Question

VT action

  • November 19, 2025
  • 5 replies
  • 39 views

MikelSA

Hi,

I’m encountering a scalability issue with our malware playbook after the recent Cortex XDR integration update.

The problem is the following:

  • Cortex XDR now generates a separate Issue for each file detected as malicious during periodic scans.

  • All malicious files are also stored under Key Assets & Artifacts in Cortex.

  • In Google SecOps, each XDR Issue becomes one Alert associated with the same Case.

  • However, each Alert contains all existing Artifacts, not only the ones related to that specific Issue

When the malware playbook runs on each alert, it sends one VirusTotal request per hash.
Since the Case contains 27 alerts, and each alert includes the same 48 artifacts, the playbook ends up sending:

27 alerts × 48 artifacts = 1,296 VirusTotal API requests

Most of these requests are redundant, because the artifacts are identical across alerts.
We only need to submit 48 VirusTotal lookups, not 1,296.

This behavior causes unnecessary API consumption and may lead to quota exhaustion or delays.


Is there a way to avoid duplicate VT lookups across alerts within the same Case?


Thanks a lot!
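The case-scoped deduplication the question asks for, as an added illustration that is not code from the thread or from the Google SecOps / VirusTotal integrations: a per-case memo keyed by normalised hash, so 27 alerts that each carry the same 48 artifacts cost 48 lookups instead of 1,296. The `vt_lookup` callable standing in for the VT action, the in-memory store and the constructed sample case are assumptions; where such a cache would live inside a real playbook is not shown here.

```python
"""Added example: deduplicate VirusTotal hash lookups across all alerts of one case."""
import re

# Hex-digest lengths for the hash types VirusTotal accepts as file identifiers.
_HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_hash(value):
    """Return a lowercase hex digest, or None if the artifact is not a file hash."""
    h = value.strip().lower()
    if len(h) in _HASH_LEN and re.fullmatch(r"[0-9a-f]+", h):
        return h
    return None


class CaseLookupCache:
    """Per-case memo: one VT request per distinct hash, result reused by later alerts."""

    def __init__(self, vt_lookup):
        self._vt_lookup = vt_lookup  # assumed callable(hash) -> verdict, stands in for the VT action
        self._results = {}           # hash -> verdict already fetched for this case
        self.requests_sent = 0

    def enrich_alert(self, alert_artifacts):
        """Attach a verdict to every hash artifact of one alert, querying VT only for new hashes."""
        verdicts = {}
        for raw in alert_artifacts:
            h = normalize_hash(raw)
            if h is None:
                continue  # skip non-hash artifacts (file paths, hostnames, ...)
            if h not in self._results:  # first time this case sees the hash: ask VT once
                self._results[h] = self._vt_lookup(h)
                self.requests_sent += 1
            verdicts[h] = self._results[h]
        return verdicts


def run_case(alerts, vt_lookup):
    """Run every alert of a case through one shared cache; return (per-alert verdicts, requests sent)."""
    cache = CaseLookupCache(vt_lookup)
    per_alert = [cache.enrich_alert(a) for a in alerts]
    return per_alert, cache.requests_sent


def _constructed_case(n_alerts=27, n_artifacts=48):
    """Constructed sample: every alert lists the same SHA-256 set (mixed case) plus one non-hash artifact."""
    shared = ["%064x" % i for i in range(n_artifacts)]
    return [[h.upper() if a % 2 else h for h in shared] + ["C:\\tmp\\sample.exe"] for a in range(n_alerts)]


if __name__ == "__main__":
    fake_vt = lambda h: {"malicious": int(h[-1], 16) % 3 == 0}  # constructed stand-in verdicts
    verdicts, sent = run_case(_constructed_case(), fake_vt)
    print(f"alerts={len(verdicts)} requests_sent={sent}")  # 27 alerts, 48 requests
```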

5 replies

vaskenh
Staff
  • Staff
  • November 19, 2025

Hi @MikelSA. In this scenario, is the behavior you describe (the excessive, multiplicative API queries) directly subsequent to the integration update? It sounds like it based on your post but I just want to verify that there was indeed no precedent for this beforehand.


If this is the case and the behavior is tied to the actual platform integration update I would suggest opening a support case to highlight this behavior and include your above analysis. 


cmorris
Staff
  • Staff
  • November 19, 2025

Can you use the Find First Alert action under Tools and then only operate on that first alert? Also see here - 



MikelSA
  • Author
  • Bronze 2
  • November 20, 2025

Hi @MikelSA. In this scenario, is the behavior you describe (the excessive, multiplicative API queries) directly subsequent to the integration update? It sounds like it based on your post but I just want to verify that there was indeed no precedent for this beforehand.


If this is the case and the behavior is tied to the actual platform integration update I would suggest opening a support case to highlight this behavior and include your above analysis. 

Hi @vaskenh, yep, this behavior has been happening since the update, so I might open a support case. Anyway, in the meantime I have a “solution”.


MikelSA
  • Author
  • Bronze 2
  • November 20, 2025

Can you use the Find First Alert action under Tools and then only operate on that first alert? Also see here - 


I will take a look, thanks!

I mean the grouping is good, the problem is the incoming alerts


ylandovskyy
Staff
  • Staff
  • November 20, 2025

Hey @MikelSA,

The Cortex XDR connector can work either as 1 XDR Incident = 1 SecOps Alert or as 1 XDR Alert = 1 SecOps Alert. This logic is determined by the “Split Incident Alerts” parameter in the connector.