Carbon Black Cloud: How to locate a File Hash using EEDR?

Article ID: 284995


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

 How to locate a File Hash using EEDR?

Environment

Carbon Black Cloud Console: All Supported Versions
  • Enterprise EDR (Formerly CB ThreatHunter)

Resolution

  1. Navigate to the Investigate page, Enriched Events tab, Events.
  2. Search for the EXE or script.
  3. For Type, select "Filemod".
  4. Open the side panel row for the matching file.
  5. The "SHA-256" hash will be listed in the filemod section.

Additional Information

A filemod event is triggered when the file is copied to the system, so you may need to search a longer time frame to cover that modification.
Sometimes an alert will include the in-memory hash for a file rather than the actual hash; this method will provide the actual hash.