Malware Hash
The Malware Hash page can be used to define a list of malware files and their hashes. When FortiSIEM monitors a directory, it generates these directory events:
| Directory Event | Generated by |
|---|---|
| PH_DEV_MON_CUST_FILE_CREATE | New file creation |
| PH_DEV_MON_CUST_FILE_SCAN | Directory is scanned |
| PH_DEV_MON_CUST_FILE_CHANGE_CONTENT | Changes in file content |
When FortiSIEM scans a file and collects its hash, it uses the system rule Malware Hash Check to check the list of malware hashes, and triggers an alert if a match is found.
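The check described above, as an added illustration that is not FortiSIEM's own code: a constructed hash list is indexed case-insensitively, the three directory events from the table are evaluated against it, and an alert is produced on a match. The event field names (`eventType`, `fileName`, `content`), the list layout and the sample digests are all assumptions for the example, not FortiSIEM's import or event format.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# The directory events listed on the page; only these carry a file worth hashing.
HASH_EVENTS = {
    "PH_DEV_MON_CUST_FILE_CREATE",
    "PH_DEV_MON_CUST_FILE_SCAN",
    "PH_DEV_MON_CUST_FILE_CHANGE_CONTENT",
}

# Constructed malware hash list: (algorithm, hex digest, label). The digests are
# md5/sha256 of the bytes b"hello world"; mixed case is deliberate to exercise normalisation.
MALWARE_HASHES: List[Tuple[str, str, str]] = [
    ("md5", "5EB63BBBE01EEED093CB22BB8F5ACDC3", "sample-a"),
    ("sha256", "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9", "sample-a"),
]

def build_index(entries: List[Tuple[str, str, str]]) -> Dict[Tuple[str, str], str]:
    """Index entries by (algorithm, lowercase digest); reject digests of the wrong length or alphabet."""
    index: Dict[Tuple[str, str], str] = {}
    for algo, digest, label in entries:
        algo, digest = algo.lower(), digest.strip().lower()
        expected_len = hashlib.new(algo).digest_size * 2
        if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed {algo} digest for {label!r}: {digest}")
        index[(algo, digest)] = label
    return index

def malware_hash_check(event: Dict, index: Dict[Tuple[str, str], str]) -> Optional[Dict[str, str]]:
    """Emulates the page's Malware Hash Check rule: hash the file for every algorithm in the list
    and return an alert record on the first match, or None for non-matching or irrelevant events."""
    if event.get("eventType") not in HASH_EVENTS:
        return None
    for algo in sorted({a for a, _ in index}):
        digest = hashlib.new(algo, event["content"]).hexdigest()
        label = index.get((algo, digest))
        if label is not None:
            return {"rule": "Malware Hash Check", "file": event["fileName"], "algorithm": algo,
                    "hash": digest, "malware": label, "trigger": event["eventType"]}
    return None

def run(events: List[Dict], entries: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Evaluate a batch of constructed directory events and return the alerts raised."""
    index = build_index(entries)
    return [a for a in (malware_hash_check(e, index) for e in events) if a is not None]

# Constructed directory events; the last uses a made-up event type to show it is ignored.
SAMPLE_EVENTS = [
    {"eventType": "PH_DEV_MON_CUST_FILE_CREATE", "fileName": "/srv/upload/a.bin", "content": b"hello world"},
    {"eventType": "PH_DEV_MON_CUST_FILE_SCAN", "fileName": "/srv/upload/b.bin", "content": b"benign"},
    {"eventType": "PH_DEV_MON_CUST_FILE_CHANGE_CONTENT", "fileName": "/srv/upload/b.bin", "content": b"hello world"},
    {"eventType": "SOME_OTHER_EVENT", "fileName": "/srv/upload/c.bin", "content": b"hello world"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, MALWARE_HASHES):
        print(alert)
```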
The following sections describe how to use a Malware Hash: