Hash types & watchlists

Contributor

Hi, when creating watchlists, up to this point, if I have an IOC filename & the MD5, SHA1 & SHA256 hashes, I would add all entries onto the watchlist.

I recently discovered that in 365 Defender, there is no need to add all 3 as only the longest will be obeyed.

Therefore, what's the best practice for Sentinel? Should I/do I need to add all 3 hash versions?

0 Replies