# SIEM / EDR pull connectors
HashWatch is pull-based: your platform polls a feed on a schedule and uses the known-good hashes as an allowlist to suppress false positives or to enrich file events.
| Platform | How |
|---|---|
| Microsoft Sentinel | Threat Intelligence → Add TAXII server. API root https://api.hashwatch.us/taxii2/api/, collection 5f8a1c3e-0b2d-4e6f-8a1b-2c3d4e5f6a7b, no credentials. |
| Splunk | REST/scripted input polling https://api.hashwatch.us/public/feed.json into a lookup. |
| Elastic | Filebeat httpjson on the JSON feed, or the Threat Intel TAXII input on the TAXII root. |
| QRadar / OpenCTI / MISP | Subscribe to the TAXII 2.1 hashwatch-verified collection. |
| Anything | curl the JSON feed on a cron and write a SHA-256 allowlist. |
These are known-good (benign) indicators, not threat IOCs — configure your platform to treat them as allow/suppress, not alert.
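Added example for the "Anything" row (not HashWatch's own code): after a cron job has fetched the JSON feed with curl, this script turns it into a normalized SHA-256 allowlist and applies it as a suppression filter, skipping malformed entries rather than allowlisting them. The feed's field names (`indicators`, `sha256`) are an assumption; check the real feed's schema before relying on them.

```python
"""Build a SHA-256 allowlist from a pulled copy of the HashWatch JSON feed.
Typical cron pairing (feed URL from the page, script is added here):
  curl -sSf https://api.hashwatch.us/public/feed.json -o /var/lib/hashwatch/feed.json
  python3 hashwatch_allowlist.py /var/lib/hashwatch/feed.json > allowlist.txt
"""
import json
import re
import sys

# Known-good indicators are SHA-256, so anything else is rejected outright.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed stand-in for the fetched feed. The layout is an ASSUMPTION,
# not the documented schema; it exists so the example runs offline.
SAMPLE_FEED = json.dumps({
    "indicators": [
        {"sha256": "A" * 64, "name": "example.exe"},      # uppercase hex, keep
        {"sha256": "b" * 64, "name": "tool.dll"},
        {"sha256": "b" * 64, "name": "tool.dll"},         # duplicate, dedup
        {"sha256": "not-a-hash", "name": "bad.bin"},      # malformed, skip
        {"sha256": "c" * 63 + "z", "name": "bad2.bin"},   # bad hex digit, skip
    ]
})


def build_allowlist(feed_text):
    """Parse feed JSON into a set of lowercase SHA-256 hashes.
    Invalid or non-hex values are dropped so a broken feed entry can never
    silently suppress a real alert."""
    feed = json.loads(feed_text)
    allow = set()
    for entry in feed.get("indicators", []):
        h = str(entry.get("sha256", "")).strip().lower()
        if SHA256_RE.fullmatch(h):
            allow.add(h)
    return allow


def allowlist_text(allow):
    """One hash per line, sorted, ready for a SIEM lookup or EDR allowlist."""
    return "".join(h + "\n" for h in sorted(allow))


def suppress_known_good(events, allow):
    """Return only file events whose hash is NOT known-good (suppress, never alert)."""
    return [e for e in events if str(e.get("sha256", "")).lower() not in allow]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FEED
    sys.stdout.write(allowlist_text(build_allowlist(text)))
```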