Carbon Black Cloud: How to locate a File Hash using EEDR?

Environment

Carbon Black Cloud Console: All Supported Versions
  • Enterprise EDR (Formerly CB ThreatHunter)

Objective

How to locate a file hash using EEDR.

Resolution

  1. Navigate to the Investigate page, Enriched Events tab, Events.
  2. Search for the EXE or script.
  3. For Type, select "Filemod".
  4. Open the side panel for the row of the matching file.
  5. The "SHA-256" hash is listed in the filemod section.

Additional Notes

A filemod event is triggered when the file is copied to the system, so you may need to use a longer time frame in the search to cover that modification.
Sometimes an alert includes the in-memory hash for a file rather than the actual hash; this method provides the actual hash.

Article Information
Creation Date: 08-25-2022