%3CLINGO-SUB%20id%3D%22lingo-sub-1684757%22%20slang%3D%22en-US%22%3EWhat's%20new%3A%20Analytics%20FileHash%20entity%20hits%20GA!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1684757%22%20slang%3D%22en-US%22%3E%3CP%3E%3CEM%3EThis%20installment%20is%20part%20of%20a%20broader%20series%20to%20keep%20you%20up%20to%20date%20with%20the%20latest%20features%20in%20Azure%20Sentinel.%20The%20installments%20will%20be%20bite-sized%20to%20enable%20you%20to%20easily%20digest%20the%20new%20content.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EFile%20hash%20is%20a%20unique%20value%20that%20corresponds%20to%20the%20content%20of%20a%20file%20computed%20by%20using%20a%20specified%20hash%20algorithm.%20%3C%2FSPAN%3EUsing%20hashes%2C%20you%20can%20determine%20if%20two%20different%20files%20have%20exactly%20the%20same%20content.%20Files%20with%20identical%20hash%20values%20share%20identical%20contents.%20You%20can%20also%20use%20hashes%20to%20verify%20if%20file%20data%20has%20been%20modified%2C%20tampered%20with%2C%20or%20corrupted.%20In%20cybersecurity%2C%20one%20of%20the%20most%20common%20use%20cases%20of%20file%20hash%20is%20to%20share%20Indicators%20of%20Compromise%2C%20a%20valuable%20resource%20to%20SOC%20analysts%2C%20security%20researchers%2C%20and%20threat%20hunters.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EUp%20until%20now%2C%20different%20types%20of%20entity%20such%20as%20IP%2C%20Account%2C%20Host%2C%20URL%20have%20been%20made%20available%20in%20different%20areas%20in%20Azure%20Sentinel.%20We%20are%20delighted%20to%20announce%20that%20FileHash%20entity%20has%20been%20added%20to%20the%20Analytics%20and%20generally%20available!%20Let%20us%20look%20at%20an%20example%20of%20where%20and%20how%20you%20can%20start%20leveraging%20this%20great%20addition%20today.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3E%3CSPAN%3E%3CSTRONG%3EAnalytic%20Rule%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EFile%20hash%20can%20be%20used%20for%20entity%20mapping%20in%20a%20scheduled%20analytic%20rule.%20Under%20%3CSTRONG%3ESet%20Rule%20Logic%3C%2FSTRONG%3E%20view%20of%20the%20scheduled%20analytic%20rule%20wizard%2C%20you%20can%20select%20any%20relevant%20field%20of%20a%20table%20defined%20in%20the%20rule%20query%20and%20map%20to%20the%20FileHash%20entity.%20A%20new%20column%20called%20FileHashCustomEntity%20will%20then%20be%20automatically%20created%20in%20the%20query%2C%20and%20this%20column%20name%20can%20be%20customized.%20If%20you%20identify%20a%20malicious%20file%20on%20a%20machine%20and%20want%20to%20scan%20your%20entire%20environment%20for%20existence%20of%20that%20file%2C%20you%20can%20assign%20that%20specific%20hash%20value%20to%20the%20FileHashCustomEntity%20field.%3C%2FSPAN%3E%20%3CSPAN%3EThis%20enables%20Azure%20Sentinel%20to%20recognize%20this%20entity%20that%20is%20part%20of%20the%20alerts%20for%20further%20analysis.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22filehash%20rule%20screenshot.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219609iEA0C5EA38FEFACB1%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22filehash%20rule%20screenshot.png%22%20alt%3D%22filehash%20rule%20screenshot.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%221%202%203%204%205%206%207%22%3E%3CSPAN%3E%3CEM%3EFigure1.%20FileHash%20in%20Analytic%20Rule%3C%2FEM%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3E%3CSPAN%3E%3CSTRONG%3EInvestigation%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIf%20Azure%20Sentinel%20detects%20any%20matches%20for%20a%20known%20hash%20value%20from%20a%20detection%20rule%20you%20already%20set%20up%2C%20incidents%20with%20an%20entity%20type%20of%20FileHash%20will%20be%20created.%20You%20can%20then%20leverage%20the%20full%20incident%20view%20and%20Investigation%20graph%20to%20analyze%20the%20potentially%20anomalous%20activity%20based%20on%20this%20hash%20information.%20The%20Investigation%20view%20provides%20the%20relevant%20information%20including%20hash%20value%2C%20hash%20algorithm%20such%20as%20SHA256%2C%20MD5%2C%20etc.%2C%20and%20its%20friendly%20name.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22investigation%20graph%20(2).png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219654i094117C3EC8EACC5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22investigation%20graph%20(2).png%22%20alt%3D%22investigation%20graph%20(2).png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%221%202%203%204%205%206%207%22%3E%3CSPAN%3E%3CEM%3EFigure2.%20FileHash%20sample%20in%20Investigation%20Graph%3C%2FEM%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ELeveraging%20the%20power%20of%20KQL%20in%20Log%20Analytics%2C%20you%20can%20also%20query%20the%20matches%20across%20your%20environment%20to%20perform%20further%20analysis.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22log%20query.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219655i15AA6FFA3EA47621%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22log%20query.png%22%20alt%3D%22log%20query.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%221%202%203%204%205%206%207%22%3E%3CSPAN%3E%3CEM%3EFigure3.%20FileHash%20sample%20in%20query%20results%3C%2FEM%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%224%22%3E%3CSTRONG%3EGet%20started%20today!%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20encourage%20you%20to%20explore%20the%20FileHash%20entity%20in%20Azure%20Sentinel%20for%20threat%20detection%20and%20investigation%20in%20your%20environment.%3C%2FP%3E%0A%3CP%3ETry%20it%20out%2C%20and%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fbd-p%2FAzureSentinel%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3E%26nbsp%3Blet%20us%20know%3C%2FA%3E%26nbsp%3Bwhat%20you%20think!%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20contribute%20new%20connectors%2C%20workbooks%2C%20analytics%20and%20more%20in%20Azure%20Sentinel.%20Get%20started%20now%20by%20joining%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fthreathunters%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Sentinel%20Threat%20Hunters%20GitHub%20community%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1684757%22%20slang%3D%22en-US%22%3E%3CP%3EFileHash%20entity%20is%20now%20generally%20available%20in%20Azure%20Sentinel!%20But%20where%20and%20how%20to%20use%20it%3F%20Read%20on...%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1684757%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Sentinel%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWhat's%20new%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1700842%22%20slang%3D%22en-US%22%3ERe%3A%20What's%20new%3A%20Analytics%20FileHash%20entity%20hits%20GA!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1700842%22%20slang%3D%22en-US%22%3E%3CP%3ENice!%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWould%20love%20to%20see%20custom%20and%20unlimited%20entities%20at%20some%20time%20in%20the%20future.%20Some%20organisations%20use%20Analytics%20rules%20to%20trigger%20Playbooks%20(LogicApps)%20to%20integrate%20with%20their%20ticketing%20systems.%20Having%20only%20pre-defined%20entities%20limits%20the%20amount%20of%20information%20one%20can%20get%20to%20these%20outside%20systems.%20There%20is%20a%20workaround%20to%20re-run%20the%20query%20and%20extract%20the%20fields%20within%20the%20LogicApp%2C%20but%20I%20wish%20it%20was%20handled%20in%20the%20Analytics%20rule%20instead.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1724990%22%20slang%3D%22en-US%22%3ERe%3A%20What's%20new%3A%20Analytics%20FileHash%20entity%20hits%20GA!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1724990%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F527156%22%20target%3D%22_blank%22%3E%40kakoytovasya%3C%2FA%3E%26nbsp%3BThanks%20for%20the%20great%20feedback.%20This%20feature%20is%20currently%20in%20Private%20Preview%2C%20so%20please%20stay%20tuned%20%3A).%20You%20can%20join%20the%20%3CA%20title%3D%22Private%20Preview%20program%22%20href%3D%22https%3A%2F%2Faka.ms%2Fazuresentinelprp%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EPrivate%20Preview%20program%3C%2FA%3E%20to%20try%20out%20the%20feature.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

