This guide is the first step of a larger process to enable auto remediations. After completing the steps on this page, you will be instructed to return to the Enable an Auto Remediation in Workbench guide to finish your setup.
This guide helps you set up your Elastic Security device so that you can enable the Block Bad Hashes auto remediation in Workbench. During the setup process, you will grant Expel all necessary permissions for the remediation to work.
How It Works
If our SOC identifies a hash that must be blocked, Workbench completes the action automatically unless it is specifically called out as a "Never block" asset (these hashes must be added as context and then configured in Workbench; see Step 2).
Quick Links
- Allow Appropriate Permissions in Your EDR Console
- Update Your Context
- Return to the Main Setup Guide
Step 1: Allow Appropriate Permissions In Your EDR Console
- Make sure you assign all necessary API permissions in the Elastic Elasticsearch Setup for Workbench guide.
- Elevate the Expel user to an Admin Level User Role to allow for blocking of hashes.
- Enable blocking of hashes on execution and write:
  - On the Elastic home screen, select the Settings page.
  - Enable the permissions for On Execution and On Write.
  - Enable the On Execution and On Write permissions for the Prevent and Quarantine category.
  - Select a user policy and select Blocklist.
Step 2: Update Your Context
If you do not want to specify any hashes for a "do not block" list, skip to Step 3.
Working with your engagement manager, add any hashes that should be on the "do not block" list as context for your environment. You will then be able to select those hashes as "Never block" assets when you enable the auto remediation in Workbench.
Note
If our SOC identifies a hash that must be blocked, any hashes added as "Never block" assets are assigned to you as actions rather than being blocked automatically.
Step 3: Return to the Main Setup Guide
Your Elastic Security device is now ready for the Block Bad Hashes auto remediation. You should now do one of the following:
- If you do not need to set up any other devices for this auto remediation, you can return to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process.
- If you need to set up additional devices for this auto remediation, or wish to use this device with multiple auto remediations, be sure to complete those setup guides as well before returning to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process. Make sure to follow the setup guide that is specific to your auto remediation, as device setup instructions are unique to each auto remediation and device.