Hash [7.2]
The hash value (for example, MD5 or SHA256) of a file, process, or object. The field does not record which algorithm produced the value; only the resulting hash digest is stored in this field.
Three hash types account for nearly all values seen in practice: MD5 (32 hex characters), SHA1 (40 hex characters), and SHA256 (64 hex characters).
This field is not available in LogRhythm versions earlier than 7.2.1.
Data Type
Alphanumeric string (0-512 characters, 64 average characters)
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Hash |
| Client Console Short Name | Hash |
| Web Console Tab/Name | Hash |
| Elasticsearch Field Name | hash |
| Rule Builder Column Name | Hash |
| Regex Pattern | <hash> |
| NetMon Name | Not applicable |
Field Relationships
Object, Process, and Object Name fields. Hash is the digest of the file or process identified in those fields (for example, the hash of the executable named in Process).
Common Applications
- IDS/IPS
- Vulnerability scanners
- Endpoint monitoring (for example, Cb Response)
- Threat Intelligence feeds
- Antivirus

Use Case
Matching the hash value against threat feeds and known Indicators of Compromise (IOCs).
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- If a log carries more than one hash, the priority is MD5 > SHA1 > SHA256 (store only the highest-priority one), until strongly typed per-algorithm fields are available.
- Make the stored value as easy as possible to match against the most common threat feeds.
- Do not include the hash type in the field (for example, remove the MD5: prefix so that only the hex digest remains).

Examples
- Cylance log sample
 
Sample - 05 09 2016 21:40:29 1.1.1.1 <SLOG:WARN> 1 2016-05-10T02:40:19.2905167Z sysloghost CylancePROTECT - - - Event Type: AppControl, Event Name: pechange, Device Name: US-JNTJKV1, IP Address: (1.1.1.1, 1.1.1.1,), Action: Deny, Action Type: PE File Change, File Path: C:\Users\Public\TechTools\Host65, SHA256: 8050FE3DCA43D594611492AA149AF09FC9669149602BB2945AFEA4148A24B175
Parse the hash, removing the algorithm header (SHA256:) so that only the 64-character digest is stored.
- Cb Response log sample
 
Sample - 05 13 2016 20:56:15 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|watchlist.hit.binary|cb_server=cbserver    cb_version=511    company_name=Microsoft Corporation    copied_mod_len=11616    digsig_issuer=Microsoft Windows Production PCA 2011    digsig_prog_name=Microsoft Windows    digsig_publisher=Microsoft Corporation    digsig_result=Signed    digsig_result_code=0    digsig_sign_time=2015-10-30T12:32:00Z    digsig_subject=Microsoft Windows    endpoint=[" USABLDRRECFLOW01"]    file_desc=recordflow console    file_version=10.0.10.0 (th2_release.151029-1700)    group=["Testing"]    host_count=1    internal_name=recflowcon    is_64bit=true    is_executable_image=false    last_seen=2016-05-14T03:42:10.709Z    legal_copyright=© Record Flow LLC. All rights reserved.    md5=59E0D058686BD35B0D5C02A4FD8BD0E0    observed_filename=["c:\\windows\\system32\\downlevel\\api-ms-win-core-stringansi-l1-1-0.dll"]    orig_mod_len=11616    original_filename=apisetstub    os_type=Windows    product_name=Microsoft® Windows® Operating System    product_version=10.0.10586.0    server_added_timestamp=2016-05-14T03:42:10.709Z    server_name=USABLDRRECFLOW01    signed=Signed    timestamp=2016-05-14T03:42:10.709Z    type=watchlist.hit.binary    watchlist_id=4    watchlist_name=Newly Loaded Modules
Parse the hash, removing the type prefix (md5=) so that only the 32-character digest is stored.
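The following is an added example, not LogRhythm MPE rule code or anything from Cylance or Carbon Black, showing how the usage standards above (strip the algorithm prefix, apply the MD5 > SHA1 > SHA256 priority, store nothing that does not look like a real digest) can be applied to the two log samples. The sample lines are constructed and abbreviated from the ones shown above; the third line, carrying both an MD5 and a SHA256, is invented to exercise the priority rule. Normalizing the digest to upper case is an assumption made here for consistent matching; pick whichever case your threat feeds use.

```python
import re

# Constructed sample lines, abbreviated from the Cylance and Cb Response samples on this page.
CYLANCE_SAMPLE = (
    "05 09 2016 21:40:29 1.1.1.1 <SLOG:WARN> 1 2016-05-10T02:40:19.2905167Z sysloghost "
    "CylancePROTECT - - - Event Type: AppControl, Event Name: pechange, Device Name: US-JNTJKV1, "
    "IP Address: (1.1.1.1, 1.1.1.1,), Action: Deny, Action Type: PE File Change, "
    "File Path: C:\\Users\\Public\\TechTools\\Host65, "
    "SHA256: 8050FE3DCA43D594611492AA149AF09FC9669149602BB2945AFEA4148A24B175"
)
CB_SAMPLE = (
    "05 13 2016 20:56:15 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|watchlist.hit.binary|"
    "cb_server=cbserver\tcompany_name=Microsoft Corporation\t"
    "md5=59E0D058686BD35B0D5C02A4FD8BD0E0\t"
    "observed_filename=[\"c:\\\\windows\\\\system32\\\\downlevel\\\\api-ms-win-core-stringansi-l1-1-0.dll\"]\t"
    "type=watchlist.hit.binary"
)
# Invented line (not from the page) with two digests, to show the MD5 > SHA1 > SHA256 rule.
MULTI_SAMPLE = (
    "... sha256=8050FE3DCA43D594611492AA149AF09FC9669149602BB2945AFEA4148A24B175 "
    "md5=59E0D058686BD35B0D5C02A4FD8BD0E0 ..."
)

# Expected digest lengths in hex characters; used to reject a label/value mismatch.
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
# Storage priority from the usage standards: keep only the first type present.
PRIORITY = ["md5", "sha1", "sha256"]

# "<algo>" then ':' or '=' (optional spaces) then a bounded run of hex digits.
# Both "sha1"/"sha-1" and "sha256"/"sha-256" spellings are accepted.
HASH_RE = re.compile(r"\b(md5|sha-?1|sha-?256)\s*[:=]\s*([0-9a-f]{32,64})\b", re.IGNORECASE)


def extract_hashes(line):
    """Return {algorithm: digest} for every well-formed labelled hash in the line.

    The algorithm label is dropped from the stored value, per the usage standards;
    a value whose length does not match its label is ignored rather than stored.
    """
    found = {}
    for m in HASH_RE.finditer(line):
        algo = m.group(1).lower().replace("-", "")
        value = m.group(2).upper()  # assumption: normalize case for feed matching
        if len(value) != HASH_LEN[algo]:
            continue
        found.setdefault(algo, value)
    return found


def parse_hash(line):
    """Return the single digest to place in the Hash field, or None if there is none."""
    found = extract_hashes(line)
    for algo in PRIORITY:
        if algo in found:
            return found[algo]
    return None


if __name__ == "__main__":
    for name, sample in (("Cylance", CYLANCE_SAMPLE), ("Cb Response", CB_SAMPLE), ("multi", MULTI_SAMPLE)):
        print(f"{name}: {parse_hash(sample)}")
```

Running the script prints the bare SHA256 for the Cylance line, the bare MD5 for the Cb Response line, and the MD5 (not the SHA256) for the two-hash line. The length check matters in practice: a rule that greedily captures "everything after md5=" will happily store a path or a run-together field such as the unseparated `md5=...observed_filename=` seen in raw extractions, and that value will never match a feed.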