Status: Closed (MakoWish closed this issue 1 year ago)
I think I also just had this, it matches on abuse.ch with some hash I can't even find in their database.
(8.12.2)
Honestly, it is crazy how much pops up at 99 criticality.
Will triple check to make sure I'm not complaining about a legit issue ;)
I would suggest adding steps to the investigation guideline that validate the alert against the threat intel sources.
Link to rule: threat_intel_indicator_match_hash.toml
Description
This rule currently watches for matches on "imphash" hashes. Unfortunately this may only mean a file was created in a similar manner to a malware sample, but it does not mean the file is inherently malicious. While an imphash may assist with forensics, this is unfortunately causing false positives to the point the rule is exceeding "the maximum alert limit for the rule execution". I am proposing the removal of "imphash" matches due to the infeasibility of investigating and whitelisting hashes based on imphash matches.
Example Data
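An added example (not from this issue or the detection-rules project) showing why an imphash match is a weaker signal than a content-hash match: two files with different bytes but the same import table share an imphash, and a triage helper ranks an indicator-match alert by the field it matched on. The import tables, file contents and alert are constructed; the imphash routine follows pefile's convention; the ECS-style field names are assumptions.

```python
import hashlib

def imphash(imports):
    """Import hash as pefile computes it: for each import, lowercase
    '<dll without .dll/.ocx/.sys>.<function>' (ordinals as 'ordN'),
    joined by commas in import-table order, then MD5."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base
        sym = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{sym}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()

def file_hashes(content, imports):
    """Hashes a threat-intel rule can match on: the content hash identifies
    these exact bytes, while the imphash only identifies the import table."""
    return {"sha256": hashlib.sha256(content).hexdigest(),
            "imphash": imphash(imports)}

# Constructed samples (not real binaries): two unrelated programs with
# different bytes that happen to import the same APIs in the same order.
SHARED_IMPORTS = [("KERNEL32.dll", "GetProcAddress"), ("KERNEL32.dll", "LoadLibraryA"),
                  ("USER32.dll", "MessageBoxA"), ("ADVAPI32.dll", 1234)]
FILE_A = file_hashes(b"MZ...constructed benign installer...", SHARED_IMPORTS)
FILE_B = file_hashes(b"MZ...constructed unrelated tool...", SHARED_IMPORTS)

WEAK = {"imphash"}                  # structural similarity only
STRONG = {"sha256", "sha1", "md5"}  # identifies the exact file

def triage(alert):
    """Rank an indicator-match alert by the (assumed ECS-style) fields it
    matched on: an imphash-only match needs corroboration before escalation,
    a content-hash match identifies the indicator's file itself."""
    matched = {m["field"].rsplit(".", 1)[-1] for m in alert["matches"]}
    if matched & STRONG:
        return "strong"
    if matched and matched <= WEAK:
        return "weak"
    return "none"

# Constructed alert of the kind the issue describes: only the imphash matched.
ALERT_IMPHASH_ONLY = {"matches": [
    {"field": "file.pe.imphash", "indicator": "threat.indicator.file.pe.imphash"}]}
```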