 

 

File hash is a unique value that corresponds to the content of a file computed by using a specified hash algorithm. Using hashes, you can determine if two different files have exactly the same content. Files with identical hash values share identical contents. You can also use hashes to verify if file data has been modified, tampered with, or corrupted. In cybersecurity, one of the most common use cases of file hash is to share Indicators of Compromise, a valuable resource to SOC analysts, security researchers, and threat hunters.

 

Up until now, different types of entity such as IP, Account, Host, URL have been made available in different areas in Azure Sentinel. We are delighted to announce that FileHash entity has been added to the Analytics and generally available! Let us look at an example of where and how you can start leveraging this great addition today.

 

Analytic Rule

 

File hash can be used for entity mapping in a scheduled analytic rule. Under Set Rule Logic view of the scheduled analytic rule wizard, you can select any relevant field of a table defined in the rule query and map to the FileHash entity. A new column called FileHashCustomEntity will then be automatically created in the query, and this column name can be customized. If you identify a malicious file on a machine and want to scan your entire environment for existence of that file, you can assign that specific hash value to the FileHashCustomEntity field. This enables Azure Sentinel to recognize this entity that is part of the alerts for further analysis.

 

filehash rule screenshot.png

Figure1. FileHash in Analytic Rule

 

Investigation

 

If Azure Sentinel detects any matches for a known hash value from a detection rule you already set up, incidents with an entity type of FileHash will be created. You can then leverage the full incident view and Investigation graph to analyze the potentially anomalous activity based on this hash information. The Investigation view provides the relevant information including hash value, hash algorithm such as SHA256, MD5, etc., and its friendly name.

 

investigation graph (2).png

Figure2. FileHash sample in Investigation Graph

 

Leveraging the power of KQL in Log Analytics, you can also query the matches across your environment to perform further analysis.

 

log query.png

Figure3. FileHash sample in query results

 

Get started today!

 

We encourage you to explore the FileHash entity in Azure Sentinel for threat detection and investigation in your environment.

Try it out, and let us know what you think!

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.

 

2 Comments
Established Member

Nice! 

 

Would love to see custom and unlimited entities at some time in the future. Some organisations use Analytics rules to trigger Playbooks (LogicApps) to integrate with their ticketing systems. Having only pre-defined entities limits the amount of information one can get to these outside systems. There is a workaround to re-run the query and extract the fields within the LogicApp, but I wish it was handled in the Analytics rule instead.

Microsoft

@kakoytovasya Thanks for the great feedback. This feature is currently in Private Preview, so please stay tuned :). You can join the Private Preview program to try out the feature.