How to confirm hash values added to EDR blocklist are getting blocked.


Article ID: 212872


Products

- Advanced Threat Protection Platform
- Endpoint Detection and Response
- Endpoint Protection with Endpoint Detection and Response

Issue/Introduction

Is there a report, on the EDR side or the SEPM side, that lists which of the hash values on the EDR blocklist (Deny list) have actually been blocked?


Cause

- The Endpoint Detection and Response (EDR) 4.6 UI contains three reports: "Executive Report", "Incident Details Report", and "Exports Report". None of them is a dedicated "blocked Deny list hashes" report.
- Combined, the Search>Database>Events page and the "Exports Report" let you check whether a Deny list entry has produced block events.

Resolution

To confirm blocks of a single item on the EDR Deny list

  1. On Policies> Deny, click the clipboard symbol next to the hash whose blocks you want to confirm.
    This action copies the hash to the clipboard.

  2. On Search>Database>Events, right click on the Search... line, then click Paste.
  3. Click the magnifying glass to start the search.
  4. Once results occur, you can export those results. To the right of the number of results, click the downward pointing caret, then click Export.
  5. On the dialog box that appears, either type a unique name for the Report or paste the SHA256 hash into the Report name field.
  6. Click OK.
  7. On the Reports page, hover the mouse over the Exports Report, then click View.
  8. On the list of Reports, click the Report name to highlight the row.
  9. Follow the highlighted row to the right and click on the Download icon to download the report.


Additional Information

To search for blocks of all items on the EDR Deny list

  1. On Search>Database>Events, click on the Search... line, then type: rule_id: BlacklistRule-MD5 OR rule_id: BlacklistRule-SHA256
  2. Click the magnifying glass to start the search.
  3. Once results occur, you can export those results. To the right of the number of results, click the downward pointing caret, then click Export.
  4. On the dialog box that appears, type a unique name for the Report in the Report name field (this search covers every Deny list hash, so there is no single hash to paste).
  5. Click OK.
  6. On the Reports page, hover the mouse over the Exports Report, then click View.
  7. On the list of Reports, click the Report name to highlight the row.
  8. Follow the highlighted row to the right and click on the Download icon to download the report.
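Once the export has been downloaded, checking every Deny list entry by hand does not scale. The following script is an added example for both procedures above (the single-hash search and the all-items search); it is not code from the article or from the product vendor. It assumes the Exports Report downloads as a CSV with a `rule_id` column and a column holding the file hash (named `file_hash` here, which is an assumption to verify against a real download), and the Deny list text, the CSV rows and the column names are all constructed. It counts block events per hash using the two rule IDs from the search above, then reports which Deny list entries were seen blocking, which produced no events, and which blocking hashes are not on the list you loaded. A hash with no events only means no endpoint reported a match in the searched time range; it does not by itself show that the Deny list entry is wrong.

```python
"""Reconcile an EDR Deny list against exported block events.

Added example, not from the article. The export layout (a CSV with
'rule_id' and 'file_hash' columns) and every sample row below are
constructed assumptions, not real product output.
"""
import csv
import io
import re
from collections import Counter

# The two rule IDs the article searches for to find Deny list blocks.
BLOCK_RULE_IDS = {"BlacklistRule-MD5", "BlacklistRule-SHA256"}

_HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$")


def normalize_hash(value):
    """Lower-case a digest and reject anything that is not MD5/SHA256 hex.

    The Deny list UI and the export may differ in letter case, so compare
    on a normalized form rather than the raw strings.
    """
    digest = value.strip().lower()
    if not _HEX_DIGEST.match(digest):
        raise ValueError(f"not an MD5 or SHA256 hex digest: {value!r}")
    return digest


def load_deny_list(text):
    """Parse one hash per line; blank lines and '#' comments are ignored."""
    hashes = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            hashes.add(normalize_hash(entry))
    return hashes


def count_blocks(csv_text, hash_column="file_hash"):
    """Count block events per hash in an exported events CSV.

    Only rows whose rule_id is a Deny list rule count, so other event
    types that happen to be in the same export are ignored. Rows with a
    missing or unparseable hash are skipped rather than aborting the run.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("rule_id") not in BLOCK_RULE_IDS:
            continue
        try:
            counts[normalize_hash(row[hash_column])] += 1
        except (KeyError, ValueError):
            continue
    return counts


def reconcile(deny_list, counts):
    """Split the Deny list into entries seen blocking and entries never seen.

    Returns (blocked, silent, unexpected):
      blocked    - {hash: number of block events} for Deny list entries
      silent     - Deny list entries with no block event in the export
      unexpected - hashes that blocked but are not in the Deny list you
                   loaded (stale export, or a list that is out of sync)
    """
    blocked = {h: counts[h] for h in deny_list if counts.get(h)}
    silent = sorted(deny_list - set(blocked))
    unexpected = sorted(set(counts) - deny_list)
    return blocked, silent, unexpected


# Constructed sample data: MD5 and SHA256 of an empty file plus one
# made-up SHA256. Column names are an assumption about the export layout.
SAMPLE_DENY_LIST = """
# mixed case on purpose: the UI copy and the export may not agree
D41D8CD98F00B204E9800998ECF8427E
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

SAMPLE_EXPORT_CSV = """\
time,rule_id,file_hash,device_name
2021-06-01T10:00:00Z,BlacklistRule-MD5,D41D8CD98F00B204E9800998ECF8427E,HOST-01
2021-06-01T10:05:00Z,BlacklistRule-MD5,d41d8cd98f00b204e9800998ecf8427e,HOST-02
2021-06-01T10:07:00Z,BlacklistRule-SHA256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,HOST-01
2021-06-01T10:09:00Z,SomeOtherRule,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,HOST-03
2021-06-01T10:11:00Z,BlacklistRule-SHA256,not-a-hash,HOST-04
2021-06-01T10:13:00Z,BlacklistRule-SHA256,fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210,HOST-05
"""


def run_sample():
    """Reconcile the constructed sample; returns (blocked, silent, unexpected)."""
    deny = load_deny_list(SAMPLE_DENY_LIST)
    counts = count_blocks(SAMPLE_EXPORT_CSV)
    return reconcile(deny, counts)


if __name__ == "__main__":
    blocked, silent, unexpected = run_sample()
    for digest, n in sorted(blocked.items()):
        print(f"BLOCKED    {digest}  {n} event(s)")
    for digest in silent:
        print(f"NO EVENTS  {digest}")
    for digest in unexpected:
        print(f"NOT LISTED {digest}")
```

To use it on a real export, replace `SAMPLE_DENY_LIST` with the hashes copied from Policies> Deny and `SAMPLE_EXPORT_CSV` with the downloaded file's contents, and adjust `hash_column` if the export names the hash column differently. The `unexpected` list is worth reviewing as well: a blocking hash that is not on the list you believe is current usually means the export predates a Deny list change, or someone edited the list without telling you.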