In “add threat”, the interface shows you can enter an MD5. Is that the only hash type it will actually accept? I’m wanting to add a threat and have a whole list of hashes, but I only have the SHA2. I’m hoping it’s just labeled incorrectly and will work with multiple hash types.
Only MD5 as it stands, unfortunately. As an alternative, you could create custom alerts to key off of process start logs if you happen to have Enhanced Endpoint Telemetry, as the SHA appears in those log events.
If you have the hashes, you could create a custom alert against Endpoint Activity → Process Start Events.
Note this example is for a Linux machine, but we can see the nested JSON contains the sha256.
An example query for this machine and 2 hashes would be:
where(eu-west-1.compute.internal process.exe_file.hashes.sha256 IN ["d45d0317aeee450fc40b9134457c842eec25bf147b9f90528f3f715b20697613","7bcbf925e9c76b97654810d1887351baf026144e09183fc08e64822fcc417b5a"])
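As an added illustration (not Rapid7 code and not part of the original thread), the script below does offline what the `sha256 IN [...]` query above does inside InsightIDR: it walks the nested field path `process.exe_file.hashes.sha256` taken from the query, compares it against the two SHA-256 values from the post, and optionally restricts matches to a hostname substring. The event records are constructed samples that only imitate the nested layout described above; the field names other than the hash path are assumptions.

```python
import json

# Watchlist: the two SHA-256 values from the example query in the post.
WATCHLIST_SHA256 = {
    "d45d0317aeee450fc40b9134457c842eec25bf147b9f90528f3f715b20697613",
    "7bcbf925e9c76b97654810d1887351baf026144e09183fc08e64822fcc417b5a",
}

# Constructed sample "process start" events (NOT real InsightIDR output).
# Only the hash path process.exe_file.hashes.sha256 follows the post's query;
# hostname and process.name are assumed field names for illustration.
SAMPLE_EVENTS = [
    # 1: matches the first watchlist hash on an eu-west-1 host
    json.dumps({"hostname": "ip-10-0-0-12.eu-west-1.compute.internal",
                "process": {"name": "bash",
                            "exe_file": {"hashes": {"sha256":
                                "d45d0317aeee450fc40b9134457c842eec25bf147b9f90528f3f715b20697613"}}}}),
    # 2: benign hash (SHA-256 of the empty string), no match
    json.dumps({"hostname": "ip-10-0-0-12.eu-west-1.compute.internal",
                "process": {"name": "ls",
                            "exe_file": {"hashes": {"sha256":
                                "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}}}),
    # 3: second watchlist hash, upper-cased, on a different region's host
    json.dumps({"hostname": "ip-10-0-1-7.us-east-1.compute.internal",
                "process": {"name": "python3",
                            "exe_file": {"hashes": {"sha256":
                                "7BCBF925E9C76B97654810D1887351BAF026144E09183FC08E64822FCC417B5A"}}}}),
    # 4: event carrying only an MD5, so there is no sha256 field to compare
    json.dumps({"hostname": "ip-10-0-0-12.eu-west-1.compute.internal",
                "process": {"name": "cat",
                            "exe_file": {"hashes": {"md5": "d41d8cd98f00b204e9800998ecf8427e"}}}}),
    # 5: truncated / malformed line, must be skipped rather than crash the loop
    '{"hostname": "ip-10-0-0-12.eu-west-1.compute.internal", "process": {',
]


def get_path(obj, dotted):
    """Resolve a dotted path like 'process.exe_file.hashes.sha256' in nested dicts.
    Returns None if any segment is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def match_hashes(raw_events, watchlist, field="process.exe_file.hashes.sha256",
                 host_substring=None):
    """Return the parsed events whose hash at `field` is in `watchlist`.

    Hash comparison is case-insensitive because tooling disagrees on hex case.
    `host_substring`, when given, mimics the hostname term in the LEQL query by
    keeping only events whose hostname contains that substring.
    """
    normalized = {h.lower() for h in watchlist}
    hits = []
    for line in raw_events:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip, do not abort the whole scan
        if host_substring and host_substring not in str(event.get("hostname", "")):
            continue
        value = get_path(event, field)
        if isinstance(value, str) and value.lower() in normalized:
            hits.append(event)
    return hits


def hit_summary(raw_events, watchlist, host_substring=None):
    """Compact (hostname, process name) pairs for the matched events."""
    return [(e["hostname"], e["process"]["name"])
            for e in match_hashes(raw_events, watchlist, host_substring=host_substring)]


if __name__ == "__main__":
    print("all hosts:", hit_summary(SAMPLE_EVENTS, WATCHLIST_SHA256))
    print("eu-west-1 only:", hit_summary(SAMPLE_EVENTS, WATCHLIST_SHA256,
                                         host_substring="eu-west-1.compute.internal"))
```

Two points the sample deliberately exercises: an event that carries only an MD5 never matches (which is why a SHA-256-only watchlist needs the process start telemetry rather than the MD5-only threat feed), and hash case is normalized before comparison so a watchlist pasted from another tool still matches.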
We just got InsightIDR (technically it’s not purchased yet, we are in POC). How would I go about getting to the Enhanced Endpoint Telemetry logs to do that?
I checked your account and Enhanced Endpoint Telemetry is currently enabled, so as long as you have agents installed and running, the logs should be flowing into the Endpoint Activity Logset.