I have not found a clear answer on this.
When we get alerts on devices that have a file path of Users/<username>/Library/Logs/DiagnosticReports/XProtectRemediatorXXXX.diag, are we supposed to download that log and open it to figure out what XProtect found? Or is the XXXX in the file name the malware/virus name that was found by XProtect?
I am having users download Malwarebytes to install and run to see if that finds anything. Does that sound like a good 1st step?