Managing File Hashes and Known File Occurrences
  • 06 Mar 2023

Overview

A File Indicator represents a unique file hash (MD5, SHA1, and SHA256) or series of hashes. On a File Indicator’s Details screen, you can view and manage the Indicator’s hashes, size (in bytes), and known File Occurrences.
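The following Python code is an added example, not ThreatConnect code. It reads a file's contents once to compute the MD5, SHA1, and SHA256 hashes and the size in bytes that a File Indicator records, and it identifies which hash field a pasted hex digest belongs to by its length. The function names and the constructed sample input are assumptions made for illustration.

```python
import hashlib
import io
import re

# Hex digest length for each hash type a File Indicator can hold.
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def classify_hash(value):
    """Return 'MD5', 'SHA1' or 'SHA256' for a hex digest, else None."""
    value = value.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None  # empty, or contains non-hex characters
    return HASH_LENGTHS.get(len(value))


def file_hash_details(stream, chunk_size=65536):
    """Read a binary stream once; return all three hashes and the size."""
    digests = {
        "MD5": hashlib.md5(),
        "SHA1": hashlib.sha1(),
        "SHA256": hashlib.sha256(),
    }
    size = 0
    # Chunked reads keep memory use flat for large samples.
    while chunk := stream.read(chunk_size):
        size += len(chunk)
        for digest in digests.values():
            digest.update(chunk)
    details = {name: d.hexdigest() for name, d in digests.items()}
    details["Size (bytes)"] = size
    return details


if __name__ == "__main__":
    # Constructed sample content standing in for a file under analysis;
    # for a real file, pass open(path, "rb") instead.
    sample = io.BytesIO(b"abc")
    for field, value in file_hash_details(sample).items():
        print(f"{field}: {value}")
```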

Before You Start

Minimum Role(s): Organization role of Standard User
Prerequisites: A File Indicator

Managing File Hash Details

New Details Screen

  1. Navigate to the Details screen for a File Indicator.
  2. Scroll down to view the File Hash Details card on the left side of the screen (Figure 1). The File Hash Information section of this card displays the File Indicator’s hashes and size.

    Note
    If file hash information exists in CAL™ for the Indicator, a CAL™ File Hash Information section will be displayed on the File Hash Details card. See the “Viewing CAL Data for an Indicator” section of ThreatAssess and CAL for more information on the CAL™ File Hash Information section.
  3. Click the Edit icon at the top right of the File Hash Details card, or click on any of the fields in the File Hash Information section. The File Hash Information section will now be editable (Figure 2).

    • MD5, SHA1, and SHA256:
      • If the File Indicator does not contain the respective hash, a text box in which you can enter the hash will be displayed.
      • If the File Indicator contains the respective hash, a Delete button will be displayed to the right of the hash. Click this button to delete the hash. Note that if a File Indicator contains only one hash, you will not be able to delete the hash.
    • Size (bytes): Enter the File Indicator’s size, in bytes.
    • Click Confirm at the top right of the File Hash Details card to save your changes to the File Indicator’s hashes and size.

If you add a new hash to an existing File Indicator and a File Indicator containing that hash exists in the same owner, the Merge File Indicators window will be displayed. Click the Merge button to merge the two File Indicators into a single File Indicator that contains both hashes and each Indicator’s Attributes, Security Labels, and Tags.

Important
You can merge only File Indicators containing different file hash types. For example, you can merge a File Indicator containing an MD5 hash with a File Indicator containing a SHA1 hash, but you cannot merge two File Indicators containing MD5 hashes.

Legacy Details Screen

  1. Navigate to the legacy Details screen for a File Indicator.
  2. Scroll down to view the Hashes card on the left side of the screen (Figure 3). This card displays the File Indicator’s hashes and size.

    • MD5, SHA-1, and SHA-256:
      • If the File Indicator does not contain the respective hash, a “Click here to add one.” link will be displayed. Click this link to display the Add Hash window, which is where you can enter the hash.
      • If the File Indicator contains the respective hash, a Delete icon will be displayed to the right of the hash. Click this icon to delete the hash. Note that a File Indicator must contain at least two hashes in order for the Delete icon to be displayed.
    • Size (bytes): Click Edit to display a text box where you can enter the File Indicator’s size, in bytes. After entering the size in the text box, click Save.

If you add a new hash to an existing File Indicator and a File Indicator containing that hash exists in the same owner, the Add Hash window will display a Merge Hashes checkbox (Figure 4).

Select this checkbox and then click the SAVE button to merge the two File Indicators into a single File Indicator that contains both hashes and each Indicator’s Attributes, Security Labels, and Tags.

Important
You can merge only File Indicators containing different file hash types. For example, you can merge a File Indicator containing an MD5 hash with a File Indicator containing a SHA1 hash, but you cannot merge two File Indicators containing MD5 hashes.

Known File Occurrences

Known File Occurrences provide a record of the various file names being used for the File Indicator you are investigating.

New Details Screen

Creating File Occurrences

  1. Navigate to the Details screen for a File Indicator.
  2. Scroll down to view the Known File Occurrences card on the right side of the screen (Figure 5).

  3. Click the Add icon at the upper-right corner of the Known File Occurrences card. The Add File Occurrence window will be displayed (Figure 6).

    • File Name: Enter the file name of the File Occurrence.
    • Date: Select the date of the File Occurrence.
    • Run Path: Enter the run path of the File Occurrence.
    • Click the Save button.

Managing File Occurrences

Click the Edit or Delete icon in the rightmost column for a File Occurrence to edit or delete it, respectively.

Legacy Details Screen

Creating File Occurrences

  1. Navigate to the legacy Details screen for a File Indicator.
  2. Scroll down to view the Known File Occurrences card on the left side of the screen (Figure 7).

  3. Click the Add New Occurrence icon at the upper-right corner of the Known File Occurrences card. Fields for entering the File Occurrence’s details will be displayed (Figure 8).

    • File Name: Enter the file name of the File Occurrence.
    • Run Path: Enter the run path of the File Occurrence.
    • Date: Select the date of the File Occurrence.
    • Click the SAVE button.

Managing File Occurrences

Click Edit or the Delete icon to the right of a File Occurrence to edit or delete it, respectively.


ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20148-01 v.01.A

