Detection rules - Add Threat in InsightIDR

In “add threat”, the interface shows you can enter an MD5. Is that the only hash type it will actually accept? I’m wanting to add a threat and have a whole list of hashes, but I only have the SHA2. I’m hoping it’s just labeled incorrectly and will work with multiple hash types.

Brian

Only MD5 as it stands, unfortunately. As an alternative, you could create custom alerts to key off of process start logs if you happen to have Enhanced Endpoint Telemetry, as the SHA appears in those log events.

David


Update: sorry, misread your reply. We do have EET, so possibly I can use that info.

No, I only have the reported hashes from a symantec report. Thank you for the reply.

Brian

If you have the hashes you could create a custom alert against Endpoint Activity → Process Start Events.

[Screenshot omitted: a process start event from the Endpoint Activity log set]

Note this example is for a Linux machine, but we can see the nested JSON contains the sha256.

An example query for this machine and 2 hashes would be:

where(eu-west-1.compute.internal process.exe_file.hashes.sha256 IN ["d45d0317aeee450fc40b9134457c842eec25bf147b9f90528f3f715b20697613","7bcbf925e9c76b97654810d1887351baf026144e09183fc08e64822fcc417b5a"])

David

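The check David describes, carried out offline as an added example (not InsightIDR's query language, schema or code): the SHA-256 values from the report are normalised and matched against the nested JSON of constructed process start events. The event field names follow the thread's query and are assumptions, not the vendor schema.

```python
import json
import re

# Hash type by hex length: the Add Threat form takes MD5 only, while the report
# and the EET process start events carry SHA-256, so the type must be tracked.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

def normalize_hashes(raw_hashes):
    """Group indicator hashes by type, lowercased; reject anything that is not hex."""
    grouped = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in raw_hashes:
        h = h.strip().lower()
        kind = HASH_TYPES.get(len(h))
        if kind is None or not re.fullmatch(r"[0-9a-f]+", h):
            raise ValueError(f"not a recognised hash: {h!r}")
        grouped[kind].add(h)
    return grouped

def get_path(obj, path):
    """Walk a dotted path such as 'process.exe_file.hashes.sha256' into nested JSON."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def match_process_starts(event_lines, raw_hashes):
    """Return (hostname, hash_type, hash, exe_path) for each event whose executable
    hash is on the indicator list; events without the hash field are skipped."""
    wanted = normalize_hashes(raw_hashes)
    hits = []
    for line in event_lines:
        event = json.loads(line)
        for kind, known in wanted.items():
            value = get_path(event, f"process.exe_file.hashes.{kind}")
            if known and value and value.lower() in known:
                hits.append((event.get("hostname"), kind, value.lower(),
                             get_path(event, "process.exe_file.path")))
    return hits

# Constructed sample events (assumed field layout, mimicking the thread's query).
SAMPLE_EVENTS = [
    json.dumps({"hostname": "ip-10-0-0-5.eu-west-1.compute.internal", "process": {"exe_file": {
        "path": "/tmp/payload", "hashes": {"sha256": "D45D0317AEEE450FC40B9134457C842EEC25BF147B9F90528F3F715B20697613"}}}}),
    json.dumps({"hostname": "ws01", "process": {"exe_file": {"path": "C:\\Windows\\notepad.exe",
        "hashes": {"sha256": "0" * 64}}}}),  # constructed benign hash, no match
    json.dumps({"hostname": "ws02", "process": {"name": "no-hash-field"}}),
]
INDICATORS = ["d45d0317aeee450fc40b9134457c842eec25bf147b9f90528f3f715b20697613",
              "7bcbf925e9c76b97654810d1887351baf026144e09183fc08e64822fcc417b5a"]
```

Case is normalised on both sides because hash case differs between reports and log sources, and any hash of an unrecognised length is rejected rather than silently ignored.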

We just got InsightIDR (technically it’s not purchased yet, we are in POC). How would I go about getting to the Enhanced Endpoint Telemetry logs to do that?

LOL, I was posting at same time to ask how. Thank you.

I checked your account and Enhanced Endpoint Telemetry is currently enabled, so as long as you have agents installed and running, the logs should be flowing into the Endpoint Activity Logset.

David

Perfect! Thank you again.

Brian