Investigating a file

You can use Chronicle to search your data for a specific file based on its MD5, SHA-1, or SHA-256 hash value. Make sure you are ingesting and normalizing data from devices on your network, such as EDR data. You can open Hash view as follows:

  • View a file in Hash view directly

  • Navigate to Hash view from Asset view

View a file in Hash view directly

To open Hash view directly, enter the hash value in the Chronicle search field and click Search.

[Figure: Hash view]

Chronicle provides additional information about the file, including the following:

  • Partner Engines Detecting—Other security vendors that have detected the file

  • Properties/Metadata—Known properties of the file

  • VT Submitted/ITW File Names—Matching filenames submitted to VirusTotal
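Before pasting a hash into the Chronicle search field, it is worth checking that the value is actually a complete MD5, SHA-1, or SHA-256 hex digest (a truncated or non-hex string will simply return nothing). The following Python snippet is an added example, not part of this documentation or of Chronicle itself; it classifies a pasted hash string by length and character set, and computes all three digests of a file so any one of them can be searched. The sample bytes are constructed for illustration.

```python
import hashlib
import re
from typing import Dict, Optional

# Chronicle accepts MD5, SHA-1 and SHA-256; each has a distinct hex-digest length.
HASH_TYPES_BY_LENGTH = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(value: str) -> Optional[str]:
    """Return 'MD5', 'SHA-1' or 'SHA-256' for a well-formed hex digest, else None.

    Surrounding whitespace is tolerated; anything that is not pure hex, or whose
    length does not match one of the three algorithms, is rejected so that a
    truncated or mangled value is caught before it is searched.
    """
    v = value.strip()
    if not HEX_RE.match(v):
        return None
    return HASH_TYPES_BY_LENGTH.get(len(v))


def normalize_hash(value: str) -> Optional[str]:
    """Return the hash lowercased and trimmed if it is valid, else None."""
    return value.strip().lower() if classify_hash(value) else None


def file_hashes(data: bytes) -> Dict[str, str]:
    """Compute all three digests Chronicle can be searched by, as lowercase hex."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA-1": hashlib.sha1(data).hexdigest(),
        "SHA-256": hashlib.sha256(data).hexdigest(),
    }


# Constructed sample content standing in for a file pulled from an EDR alert.
SAMPLE = b"constructed sample file content\n"

if __name__ == "__main__":
    for algo, digest in file_hashes(SAMPLE).items():
        print(f"{algo}: {digest} -> {classify_hash(digest)}")
    for bad in ["not-a-hash", "abc123", "deadbeef" * 7 + "dead"]:
        print(f"{bad!r} -> {classify_hash(bad)}")
```

Any of the three printed digests can be pasted into the search field; the classifier prints `None` for the malformed values so you know they would not match anything.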

Navigate to Hash view from Asset view

You can also navigate to Hash view while investigating an asset in Asset view by completing the following steps:

  1. Select an asset and view it within Asset view.

  2. In the TIMELINE to the left, scroll down to any event tied to a process or file modification, such as process_start, childproc, or proc.

    [Figure: Selecting a process in Asset view]

  3. Click Current Process, Parent Process, or Target file to investigate the file.

  4. Click the hash value in Asset view to open Hash view for the file.