IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Threat Intel IP Address Indicator Match Threat Intel Windows Registry Indicator Match »
Elastic Docs Elastic Security Solution [8.9] Downloadable rule update v8.9.1

Threat Intel Hash Indicator Match

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Threat Intel Hash Indicator Match

edit

This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.

Rule type: threat_match

Rule indices:

  • auditbeat-*
  • endgame-*
  • filebeat-*
  • logs-*
  • winlogbeat-*

Severity: critical

Risk score: 99

Runs every: 1h

Searches indices from: now-65m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • OS: Windows
  • Data Source: Elastic Endgame
  • Rule Type: Indicator Match

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
file.hash.*:* or file.pe.imphash:*  or process.hash.*:* or process.pe.imphash:* or dll.hash.*:* or dll.pe.imphash:*
« Threat Intel IP Address Indicator Match Threat Intel Windows Registry Indicator Match »