Block md5 hashes

Dear team,

Is it possible to block IOC-based MD5 hashes in Cortex XDR?


Hi @Marsooq-Akkaradathil -

Yes. Go to Response > Action Center > Blacklist > New Action. From there either enter the MD5 entry or import a list of them.

David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
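When importing a list rather than typing a single entry, it helps to check the file first, since the blacklist described above takes MD5 values. The following is an added example (my own code, not Palo Alto's and not from this thread) that normalises an IoC feed to lower-case MD5 entries, drops duplicates, and reports lines that are not MD5 hashes (for example SHA256 values) so they are not silently lost; the feed format with optional `md5:` prefixes and CSV comments is an assumption.

```python
import re
from typing import Iterable

# An MD5 digest is exactly 32 hexadecimal characters; we compare in lower case.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_ioc_lines(lines: Iterable[str]) -> tuple[list[str], list[str]]:
    """Split an IoC feed into (accepted_md5_list, rejected_lines).

    Accepted entries are unique, lower-case MD5 hashes in first-seen order.
    Blank lines and '#' comments are skipped silently; everything else that
    is not an MD5 (other hash types, typos) is returned as rejected so an
    analyst can review it instead of assuming it was blocked.
    """
    seen: set[str] = set()
    accepted: list[str] = []
    rejected: list[str] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Assumed feed conventions: "hash,comment" CSV rows and an optional
        # "md5:" prefix, both common in hand-maintained indicator lists.
        token = line.split(",", 1)[0].strip().lower()
        if token.startswith("md5:"):
            token = token[len("md5:"):]
        if MD5_RE.fullmatch(token):
            if token not in seen:
                seen.add(token)
                accepted.append(token)
        else:
            rejected.append(line)
    return accepted, rejected


def render_import_list(md5s: list[str]) -> str:
    """One hash per line, trailing newline, ready to upload as the import file."""
    return "".join(h + "\n" for h in md5s)


# Constructed sample feed: mixed case, a duplicate, a comment, a SHA256 and junk.
SAMPLE_FEED = """# sample indicators (constructed for this example)
D41D8CD98F00B204E9800998ECF8427E,dropper
d41d8cd98f00b204e9800998ecf8427e,same hash again
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,sha256 not md5
md5:9e107d9d372bb6826bd81d3542a419d6
not-a-hash
""".splitlines()

if __name__ == "__main__":
    ok, bad = parse_ioc_lines(SAMPLE_FEED)
    print(render_import_list(ok), end="")
    print("rejected:", bad)
```

Run it over your real feed and review the rejected lines before importing; anything listed there was not turned into a blacklist entry.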

Hi @dfalcon, still looking for this, but I wanted to ask here also. Is it then possible to change the Alert Severity of the Alert Name = "Administrative Hash Exception" from LOW (which it appears to default to now) to Medium, so that an INCIDENT is created? Right now it will BLOCK, but no Incident is created, as it's a LOW Severity alert.

Hi @KRisselada-

From the alert, what is listed as the source?

David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

@dfalcon, it's Alert Source = XDR Agent, Alert Name = Administrative Hash Exception.

It's set as Low with regard to Severity. I wondered if I could adjust the Sev from the default Low to, say, Medium. I wondered if Scoring Rules (within Incident Management) might do that, but it does not seem to, or I am not doing it correctly.