provider": null, "resource_type": null, "resource_sub_type": null, "user_agent": null, "identity_name": null, "caller_ip": null, "remote_cid": null, "actor_effective_user_sid": null, "action_process_user_sid": null, "pivot_url": null, "audit_ids": null, "attack_techniques": null, "policy_id": null, "drilldown_query": null, "activity_first_seen_at": null, "activity_last_seen_at": null, "drilldown_min_ts": null, "drilldown_max_ts": null, "alert_type": "Unclassified", "resolution_status": "STATUS_010_NEW", "resolution_status_modified_ts": null, "resolution_comment": null, "forensics_artifact_type": null, "dynamic_fields": null, "asset_service_id": null, "alert_json": null, "xpanse_service_id": null, "xpanse_website_id": null, "xpanse_asset_id": null, "xpanse_primary_asset_id": null, "xpanse_asset_name": null, "xpanse_policy_id": null, "is_xsoar_alert": false, "suggested_playbook_id": null, "playbookId": null, "playbook_suggestion_rule_id": null, "iot_pivot_url": null, "alert_is_fp": false, "family_tags": null, "tags": null, "phone_number": null, "runStatus": null, "xpanse_first_observed": null, "malicious_urls": null, "is_rule_triggering": false, "allow_causality_card": null, "cloud_provider_account_id": null, "cloud_labels": [ null ], "_reception_time": null, "is_excluded": true } |
This is not RELION's problem. I don't know why they decided to classify FLTK as malware. This should be dealt with by Palo Alto or the FLTK developers.
Hello,
We are unable to start your software because our XDR security software classifies it as malicious and blocks it.
Environment:
Error message:
Source:XDR Agent
Category:Malware
Action:Prevented (Blocked)
{
"original_alert_json": {},
"internal_id": null,
"external_id": "4519215e64074a89921582c5c17de96f",
"severity": "SEV_030_MEDIUM",
"original_severity": "SEV_030_MEDIUM",
"matching_status": "UNMATCHABLE",
"detection_modules": null,
"end_match_attempt_ts": null,
"alert_ingest_status": null,
"alert_source": "TRAPS",
"local_insert_ts": 1712585187928,
"last_modified_ts": null,
"source_insert_ts": 1712585185663,
"has_alert_layout_data": null,
"alert_name": "WildFire Malware",
"alert_category": "Malware",
"alert_description": "Suspicious executable detected",
"bioc_indicator": null,
"matching_service_rule_id": null,
"tim_main_indicator": null,
"query_tables": null,
"is_xdm": null,
"attempt_counter": null,
"is_identity": null,
"bioc_category_enum_key": null,
"alert_action_status": "BLOCKED",
"case_id": null,
"is_whitelisted": true,
"join_next_attempt_time": null,
"xdr_additional_info": null,
"dispatch_state": null,
"is_deleted": null,
"is_protected": null,
"starred": null,
"deduplicate_tokens": null,
"filter_rule_id": null,
"mitre_technique_id_and_name": [
""
],
"mitre_tactic_id_and_name": [
""
],
"alert_sub_type": null,
"agent_id": "4ed05c9c394445aea061a0e1b6406dc2",
"agent_version": "8.3.0.121478",
"agent_ip_addresses": [
"172.x.x.x"
],
"agent_ip_addresses_v6": null,
"agent_hostname": "",
"agent_device_domain": "",
"agent_fqdn": "",
"agent_os_type": "AGENT_OS_LINUX",
"agent_os_sub_type": "22.04.4",
"agent_data_collection_status": true,
"mac": "0a:ff:c8:fe:25:47",
"agent_is_vdi": false,
"agent_install_type": "STANDARD",
"agent_host_boot_time": [
0
],
"cloud_security_agent_mode": false,
"cloud_security_agent_capable": false,
"event_sub_type": null,
"module_id": [
"WildFire"
],
"module_name": [
"COMPONENT_WILDFIRE"
],
"association_strength": [
50
],
"dst_association_strength": null,
"story_id": null,
"is_disintegrated": null,
"from_dml": null,
"event_id": null,
"event_type": [
1
],
"event_timestamp": [
1712585200063
],
"actor_effective_username": [
"ubuntu"
],
"actor_process_instance_id": [
"5wsAAEstSs9QNQAAAAAAAA=="
],
"actor_process_image_path": [
"/home/ubuntu/software/relion5/build/bin/relion"
],
"actor_process_image_name": [
"relion"
],
"actor_process_command_line": [
"relion"
],
"actor_process_signature_status": null,
"actor_process_signature_vendor": null,
"actor_process_image_sha256": [
"a60b8c12aa8822bb399e9db2d0743b6e4fe112456b943a780ffd4d24d0bd3216"
],
"actor_process_image_md5": [
"bb98971c5c61557c3900239451857dd7"
],
"actor_process_causality_id": [
"xwsAAJba/cHFKQAAAAAAAA=="
],
"actor_causality_id": null,
"actor_process_os_pid": [
3047
],
"actor_thread_thread_id": [
3015
],
"actor_process_execution_time": [
1712585199406
],
"causality_actor_process_image_name": [
"bash"
],
"causality_actor_process_command_line": [
"bash"
],
"causality_actor_process_image_path": [
"/bin/bash"
],
"causality_actor_process_instance_id": [
