How to handle data not registered in the IOC Database
Genian Insights E provides Threat Detection & Response against known threats using its IOC (Indicators of Compromise) Database. The IOC Database is updated regularly, but Genian Insights E also provides the Custom IOC Management function, which lets users register and detect malicious programs or malicious IPs that are not yet in the database. A malicious program is registered by its MD5 hash value. Because the hash identifies the exact file contents, a recompiled or repacked variant of the same program has a different MD5 and needs its own entry.
In Genian Insights E you can look up the MD5 hash of a program from the process information the agent collects after it is installed.
How to check the MD5 hash value
- Go to the Discovery > Endpoint menu. The process information collected by the agent is displayed; double-click the file you want to register in the list.
- Among the selectable field items, you can check the MD5 Hash information.
With the value confirmed, register it by following the section below that matches its type.
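The following script is an added example (not Genian code) for cross-checking the MD5 value shown under Discovery > Endpoint against a local copy of the file before registering it. It hashes the file in chunks, normalises the value to the lowercase 32-character form, and rejects values that are not MD5 at all (a SHA-1 or SHA-256 pasted into the hash field would never match anything). The sample file and the "agent value" in demo() are constructed for illustration.

```python
"""Compute and validate MD5 hashes before registering them as custom IOCs.

Added example, not part of Genian Insights E. The product matches custom
Malware Hashes / Goodware Hashes by MD5, so the registered value must be
the MD5 of the exact file the agent observed.
"""
import hashlib
import os
import re
import tempfile

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
CHUNK = 1 << 20  # read 1 MiB at a time so large binaries need not fit in memory


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str) -> str:
    """MD5 hex digest of a file, computed incrementally."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_md5(value: str) -> str:
    """Return the canonical lowercase MD5 hex string, or raise ValueError.

    Strips whitespace and case differences that creep in when a value is
    copied from a UI, and refuses anything that is not 32 hex characters
    (e.g. a 40-char SHA-1 or 64-char SHA-256).
    """
    v = value.strip().lower()
    if not MD5_HEX.match(v):
        raise ValueError(f"not an MD5 hex digest (32 hex chars): {value!r}")
    return v


def is_valid_md5(value: str) -> bool:
    """True if value is a well-formed MD5 hex digest."""
    try:
        normalize_md5(value)
        return True
    except ValueError:
        return False


def matches_agent_value(path: str, agent_value: str) -> bool:
    """True if the local file's MD5 equals the hash reported by the agent."""
    return md5_of_file(path) == normalize_md5(agent_value)


def demo() -> dict:
    """Hash a constructed sample file and compare it with a constructed agent value."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"abc")  # constructed sample content
        # Constructed value, as if copied from Discovery > Endpoint
        # (upper case and surrounding whitespace on purpose).
        agent_value = " 900150983CD24FB0D6963F7D28E17F72 "
        return {
            "file_md5": md5_of_file(path),
            "matches_agent": matches_agent_value(path, agent_value),
            "sha256_rejected": not is_valid_md5(hashlib.sha256(b"abc").hexdigest()),
        }


if __name__ == "__main__":
    print(demo())
```

Run it against the real file with `md5_of_file(path)` and compare with the value from the Endpoint view; if they differ, the agent saw a different build of the program and the local copy is not the one to register.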
Malware Hash
Add Malware Hashes
- Go to the Policy > Custom IOC Management > Malware Hashes menu and click the Add button at the top.
- Enter the hash value (required) and any other necessary information, then click the Save button.
Item | Description |
---|---|
Response-Detection Only | When a registered Malware Hash is detected, only the relevant information and tags are displayed in the corresponding column of the Analysis tab on the Users page; no action is taken on the user's PC. |
Response-Detection and Response | When a registered Malware Hash is detected, the related information and tags are displayed in the corresponding column of the Analysis tab on the Users page, and the Actions configured in Genian NAC (Users custom tag) are executed. The response settings follow the Threat Detector plugin settings. |
Response-Prevention | When a file whose hash is registered as a Malware Hash is executed on an endpoint whose agent has received the registered data, the agent blocks it immediately and displays a blocking notification message on the user's PC. |
Edit Malware Hashes
- Go to the Policy > Custom IOC Management > Malware Hashes menu and click the hash you want to modify in the list.
- Any information except the hash value can be edited.
- Clicking the external link button on the hash edit page looks up the hash value on the pre-registered external search site.
Delete Malware Hashes
- Go to the Policy > Custom IOC Management > Malware Hashes menu and select the checkbox of each hash to delete in the list, then click the Delete button once it becomes active.
- A confirmation pop-up window appears; click the OK button.
Malicious IP
Add Malicious IP
- Go to Policy > Custom IOC Management > Malicious IP menu and click the Add button at the top.
- Under Classification, select Single, Subnet, or Address Range. Enter the IP (required) and any other necessary information, then click the Save button.
Item | Description |
---|---|
Response-Detection Only | When a registered Malicious IP is detected, only the relevant information is displayed in the corresponding column of the Analysis tab on the Users page; no action is taken on the user's PC. |
Response-Detection and Response | When a registered Malicious IP is detected, the related information and tags are displayed in the corresponding column of the Analysis tab on the Users page, and the configured Actions (Users custom tag) are executed. The response settings follow the Threat Detector plugin settings. |
Edit Malicious IP
- Go to the Policy > Custom IOC Management > Malicious IP menu and click the IP you want to modify in the list.
- Any information except the IP can be edited.
Delete Malicious IP
- Go to the Policy > Custom IOC Management > Malicious IP menu and select the checkbox of each IP to delete in the list, then click the Delete button once it becomes active.
- A confirmation pop-up window appears; click the OK button.
Goodware Hash
A file that is registered in the IOC (Indicator of Compromise) Database, and is therefore detected, may nevertheless be judged to be a normal file, for example when the IOC Database has not yet been updated and the detection is a false positive. Users can register the file's information here directly to handle it as an exception.
Add Goodware Hashes
- Go to Policy > Custom IOC Management > Goodware Hashes menu and click the Add button at the top.
- Enter the hash (MD5) value (required) and any other necessary information, then click the Save button. Confirm that the file is legitimate, for example with the external link lookup on the edit page, before registering it: a Goodware Hash exempts every file with that exact MD5 from detection.
Edit Goodware Hashes
- Go to the Policy > Custom IOC Management > Goodware Hashes menu and click the MD5 hash you want to edit in the list.
- Any information except the hash (MD5) value can be modified.
- Clicking the external link button on the Goodware Hashes edit page looks up the MD5 hash value on the pre-registered external search site.
Delete Goodware Hashes
- Go to the Policy > Custom IOC Management > Goodware Hashes menu and select the checkbox of each MD5 hash to delete in the list, then click the Delete button once it becomes active.
- A confirmation pop-up window appears; click the OK button.
Good IP
Add Good IPs
- Go to the Policy > Custom IOC Management > Good IPs menu and click the Add button at the top.
- Under Classification, select Single, Subnet, or Address Range. Enter the IP (required) and any other necessary information, then click the Save button. Prefer a Single entry, or the narrowest Subnet or Address Range that covers the case, since every address inside the entry is treated as a Good IP.
- For a Network Event, you can also add a Good IP by clicking the 'Register as Good IPs' button in Analysis > Management > Attack Storyline.
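The Malicious IP and Good IPs sections above both classify an entry as a Single address, a Subnet, or an Address Range. The script below is an added example (not Genian code) that dry-runs such a list: it normalises each entry, reports rows that would be invalid (a range whose start is above its end, a non-IP string), and shows which entries an observed IP falls under. The entry syntax it accepts (CIDR for a subnet, "start-end" for a range) and the sample list are assumptions for illustration, not the product's own input format.

```python
"""Dry-run a Single / Subnet / Address Range IP list before registering it.

Added example, not part of Genian Insights E. Entry syntax (CIDR for a
subnet, "start-end" for a range) is assumed for illustration only.
"""
import ipaddress


def parse_entry(kind: str, text: str):
    """Normalise one entry to (kind, object); raise ValueError on bad input."""
    text = text.strip()
    if kind == "single":
        return ("single", ipaddress.ip_address(text))
    if kind == "subnet":
        # strict=False accepts a host address with a prefix
        # (192.0.2.77/28 is normalised to 192.0.2.64/28).
        return ("subnet", ipaddress.ip_network(text, strict=False))
    if kind == "range":
        start_s, end_s = (p.strip() for p in text.split("-", 1))
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range (start must not exceed end): {text}")
        return ("range", (start, end))
    raise ValueError(f"unknown classification: {kind}")


def entry_contains(entry, ip: str) -> bool:
    """True if the observed address ip falls inside the parsed entry."""
    kind, obj = entry
    addr = ipaddress.ip_address(ip)
    if kind == "single":
        return addr == obj
    if kind == "subnet":
        return addr.version == obj.version and addr in obj
    start, end = obj
    # Mixed-version comparisons raise TypeError, so check the version first.
    return addr.version == start.version and start <= addr <= end


def check_list(raw_entries):
    """Parse a whole list; return (parsed, errors) so one bad row does not hide the rest."""
    parsed, errors = [], []
    for kind, text in raw_entries:
        try:
            parsed.append((kind, text, parse_entry(kind, text)))
        except ValueError as exc:
            errors.append((kind, text, str(exc)))
    return parsed, errors


def lookup(parsed, ip: str):
    """Return the raw text of every parsed entry that contains ip."""
    return [text for _kind, text, entry in parsed if entry_contains(entry, ip)]


# Constructed sample list (documentation ranges from RFC 5737 and a private net).
SAMPLE_ENTRIES = [
    ("single", "203.0.113.10"),
    ("subnet", "198.51.100.0/24"),
    ("subnet", "192.0.2.77/28"),          # host bits set; normalised to 192.0.2.64/28
    ("range", "10.10.5.20 - 10.10.5.40"),
    ("range", "10.10.6.40-10.10.6.20"),   # start > end: rejected
    ("single", "not-an-ip"),              # rejected
]


def sample_errors():
    """Rows of SAMPLE_ENTRIES that would be rejected."""
    return check_list(SAMPLE_ENTRIES)[1]


def sample_lookup(ip: str):
    """Entries of SAMPLE_ENTRIES that contain ip."""
    parsed, _errors = check_list(SAMPLE_ENTRIES)
    return lookup(parsed, ip)


if __name__ == "__main__":
    for row in sample_errors():
        print("rejected:", row)
    for ip in ("198.51.100.200", "192.0.2.70", "10.10.5.33", "10.10.5.41"):
        print(ip, "->", sample_lookup(ip))
```

Running `sample_lookup` over the addresses from a suspicious Network Event before saving a Good IP entry shows exactly which registered rows would cover them, which is the quickest way to notice that a Subnet or Address Range is wider than intended.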
Edit Good IPs
- Go to the Policy > Custom IOC Management > Good IPs menu and click the IP you want to modify in the list.
- Any information except the IP can be edited.
Delete Good IPs
- Go to the Policy > Custom IOC Management > Good IPs menu and select the checkbox of each IP to delete in the list, then click the Delete button once it becomes active.
- A confirmation pop-up window appears; click the OK button.