This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Block md5 hashes

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Block md5 hashes

Marsooq-Akkaradathil
L1 Bithead

‎06-25-2020 02:17 AM

Dear team,

 

is it possible to block IOC based md5 hashes in cortex xdr?

 

 

0 Likes Likes
6 REPLIES 6

dfalcon
L4 Transporter

‎07-15-2020 07:29 AM

Hi @Marsooq-Akkaradathil -

 

Yes.  Go to Response > Action Center > Blacklist > New Action.  From there either enter the MD5 entry or import a list of them.

 

dfalcon_0-1594823306787.png

 


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

KRisselada
L2 Linker
In response to dfalcon

‎03-04-2021 07:47 PM

Hi @dfalcon Still looking for this but I wanted to ask here also.  Is it then possible to change the Alert Severity of the Alert Name = "Administrative Hash Exception" from LOW (which it appears to default to now) to Medium, so that an INCIDENT is created.  Right now it will BLOCK but no Incident is created, as its LOW Severity alert.

0 Likes Likes

dfalcon
L4 Transporter
In response to KRisselada

‎03-09-2021 01:44 PM

Hi @KRisselada-

 

From the alert, what is listed as the source?


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
0 Likes Likes

KRisselada
L2 Linker
In response to dfalcon

‎03-09-2021 01:51 PM

@dfalcon its Alert Source = XDR Agent, Alert Name = Administrative Hash Exception

Its set as Low, with regard to Severity, I wondered if I could adjust the Sev from the default Low, to say Medium. I wondered if Scoring Rules (within Incident Management) might do that, but does not seem to be, or I am not doing it correctly.

0 Likes Likes

QDSupportUser
L0 Member
In response to dfalcon

‎03-11-2021 12:46 AM

actually SHA256 only. there is no provision for providing and MD5 hash that we can see. And even if we try to add an MD5, the system doesn't accept any MD5 hashes

0 Likes Likes

KRisselada
L2 Linker
In response to QDSupportUser

‎03-11-2021 04:51 PM

Thanks @QDSupportUser actually I didn't come up with the subject line that indicated MD5.  But the goal (via SHA256) was close.  Essentially was looking to have an Incident created from an alert named Administrative Hash Exception, which seems to be by default set to LOW.  I was looking to make that an Incident.  

So to restate here was looking to:

  • add Hash to Block list, have Alert generated (done, this works👍)
  • Have that alert create an Incident (does not do that now 👎, I believe because the Severity of the alert is set to Low)
    • I also don't wish to have EVERY Low Sev alert become an Incident, just the "Administrative Hash Exception" alerts

Hope that helps.

0 Likes Likes
  • 5604 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks