000033009 - How to index the SHA and MD5 File Hash Values seen in Investigator into RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Number: 000033009
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Appliance / Security Analytics UI / Malware Analysis
RSA Version/Condition: 10.X
Platform: CentOS
 
Issue: How to get the MD5 and SHA file hash values seen in the Investigator modules into meta keys.
When investigating packet traffic in Security Analytics, it is possible to see MD5 and SHA1 hashes for the files carried in a session, as shown in the screenshot below:
[Screenshot: Investigator view showing the MD5 and SHA1 hashes of reconstructed files]
Resolution: These hash values are calculated on the fly by the Investigator component in Security Analytics when it reconstructs the file; they are never written to the session as meta, so they cannot be indexed, searched or alerted on from meta keys.
If you want hash values to be generated and stored as meta, a Security Analytics Malware Analysis appliance is necessary. It can be configured to send CEF formatted syslog messages containing the hash values of the files it has analysed, and those messages can then be collected and parsed like any other log source.
See the article https://sadocs.emc.com/0_en-us/088_SA106/120_AppSerCon/MaCon/20_AddProc/CrtAlertCEFFor, which explains how to create such a CEF formatted syslog message.
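To show what the collection side of that workflow involves, the following is an added example, not code from RSA or from the linked article: a small Python parser that takes a CEF formatted syslog line, splits the standard seven-field CEF header and the key=value extension, and pulls out any MD5, SHA1 or SHA256 digests into meta-style keys. The sample line is constructed, and the extension key names carrying the hashes (fileHash, md5) are assumptions; the real keys emitted by the Malware Analysis appliance depend on how the CEF alert template is configured, which is why the extractor validates values by digest length rather than trusting a particular key name.

```python
import re
from typing import Dict, Tuple

# Constructed sample line (not captured from a real appliance). Header layout is
# the standard CEF one; the extension keys carrying hashes are assumed names.
SAMPLE_LINE = (
    "<134>Jun 14 2016 10:12:01 malware-host "
    "CEF:0|RSA|Malware Analysis|10.6|100|File analysed|5|"
    "fname=invoice.pdf fsize=12345 "
    "fileHash=da39a3ee5e6b4b0d3255bfef95601890afd80709 "
    "md5=d41d8cd98f00b204e9800998ecf8427e src=10.0.0.5 dst=192.0.2.10"
)

# The seven pipe-separated CEF header fields, in order.
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")

# Digest lengths in hex characters: 32 = MD5, 40 = SHA1, 64 = SHA256.
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def split_cef_header(line: str) -> Tuple[Dict[str, str], str]:
    """Return (header dict, raw extension string) for a syslog line carrying CEF."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    body = line[start + len("CEF:"):]
    # Header fields are separated by '|'; a literal pipe inside a field is escaped as '\|'.
    fields = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(fields) < 8:
        raise ValueError("malformed CEF header")
    header = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER_FIELDS, fields[:7])}
    return header, fields[7]


def parse_cef_extension(ext: str) -> Dict[str, str]:
    """Parse the space-separated key=value extension.

    Values may themselves contain spaces, so a new pair starts only where a
    token of the form 'key=' follows whitespace (or the start of the string).
    """
    result: Dict[str, str] = {}
    matches = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    for i, m in enumerate(matches):
        key = m.group(1)
        value_start = m.end()
        value_end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        value = ext[value_start:value_end].strip()
        # Undo the CEF escapes for '=' and '\' inside values.
        result[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return result


def extract_hash_meta(line: str) -> Dict[str, str]:
    """Build meta-style keys (md5, sha1, sha256, device.product) from one CEF line.

    Every extension value that is a valid hex digest is classified by length,
    so the extractor does not depend on which extension key the template used.
    """
    header, ext = split_cef_header(line)
    meta: Dict[str, str] = {"device.product": header["device_product"]}
    for value in parse_cef_extension(ext).values():
        v = value.strip()
        if MD5_RE.match(v):
            meta["md5"] = v.lower()
        elif SHA1_RE.match(v):
            meta["sha1"] = v.lower()
        elif SHA256_RE.match(v):
            meta["sha256"] = v.lower()
    return meta


if __name__ == "__main__":
    for key, value in sorted(extract_hash_meta(SAMPLE_LINE).items()):
        print(f"{key} = {value}")
```

Once the hashes land in dedicated meta keys like these, they can be indexed on the Concentrator and used in Reporter or ESA rules, which is exactly what the on-the-fly values shown in Investigator do not allow.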