The hash value (for example, MD5 or SHA256) of a file, process, or object. The field is not tied to a particular algorithm: only the resulting hex digest is stored, with no label identifying the hash type.
The three hash types in common use are MD5, SHA1, and SHA256.
This field is not available in LogRhythm versions earlier than 7.2.1.
Data Type
Alphanumeric string (0-512 characters, 64 average characters)
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | Hash |
| Client Console Short Name | Hash |
| Web Console Tab/Name | Hash |
| Elasticsearch Field Name | hash |
| Rule Builder Column Name | Hash |
| Regex Pattern | <hash> |
| NetMon Name | Not applicable |
Field Relationships
Related to the Object, Process, and Object Name fields. When a process is identified in the Process field, this field holds the hash of that process.
Common Applications
- IDS/IPS
- Vulnerability scanners
- Endpoint monitoring (for example, Cb Response)
- Threat Intelligence feeds
- Antivirus
Use Case
Mapping hash values to threat intelligence feeds and known Indicators of Compromise (IOCs).
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- If a log contains more than one hash, parse them in the priority order MD5 > SHA1 > SHA256, until strongly typed (per-algorithm) hash fields are available.
- Store the value in the form that is easiest to match against the most common threat feeds.
- Do not include the hash type in the field (for example, remove the MD5: label and keep only the digest).
Examples
- Cylance log sample
Sample - 05 09 2016 21:40:29 1.1.1.1 <SLOG:WARN> 1 2016-05-10T02:40:19.2905167Z sysloghost CylancePROTECT - - - Event Type: AppControl, Event Name: pechange, Device Name: US-JNTJKV1, IP Address: (1.1.1.1, 1.1.1.1,), Action: Deny, Action Type: PE File Change, File Path: C:\Users\Public\TechTools\Host65, SHA256: 8050FE3DCA43D594611492AA149AF09FC9669149602BB2945AFEA4148A24B175
Parse only the hash value, dropping the SHA256: label.
- Cb Response log sample
Sample - 05 13 2016 20:56:15 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|5.1|watchlist.hit.binary|cb_server=cbserver cb_version=511 company_name=Microsoft Corporation copied_mod_len=11616 digsig_issuer=Microsoft Windows Production PCA 2011 digsig_prog_name=Microsoft Windows digsig_publisher=Microsoft Corporation digsig_result=Signed digsig_result_code=0 digsig_sign_time=2015-10-30T12:32:00Z digsig_subject=Microsoft Windows endpoint=[" USABLDRRECFLOW01"] file_desc=recordflow console file_version=10.0.10.0 (th2_release.151029-1700) group=["Testing"] host_count=1 internal_name=recflowcon is_64bit=true is_executable_image=false last_seen=2016-05-14T03:42:10.709Z legal_copyright=© Record Flow LLC. All rights reserved. md5=59E0D058686BD35B0D5C02A4FD8BD0E0 observed_filename=["c:\\windows\\system32\\downlevel\\api-ms-win-core-stringansi-l1-1-0.dll"] orig_mod_len=11616 original_filename=apisetstub os_type=Windows product_name=Microsoft® Windows® Operating System product_version=10.0.10586.0 server_added_timestamp=2016-05-14T03:42:10.709Z server_name=USABLDRRECFLOW01 signed=Signed timestamp=2016-05-14T03:42:10.709Z type=watchlist.hit.binary watchlist_id=4 watchlist_name=Newly Loaded Modules
Parse only the hash value, dropping the md5= label.
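The parsing rules above (strip the algorithm label, keep only the digest, prefer MD5 over SHA1 over SHA256 when a log carries several, then match the result against a threat feed as in the Use Case section) can be checked end to end with a small parser. The following is an added example written for this page, not LogRhythm's own MPE code: the sample lines are constructed fragments modelled on the Cylance and Cb Response samples, the IOC feed is a made-up dictionary, and lowercasing the digest for matching is this example's own choice rather than a documented standard. It also validates that the digest length matches the claimed algorithm (32, 40, or 64 hex characters), which the page does not require but a practitioner will want before the value is used for feed lookups.

```python
import re

# Hex-digest lengths for the three hash types the page says are in common use.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

# Selection order from the Usage Standards: MD5 > SHA1 > SHA256.
PRIORITY = ["md5", "sha1", "sha256"]

# One labelled hash: algorithm name, ":" or "=" separator, then a hex run that
# is not followed by another hex digit (so a digest running straight into the
# next token, as in the Cb Response sample, still terminates correctly).
LABELLED_HASH = re.compile(
    r"(?i)\b(md5|sha-?1|sha-?256)\s*[:=]\s*([0-9a-f]{32,64})(?![0-9a-f])"
)


def extract_hashes(line):
    """Return {algorithm: digest} for each labelled hash in a log line.

    The label (e.g. 'SHA256:' or 'md5=') is consumed by the regex and never
    stored; digests whose length does not match the algorithm are dropped.
    Digests are lowercased here as a matching convenience (an assumption of
    this example, not a page standard).
    """
    found = {}
    for label, digest in LABELLED_HASH.findall(line):
        algo = label.lower().replace("-", "")
        if len(digest) == HASH_LENGTHS[algo]:
            found[algo] = digest.lower()
    return found


def select_hash(hashes):
    """Choose the single value for the Hash field using MD5 > SHA1 > SHA256."""
    for algo in PRIORITY:
        if algo in hashes:
            return hashes[algo]
    return None


def parse_hash_field(line):
    """Full pipeline: log line -> value to store in the Hash field (or None)."""
    return select_hash(extract_hashes(line))


def match_iocs(hash_value, ioc_feed):
    """Look a parsed hash up in a feed keyed by lowercase digest."""
    if hash_value is None:
        return None
    return ioc_feed.get(hash_value.lower())


# Constructed sample fragments (not real telemetry), modelled on the samples above.
CYLANCE_LINE = (
    "Action: Deny, Action Type: PE File Change, "
    "File Path: C:\\Users\\Public\\TechTools\\Host65, "
    "SHA256: 8050FE3DCA43D594611492AA149AF09FC9669149602BB2945AFEA4148A24B175"
)
CB_LINE = (
    "is_executable_image=false md5=59E0D058686BD35B0D5C02A4FD8BD0E0"
    "observed_filename=[\"c:\\\\windows\\\\system32\\\\x.dll\"] orig_mod_len=11616"
)
# A constructed line carrying two hashes, to exercise the priority rule.
MULTI_LINE = "sha256=" + "a" * 64 + " md5=" + "b" * 32 + " signed=Signed"

# Constructed IOC feed: lowercase digest -> indicator name.
IOC_FEED = {"59e0d058686bd35b0d5c02a4fd8bd0e0": "constructed-test-indicator"}


if __name__ == "__main__":
    for name, line in [("Cylance", CYLANCE_LINE), ("Cb Response", CB_LINE),
                       ("multi-hash", MULTI_LINE)]:
        value = parse_hash_field(line)
        print(f"{name:12s} hash={value} ioc={match_iocs(value, IOC_FEED)}")
```

The `(?![0-9a-f])` lookahead is what lets the Cb Response style `md5=<digest>observed_filename=` parse correctly even without a space after the digest, while still rejecting a run longer than the algorithm allows; the length table then catches a label that does not match its digest (for example, `md5=` followed by 40 hex characters), which is worth rejecting rather than storing, since a wrong-length value will never match a feed.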