"xwsAAJba/cHFKQAAAAAAAA=="
],
"causality_actor_process_os_pid": [
3015
],
"causality_actor_process_signature_vendor": null,
"causality_actor_process_signature_status": null,
"causality_actor_causality_id": [
"xwsAAJba/cHFKQAAAAAAAA=="
],
"causality_actor_process_execution_time": [
1712585169847
],
"causality_actor_process_image_md5": null,
"causality_actor_process_image_sha256": [
"59474588a312b6b6e73e5a42a59bf71e62b55416b6c9d5e4a6e1c630c2a9ecd4"
],
"action_file_path": null,
"action_file_name": null,
"action_file_md5": null,
"action_file_sha256": null,
"action_file_macro_sha256": null,
"action_registry_data": null,
"action_registry_key_name": null,
"action_registry_value_name": null,
"action_registry_full_key": null,
"action_local_ip": null,
"action_local_ip_v6": null,
"action_local_port": null,
"action_remote_ip": null,
"action_remote_ip_v6": null,
"action_remote_port": null,
"action_external_hostname": null,
"action_country": null,
"action_process_instance_id": null,
"action_process_causality_id": null,
"action_process_image_name": null,
"action_process_image_sha256": null,
"action_process_image_command_line": null,
"action_process_signature_status": [
"SIGNATURE_UNAVAILABLE"
],
"action_process_signature_vendor": null,
"action_process_image_path": [
"/home/ubuntu/software/relion5/build/bin/relion"
],
"action_process_image_md5": [
"bb98971c5c61557c3900239451857dd7"
],
"action_process_os_pid": [
3047
],
"os_actor_effective_username": null,
"os_actor_process_instance_id": null,
"os_actor_process_image_path": null,
"os_actor_process_image_name": null,
"os_actor_process_command_line": null,
"os_actor_process_signature_status": null,
"os_actor_process_signature_vendor": null,
"os_actor_process_image_md5": null,
"os_actor_process_image_sha256": null,
"os_actor_process_causality_id": null,
"os_actor_causality_id": null,
"os_actor_process_os_pid": null,
"os_actor_thread_thread_id": [
3015
],
"os_actor_process_execution_time": null,
"fw_app_id": null,
"fw_interface_from": null,
"fw_interface_to": null,
"fw_rule": null,
"fw_rule_id": null,
"fw_device_name": null,
"fw_serial_number": null,
"fw_url_domain": null,
"fw_email_subject": null,
"fw_email_sender": null,
"fw_email_recipient": null,
"fw_app_subcategory": null,
"fw_app_category": null,
"fw_app_technology": null,
"fw_vsys": null,
"fw_xff": null,
"fw_misc": null,
"fw_is_phishing": [
"NOT_AVAILABLE"
],
"dst_agent_id": null,
"dst_agent_id_single": null,
"dst_agent_hostname": null,
"dst_agent_os_type": null,
"dst_causality_actor_process_execution_time": null,
"dst_os_actor_process_image_name": null,
"dst_os_actor_process_os_pid": null,
"dst_actor_process_image_name": null,
"dst_actor_process_os_pid": null,
"dns_query_name": null,
"dst_action_external_hostname": null,
"dst_action_country": null,
"dst_action_external_port": null,
"is_pcap": false,
"contains_featured_host": null,
"contains_featured_user": null,
"contains_featured_ip": null,
"image_name": null,
"image_id": null,
"container_id": null,
"container_name": null,
"namespace": null,
"cluster_name": null,
"referenced_resource": null,
"operation_name": null,
"identity_sub_type": null,
"identity_type": null,
"identity_invoked_by_type": null,
"project": null,
"cloud_provider": null,
"resource_type": null,
"resource_sub_type": null,
"user_agent": null,
"identity_name": null,
"caller_ip": null,
"remote_cid": null,
"actor_effective_user_sid": null,
"action_process_user_sid": null,
"pivot_url": null,
"audit_ids": null,
"attack_techniques": null,
"policy_id": null,
"drilldown_query": null,
"activity_first_seen_at": null,
"activity_last_seen_at": null,
"drilldown_min_ts": null,
"drilldown_max_ts": null,
"alert_type": "Unclassified",
"resolution_status": "STATUS_010_NEW",
"resolution_status_modified_ts": null,
"resolution_comment": null,
"forensics_artifact_type": null,
"dynamic_fields": null,
"asset_service_id": null,
"alert_json": null,
"xpanse_service_id": null,
"xpanse_website_id": null,
"xpanse_asset_id": null,
"xpanse_primary_asset_id": null,
"xpanse_asset_name": null,
"xpanse_policy_id": null,
"is_xsoar_alert": false,
"suggested_playbook_id": null,
"playbookId": null,
"playbook_suggestion_rule_id": null,
"iot_pivot_url": null,
"alert_is_fp": false,
"family_tags": null,
"tags": null,
"phone_number": null,
"runStatus": null,
"xpanse_first_observed": null,
"malicious_urls": null,
"is_rule_triggering": false,
"allow_causality_card": null,
"cloud_provider_account_id": "471112864883",
"cloud_labels": [
null
],
"_reception_time": null,
"is_excluded": true
}