question

0 Votes
KrabmanEXE asked vipulsparsh-MSFT answered

Hashes for executables and other files uploaded to Teams/SharePoint

Is there a way to view hashes in the "New executable via Office FileUploaded Operation" rule? I know that generally, uploading executables is frowned upon... but I guess we allow it.

I've tried adding FileHash as an entity in the Analytic Rule Wizard, but there is no option for FileHash in the value dropdown. I'm guessing we would have to create something to generate the hash of the file so that we can view it.

microsoft-sentinel

1 Answer

0 Votes
vipulsparsh-MSFT answered

@KrabmanEXE Thanks for reaching out.

Do you see the file hash showing up in the logs? The file information should come from the Office Activity logs if you are talking about Teams/SharePoint.
If the hash is flowing in with the other information, you can certainly use it to find and correlate other files.
SecurityEvent, for example, does have file hashes from Windows infra for files.

You can then add a custom Analytic Rule like this which allows you to add a File Hash Entity with its Value and Algorithm if you want.


113015-image.png



If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" the answer that helped you, for the benefit of the community.
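
The File Hash entity mapping described in the answer, written out as an added example (not part of the original thread): a fragment of a scheduled analytics rule in YAML template form. The `HashAlgorithm` column name and the `SHA256` value are assumptions; the mapping only works when the queried table actually carries a hash column, as `SecurityEvent` does with `FileHash`.

```yaml
# Added example: query and entity mapping portion of a scheduled analytics rule.
# Only these two keys are shown; the rest of the rule definition is omitted.
query: |
  SecurityEvent
  // Keep only events where the data source logged a file hash.
  | where isnotempty(FileHash)
  // Assumption: hashes in this workspace are SHA-256. Set this to the
  // algorithm your data source really records, or the entity will mislead.
  | extend HashAlgorithm = "SHA256"
  | project TimeGenerated, Computer, Account, FilePath, FileHash, HashAlgorithm
entityMappings:
  # FileHash entity: both identifiers are mapped to query output columns.
  - entityType: FileHash
    fieldMappings:
      - identifier: Algorithm
        columnName: HashAlgorithm   # constructed column, see the extend above
      - identifier: Value
        columnName: FileHash
  # Host entity so the alert also shows which machine reported the hash.
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
```

In the Analytic Rule Wizard, a column can only be picked in the entity value dropdown if the rule query returns it, so a hash column has to be present in the query results before it can be mapped.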


