Malware Hash

The Malware Hash page can be used to define a list of malware files and their hash functions. When FortiSIEM monitors a directory, it generates these directory events:

Directory Event                        Generated by
PH_DEV_MON_CUST_FILE_CREATE            New file creation
PH_DEV_MON_CUST_FILE_SCAN              Directory is scanned
PH_DEV_MON_CUST_FILE_CHANGE_CONTENT    Changes in file content

When FortiSIEM scans a file and collects its hash, it uses the system rule Malware Hash Check to check the list of malware hashes, and triggers an alert if a match is found. 
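
The check described above can be pictured with the following added example, which is not FortiSIEM code: it hashes the file named in a directory event and looks the result up in a normalized hash list. Only the three event names and the rule name come from this page; the event fields (type, path), the list entry format and the inference of the algorithm from the hash length are assumptions.

```python
import hashlib
import os

# Event names come from the page; the event dictionary fields are assumptions.
FILE_EVENTS = {
    "PH_DEV_MON_CUST_FILE_CREATE",
    "PH_DEV_MON_CUST_FILE_SCAN",
    "PH_DEV_MON_CUST_FILE_CHANGE_CONTENT",
}
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # assumed list formats

def file_hash(path, algo="sha256", chunk=65536):
    """Hash a file in chunks so large files are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def load_hash_list(entries):
    """Normalize (name, hash) entries to {(algo, lowercase hex): name}."""
    table = {}
    for name, value in entries:
        value = value.strip().lower()
        algo = ALGO_BY_HEX_LEN.get(len(value))
        if algo is None or any(c not in "0123456789abcdef" for c in value):
            continue  # drop malformed entries; they could never match anyway
        table[(algo, value)] = name
    return table

def check_event(event, table):
    """Return an alert dict if the event's file matches a listed hash, else None."""
    if event["type"] not in FILE_EVENTS or not os.path.isfile(event["path"]):
        return None
    for algo in sorted({a for a, _ in table}):  # hash once per algorithm in the list
        digest = file_hash(event["path"], algo)
        if (algo, digest) in table:
            return {"rule": "Malware Hash Check", "path": event["path"],
                    "algo": algo, "hash": digest, "malware": table[(algo, digest)]}
    return None

if __name__ == "__main__":
    import tempfile  # constructed sample file and constructed list entry
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample")
    listed = [("Constructed.Sample", hashlib.sha256(b"constructed sample").hexdigest().upper())]
    print(check_event({"type": "PH_DEV_MON_CUST_FILE_SCAN", "path": f.name}, load_hash_list(listed)))
    os.unlink(f.name)
```

Normalizing case and whitespace when the list is loaded matters because hash feeds differ in formatting, and an entry that is not normalized never matches.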

The following sections describe how to use a Malware Hash: