When a File indicator is created in the system, whether from a feed, from indicator extraction, or manually, the hash it arrived with becomes the indicator’s value, while any complementing hashes are saved as fields on it.
For example, if a SHA256 indicator is extracted from an email and enriched, an indicator with the SHA256 as its value is created, and any other hash found during enrichment (such as MD5 or SHA1) is attached to it as a field. If a file indicator with that MD5 is later created in the system, Cortex XSOAR automatically identifies it as the same file and merges the two indicators into one.
In a more specific example, the executable cmd.exe’s SHA256 FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5 was found in an incident and extracted. It also went through enrichment, which revealed that the file’s MD5 is D7AB69FAD18D4A643D84A271DFC0DBDF.
The file indicator includes:
ID: 1
Type: File
Value: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
SHA256: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
MD5: D7AB69FAD18D4A643D84A271DFC0DBDF
Afterwards, through a custom feed, cmd.exe’s MD5 hash D7AB69FAD18D4A643D84A271DFC0DBDF is brought in, and Cortex XSOAR creates an indicator of type File with the MD5 as its value.
A new file indicator is created:
ID: 2
Type: File
Value: D7AB69FAD18D4A643D84A271DFC0DBDF
MD5: D7AB69FAD18D4A643D84A271DFC0DBDF
The automatic merging flow for the File indicator type identifies that the two indicators are the same file and merges them together.
The final File indicator, consolidating the two, is the same as the first example above:
ID: 1
Type: File
Value: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
SHA256: FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5
MD5: D7AB69FAD18D4A643D84A271DFC0DBDF
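The merge flow walked through above, as an added Python model that is not Cortex XSOAR’s own code: `hash_type`, `FileIndicatorStore` and `walk_through` are assumed names, and the only data used are the cmd.exe SHA256 and MD5 quoted on this page.

```python
# Added example (not Cortex XSOAR's own code): a minimal model of the
# automatic merge flow for File indicators. Each indicator keeps the hash it
# arrived with as its value plus complementing hashes as fields; creating an
# indicator whose value or hash fields overlap an existing one merges the
# two, keeping the earlier indicator's ID and value. Hash values below are
# the cmd.exe SHA256/MD5 quoted on this page.

HASH_FIELDS = ("MD5", "SHA1", "SHA256")


def hash_type(value: str) -> str:
    """Infer the hash field name from the hex length (assumption: hex-only values)."""
    return {32: "MD5", 40: "SHA1", 64: "SHA256"}[len(value)]


class FileIndicatorStore:
    def __init__(self):
        self._next_id = 1
        self.indicators = {}  # id -> dict with ID, Type, Value and hash fields

    def _hashes_of(self, ind: dict) -> set:
        return {ind[f].upper() for f in HASH_FIELDS if f in ind}

    def create(self, value: str, **enriched_hashes: str) -> dict:
        """Create a File indicator; merge into an existing one if any hash overlaps."""
        value = value.upper()
        new = {"Type": "File", "Value": value, hash_type(value): value}
        for field, h in enriched_hashes.items():
            new[field.upper()] = h.upper()  # e.g. md5=... becomes the MD5 field
        new_hashes = self._hashes_of(new)
        for existing in self.indicators.values():
            if self._hashes_of(existing) & new_hashes:
                # Same file: keep the earlier ID/value, absorb any missing hash fields.
                for f in HASH_FIELDS:
                    if f in new and f not in existing:
                        existing[f] = new[f]
                return existing
        new["ID"] = self._next_id
        self._next_id += 1
        self.indicators[new["ID"]] = new
        return new


SHA256 = "FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5"
MD5 = "D7AB69FAD18D4A643D84A271DFC0DBDF"


def walk_through() -> list:
    store = FileIndicatorStore()
    first = store.create(SHA256, md5=MD5)  # extracted from the incident, then enriched
    second = store.create(MD5)             # later brought in by the custom feed
    return [first, second, len(store.indicators)]
```

Running `walk_through()` reproduces the page’s outcome: the feed’s MD5 indicator is merged into indicator 1, which keeps the SHA256 as its value and carries both hashes as fields.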