Build the 1 Minute QuickstartGet the Latest ReleaseSee the CHANGELOGCreate a Feature Request / Bug ReportJoin the Conversation
HomeGuidesRecipes
Build the 1 Minute QuickstartGet the Latest ReleaseSee the CHANGELOGCreate a Feature Request / Bug ReportJoin the Conversation
Guides

Hash

Suggest Edits

Hash processes data by applying hash functions.

Interpretation Methods

The processor supports these interpretation methods:

  • object
  • data

Options

FieldTypeDescriptionRequired
algorithmstringthe hashing algorithm applied to the data.

must be one of:
- md5
- sha256		Yes

Use Cases

Track Activity Using Common Hashes

Concatenating and hashing values from event data is a well-documented technique for tracking activity of interest (e.g, imphash from Mandiant, JA3 from Salesforce, Community ID from Corelight). Use this processor to create custom common hashes for tracking activity across any event log:

{"a":"b","c":"d"}

{"a":"b","c":"d","id":"b0fad96f655e1b943b834b391df30589"}

There are two recommended ways to create common hashes:

  • Hash an array of values (["b","d"]) by selecting arrays or multipaths
  • Hash concatenated values ("b,d") by piping the Join processor into the Hash processor

Updated over 1 year ago