I just created a Threat in Detection Rules->Community Threat in InsightIDR for testing purposes. I generated an md5sum for a file that shouldn't land on a client's PC and added it as an Indicator in my Threat. Unfortunately InsightIDR doesn't create an Alert when this file lands on a client's PC. Hope you can give me tips on how to solve this.
The hash would only trigger an alert if it was found within the logs somewhere. Typically speaking the hash of a file is never recorded in any logs. Usually the way hashes are ingested into IDR are from processes monitored by the Insight Agent. So a process hash that matched would trigger an alert but a file existing shouldn’t trigger anything.
Hello John, thank you for your answer. I'm trying to understand how this would look in a real-life scenario, when you want to detect a malicious file on your PC. Is it possible to detect that kind of file with InsightIDR?
The Insight Agent doesn’t specifically monitor for that. If you wanted an alert within IDR for a malicious file we would need logs from a separate tool that monitors files to send us a log that keys in on that. Typically speaking that is an AV action. If you look in the data collection page and check under the Virus Scan event sources you can see a list of AV solutions that we already have default parsers for.
Otherwise you could essentially use any tool that captures hashes of files and have that tool send the logs to IDR.
For the URL portion, this would need to be captured from your DNS event source or Web Proxy logs. Essentially the same as with the malicious hash: the URL would need to exist within the logs, so it is dependent on that URL coming from an existing event source. For example, if it was just a workstation that's not connected to your network navigating to that URL, then your DNS logs wouldn't have a record of it.
However, if you can show that the logs exist in IDR for an asset navigating to that URL and we did not alert on it, that is a different scenario and would require a support ticket to determine why there was no action on that event.
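The point made in the answers above, that a Community Threat indicator can only match a value that is actually present in an ingested log event, as an added example that is not part of the original thread and not InsightIDR's own code. It constructs a threat with one hash indicator and one hostname indicator, runs a minimal matcher over constructed log events (a process start recorded by an endpoint agent, a DNS query), and shows that a file merely written to disk produces no match until a separate file-hashing tool emits a log line carrying its hash. The JSON field names, the `file_hash_logger` source, the asset names and the hostname `evil.example` are all assumptions for the example.

```python
"""Added example (not Rapid7's code): an indicator only fires when its value
is present in an ingested log event. Field names, event shape and the
'file_hash_logger' tool are assumptions, not InsightIDR internals."""
import hashlib
import os
import tempfile

# Constructed threat: one file-hash indicator and one hostname indicator.
SAMPLE_FILE_CONTENT = b"not malware, constructed content for the example\n"
MALICIOUS_MD5 = hashlib.md5(SAMPLE_FILE_CONTENT).hexdigest()
MALICIOUS_HOST = "evil.example"  # assumed indicator value

THREAT_INDICATORS = {
    "hashes": {MALICIOUS_MD5},
    "hosts": {MALICIOUS_HOST},
}

# Constructed log events in an assumed JSON-like shape. Only the process-start
# event (what an endpoint agent records for an executed binary) and the DNS
# query carry indicator values; a file sitting on disk generates no event.
SAMPLE_EVENTS = [
    {"source": "endpoint_agent", "type": "process_start", "asset": "WS-001",
     "process": "C:\\Users\\a\\dropper.exe", "md5": MALICIOUS_MD5},
    {"source": "endpoint_agent", "type": "process_start", "asset": "WS-002",
     "process": "C:\\Windows\\notepad.exe", "md5": "0" * 32},
    {"source": "dns", "type": "query", "asset": "WS-003", "query": MALICIOUS_HOST},
    {"source": "dns", "type": "query", "asset": "WS-004", "query": "www.example.com"},
]


def match_indicators(events, indicators):
    """Return (event, matched_value) pairs for events whose string fields
    contain an indicator. The value has to be in the event to be matched;
    nothing here looks at the filesystem."""
    hits = []
    for ev in events:
        for value in ev.values():
            if not isinstance(value, str):
                continue
            v = value.lower()
            if v in indicators["hashes"] or v in indicators["hosts"]:
                hits.append((ev, v))
    return hits


def file_hash_log_events(paths, asset="WS-005"):
    """Stand-in for a separate tool that captures file hashes (an AV or file
    integrity product): hash each file and emit one log event per file so
    the hash exists in a log that could be forwarded to IDR."""
    events = []
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        events.append({
            "source": "file_hash_logger", "type": "file_observed", "asset": asset,
            "path": path,
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return events


def demo():
    """Return (hits without a file-hashing tool, hits with one)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dropper.bin")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_FILE_CONTENT)  # file lands on the "client", no log yet
        # 1. Only the agent/DNS events exist: the on-disk file contributes nothing.
        without_tool = match_indicators(SAMPLE_EVENTS, THREAT_INDICATORS)
        # 2. A hashing tool logs the file: its md5 is now matchable.
        with_tool = match_indicators(
            SAMPLE_EVENTS + file_hash_log_events([path]), THREAT_INDICATORS)
    return without_tool, with_tool


if __name__ == "__main__":
    before, after = demo()
    for label, hits in (("without file-hash logs", before), ("with file-hash logs", after)):
        print(f"{label}: {len(hits)} hit(s)")
        for ev, value in hits:
            print(f"  {ev['source']}/{ev['type']} on {ev['asset']} matched {value}")
```

The first run yields two hits (the executed dropper's process hash and the DNS query for the indicator hostname); the file written to disk is invisible to the matcher. The second run yields a third hit only because the hashing tool produced a log event containing the md5, which is the same dependency the answers describe: the indicator value must arrive through an event source.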