Filtering data in Hash view

Hash view enables you to search and investigate files based on their hash value.

Open Hash view

You can open Hash view in the following ways:

  • Search for the file hash directly
  • Pivot to Hash view when viewing a process- or file-based event in Asset view

Search for the file hash directly

To open Hash view directly:

  1. Enter the hash value in the Chronicle search field. Click SEARCH.

    Figure: Search for hash from the landing page

  2. Select the hash value from the HASHES drop-down menu.

    Figure: Chronicle search autodetect menu

  3. Hash view is displayed.

    Figure: Hash view

You can also navigate to Hash view while investigating an asset in Asset view.

  1. Search for an asset and view it in Asset view.

    Figure: Search for asset from the landing page

  2. Asset view is displayed.

    Figure: Asset view

  3. From the TIMELINE tab to the left, scroll down to any event tied to a process or file modification, such as PROCESS_LAUNCH.

    Figure: Increase the time range to find events

  4. Expand the file to view details and investigate.

    Figure: Find a process or file-related event

  5. You can open Hash view for the file by clicking the hash value in Asset view.

    Figure: Hash value link in Asset view

  6. Hash view is displayed.

    Figure: Hash view

Filter options in Hash view

The following Procedural Filtering options are available in Hash view:

  • ASSETS
  • EVENT TYPE
  • LOG SOURCE
  • PID
  • PROCESS NAME

Figure: Hash view filtering options