Apr 29 2024 11:32 AM
So, I have set up some playbooks that allow me to add IPs/Domains/File Hashes to the MDE Indicators list, which is awesome to have and saves time when we need to block malicious entities. However, I have not found a great way for Sentinel to give me more information regarding File Hashes.
Really, my main worry with just a list of hashes in an incident is not knowing the file name for each hash, like so:
So, in this case, I am to just assume that both file hashes go to the 'FileCoAuth' file. Easy enough. But, are there ever cases where something like msedge.exe shows up in this list of file hashes? Right now, I feel like in this 'Info' tab, it might be more helpful to have 'File Name', but I might be looking at this all wrong.
I guess, I am just looking for some guidance into this entity so that I don't accidentally block the wrong file and end up breaking systems.
Even if these hashes only ever correspond to the one file entity in the incident, I am still a bit confused at how little data comes over into this. Even for the File entity:
Great, I know the name of the file and the path.. However, over in Defender, I get TONS of info for the file, including all the hashes connected to it, First seen / last seen, basic VirusTotal info, and a bunch of other items. Am I expecting too much by hoping that we wouldn't have to jump over to Defender? We set up Sentinel with the hopes of making it the go-to, but still find ourselves going right back to Defender for investigations and I wasn't sure if there was something that I am missing in this setup, or if there was a way to get more data enrichment without having to pay VirusTotal's insane bill (we are SMB and were quoted 90k per year, minimum). Even then, when Defender has some of the basic VirusTotal info, I was hoping Sentinel would have that and more..