I just found something totally ridiculous in the SIEM and figured I'd share it. I was looking at events in the SIEM from ePO and noticed the sha1 and sha256 file hashes provided from ePO (mainly from TIE) have a 0x in the front of every value because it is a hexadecimal. Unfortunately, normal STIX feeds along with other data sources (like Cisco Firepower) do not normally have a 0x in front of their values, making correlation impossible without customizing the parser to add a 0x in the sha1 and sha256 fields. Further complicating matters... ePO events show sha values in mixed or lower case. In feeds like US-CERT, the values imported via the ESM Cyber Threat Feed feature, STIX or TAXII values are provided (without the 0x) and tend to be in upper case. I just tested attempting to find a TIE hash after converting a known TIE file sha1 hash into upper case and failed to find it in the ESM (because the search is case sensitive).
This is a big problem because I have several correlation rules looking for hash values for things like HIDDEN COBRA files, and this effectively breaks those rules since there is no way in a correlation rule to make things case insensitive!
Now we have three issues:
1. Any BackTrace would miss SHA256 and SHA1 values provided by ePO because they would not have a 0x in the SHA256 or SHA1 fields
2. If TIE were to see something like a defined HIDDEN COBRA hash, it wouldn't cause the correlation rule to alert because the values defined in the watchlist don't have a 0x in them
3. Other data sources like a Cisco Firepower IPS (which also displays sha256 values but not in the correct field!) would not properly correlate with TIE events because it doesn't have a 0x in the hash value
In order to fix the issue I have to:
1. Alter the Firepower Parser to place the SHA256 value in the SHA256 field
2. Alter the Firepower Parser to append a 0x before the SHA256 value in the SHA256 field
3. Alter all of the values in my various SHA256 and SHA1 watchlists to have a 0x before each line item
4. Convert all of the values in the SHA256 and SHA1 watchlists to lowercase
5. Hope that all SHA256 and SHA1 values provided by my data sources (including ePO) are in lowercase
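The watchlist conversion described in the post (add the 0x, force lowercase) can be scripted outside the SIEM before import. The following is an added example, not part of the original post and not vendor code; the function names are hypothetical and the sample digests are constructed from made-up strings, not real indicators.

```python
import hashlib
import re

HASH_HEX_LEN = {"sha1": 40, "sha256": 64}   # hex digits per hash type
_HEX = re.compile(r"[0-9a-f]+")


def canonical_hash(value, kind):
    """Bare lowercase hex digest, or None if value is not a well-formed `kind` hash."""
    text = value.strip().lower()
    if text.startswith("0x"):               # ePO/TIE style prefix (also catches 0X)
        text = text[2:]
    if len(text) != HASH_HEX_LEN[kind] or not _HEX.fullmatch(text):
        return None
    return text


def convert_watchlist(lines, kind):
    """Rewrite feed entries as 0x + lowercase; return (converted, rejected)."""
    converted, rejected = [], []
    for line in lines:
        if not line.strip():
            continue                         # skip blank lines in the feed export
        digest = canonical_hash(line, kind)
        if digest is None:
            rejected.append(line.strip())    # wrong length or non-hex: review by hand
        elif "0x" + digest not in converted:
            converted.append("0x" + digest)  # de-duplicate, keep original order
    return converted, rejected


# Constructed sample data: the digest of a made-up string.
SAMPLE = hashlib.sha256(b"constructed sample file").hexdigest()
# Feed export: upper case without 0x, a duplicate with 0x, a blank line,
# a junk line, and a 40-character value that does not belong in a SHA256 list.
FEED = [SAMPLE.upper(), "0x" + SAMPLE, "  ", "NOT-A-HASH", SAMPLE[:40]]
# Event value as the post describes ePO sending it: 0x prefix, mixed case.
EPO_EVENT_VALUE = "0x" + SAMPLE[:32].upper() + SAMPLE[32:]

if __name__ == "__main__":
    watchlist, rejected = convert_watchlist(FEED, "sha256")
    print("exact match against raw feed:", EPO_EVENT_VALUE in FEED)
    normalized = "0x" + canonical_hash(EPO_EVENT_VALUE, "sha256")
    print("match after normalizing both sides:", normalized in watchlist)
    print("rejected entries:", rejected)
```

The converted list only matches events whose hash is already lowercase, so mixed-case event values still need the same normalization on the parser side.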