000033009 - How to index the SHA and MD5 File Hash Values seen in Investigator into RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on May 3, 2019.
Version 5

Article Content

Article Number: 000033009
Applies To:
RSA Product Set: NetWitness Logs & Packets
RSA Product/Service Type: Security Analytics Appliance / Security Analytics UI / Malware Analysis
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
O/S Version: EL6
Issue: How to get the MD5 and SHA file hash values seen in the Investigator modules into meta keys.

When investigating packet traffic in Security Analytics, the Investigator view can display MD5 and SHA1 hashes for the files it reconstructs, as shown below:

[Screenshot: MD5 and SHA1 file hashes displayed in Investigator]
Resolution: These hash values are calculated on the fly by the Investigator component in Security Analytics at the moment a file is viewed; they are not written to meta keys, so they cannot be indexed or queried.

To have hash values generated and indexed as meta, a Security Analytics Malware Analysis appliance is required. It can be configured to send CEF-formatted syslog messages containing the hash values of the files it has analyzed, and those messages can then be collected as log events.
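To show what happens to such a message once it is collected, here is an added example (not RSA's code, and not the Malware Analysis appliance's real CEF schema) that parses CEF-formatted syslog lines, honours the CEF escaping rules, resolves `csNLabel` custom-field labels, and maps every hash-shaped value to a meta key. The extension field names (`fname`, `fileHash`, `fileHashSha256`, `cs1`), the `file.hash.<algorithm>` meta naming and the sample lines are all assumptions constructed for the example; the digests are the well-known MD5, SHA-1 and SHA-256 values of an empty file.

```python
"""Parse CEF syslog lines and lift file hashes out of the extension fields.

Added example, not RSA/NetWitness code. Field names and meta key naming are
assumptions; CEF header/extension escaping follows the CEF format rules.
"""
import re

# Hash values are recognised by shape: MD5 = 32 hex chars, SHA-1 = 40, SHA-256 = 64.
HASH_SHAPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Extension keys are alphanumeric and must follow start-of-string or whitespace,
# so an escaped "\=" inside a value is never mistaken for a new key.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")
_ESCAPES = {"n": "\n", "r": "\r"}


def _split_header(text):
    """Split the seven pipe-delimited header fields, honouring '\\|' and '\\\\'.
    Returns (fields, remaining extension text)."""
    fields, current, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped pipe or backslash
            current.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, text[i:]


def _unescape(value):
    """Undo CEF extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n', '\\r'."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict. Values may contain spaces, so each
    value runs up to the start of the next key match."""
    matches = list(KEY_RE.finditer(ext))
    fields = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    # Resolve custom-string labels: cs1Label=sha1 cs1=<v> also yields sha1=<v>.
    for key, label in list(fields.items()):
        if key.endswith("Label") and key[:-5] in fields:
            fields[label] = fields[key[:-5]]
    return fields


def parse_cef(line):
    """Parse one syslog line; return None when it carries no CEF payload."""
    pos = line.find("CEF:")
    if pos < 0:
        return None
    header, ext = _split_header(line[pos + len("CEF:"):])
    record = dict(zip(CEF_HEADER_FIELDS, header))
    record["extension"] = _parse_extension(ext)
    return record


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' for a hash-shaped value, else None."""
    return HASH_SHAPES.get(len(value)) if HEX_RE.match(value) else None


def extract_hash_meta(line):
    """Map every hash-shaped extension value to a meta key file.hash.<algo>
    (assumed naming). Values are lower-cased and de-duplicated."""
    record = parse_cef(line)
    if record is None:
        return {}
    meta = {}
    for value in record["extension"].values():
        algo = classify_hash(value)
        if algo:
            meta.setdefault("file.hash." + algo, set()).add(value.lower())
    return {k: sorted(v) for k, v in meta.items()}


# Constructed sample input (assumed field names; empty-file digests).
SAMPLE_LINES = [
    "<14>Jun 14 10:00:00 malware01 CEF:0|Example Vendor|Example Malware Analysis|1.0|100|File\\|analyzed|5|"
    "fname=q2 report.pdf fileHash=d41d8cd98f00b204e9800998ecf8427e "
    "cs1Label=sha1 cs1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 msg=verdict\\=clean static pass",
    "<14>Jun 14 10:00:05 malware01 CEF:0|Example Vendor|Example Malware Analysis|1.0|100|File analyzed|3|"
    "fname=setup.exe fileHashSha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "sessionid=abcdef0123456789abcdef0123456789ab",
    "<14>Jun 14 10:00:09 malware01 sshd[2201]: Accepted publickey for analyst from 10.0.0.5",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_hash_meta(line))
```

Only values whose length matches a known digest are classified, so the 34-character `sessionid` in the second line and any short hex token are ignored, and the non-CEF `sshd` line yields no meta at all. The header split stops after exactly seven pipes, which is what keeps an unescaped `|` inside an extension value from corrupting the record.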