https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/389283#M578 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/47142">@dfalcon</a>&nbsp;Still looking for this but I wanted to ask here also.&nbsp; Is it then possible to change the Alert Severity of the Alert Name = "Administrative Hash Exception" from LOW (which it appears to default to now) to Medium, so that an INCIDENT is created.&nbsp; Right now it will BLOCK but no Incident is created, as its LOW Severity alert.</P> Fri, 05 Mar 2021 03:47:10 GMT KRisselada 2021-03-05T03:47:10Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/335238#M186 <P>Dear team,</P><P>&nbsp;</P><P>is it possible to block IOC based md5 hashes in cortex xdr?</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 25 Jun 2020 09:17:04 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/335238#M186 Marsooq-Akkaradathil 2020-06-25T09:17:04Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/338682#M196 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133144">@Marsooq-Akkaradathil</a>&nbsp;-</P><P>&nbsp;</P><P>Yes.&nbsp; Go to Response &gt; Action Center &gt; Blacklist &gt; New Action.&nbsp; From there either enter the MD5 entry or import a list of them.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dfalcon_0-1594823306787.png" style="width: 858px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26790i840E8255D07B1CB4/image-dimensions/858x429/is-moderation-mode/true?v=v2" width="858" height="429" role="button" title="dfalcon_0-1594823306787.png" alt="dfalcon_0-1594823306787.png" /></span></P><P>&nbsp;</P> Wed, 15 Jul 2020 14:29:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/338682#M196 dfalcon 2020-07-15T14:29:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/389283#M578 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/47142">@dfalcon</a>&nbsp;Still looking for this but I wanted to ask here also.&nbsp; Is it then possible to change the Alert Severity of the Alert Name = "Administrative Hash Exception" from LOW (which it appears to default to now) to Medium, so that an INCIDENT is created.&nbsp; Right now it will BLOCK but no Incident is created, as its LOW Severity alert.</P> Fri, 05 Mar 2021 03:47:10 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/389283#M578 KRisselada 2021-03-05T03:47:10Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/390123#M585 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/166820">@KRisselada</a>-</P><P>&nbsp;</P><P>From the alert, what is listed as the source?</P> Tue, 09 Mar 2021 21:44:39 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/390123#M585 dfalcon 2021-03-09T21:44:39Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/390130#M586 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/47142">@dfalcon</a>&nbsp;its Alert Source = XDR Agent, Alert Name = Administrative Hash Exception</P><P>Its set as Low, with regard to Severity, I wondered if I could adjust the Sev from the default Low, to say Medium. I wondered if Scoring Rules (within Incident Management) might do that, but does not seem to be, or I am not doing it correctly.</P> Tue, 09 Mar 2021 21:51:46 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/390130#M586 KRisselada 2021-03-09T21:51:46Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/390473#M594 <P>actually SHA256 only. there is no provision for providing and MD5 hash that we can see. And even if we try to add an MD5, the system doesn't accept any MD5 hashes</P> Thu, 11 Mar 2021 08:46:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/390473#M594 QDSupportUser 2021-03-11T08:46:23Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/390803#M604 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/39193">@QDSupportUser</a>&nbsp;actually I didn't come up with the subject line that indicated MD5.&nbsp; But the goal (via SHA256) was close.&nbsp; Essentially was looking to have an Incident created from an alert named&nbsp;<SPAN>Administrative Hash Exception, which seems to be by default set to LOW.&nbsp; I was looking to make that an Incident.&nbsp;&nbsp;<BR /><BR />So to restate here was looking to:<BR /></SPAN></P><UL><LI><SPAN>add Hash to Block list, have Alert generated (done, this works<span class="lia-unicode-emoji" title=":thumbs_up:">👍</span>)</SPAN></LI><LI><SPAN>Have that alert create an Incident (does not do that now <span class="lia-unicode-emoji" title=":thumbs_down:">👎</span>, I believe because the Severity of the alert is set to Low)</SPAN><UL><LI><SPAN>I also don't wish to have EVERY Low Sev alert become an Incident, just the "Administrative Hash Exception" alerts</SPAN></LI></UL></LI></UL><P><SPAN>Hope that helps.</SPAN></P> Fri, 12 Mar 2021 00:51:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-md5-hashes/m-p/390803#M604 KRisselada 2021-03-12T00:51:41Z