You can obtain an event's process SHA-256 hash on the Observations tab of the Investigate page.
Procedure
- On the left navigation pane, click Investigate and click the Observations tab.
- Search for an event; you can use the Process filter in the left pane to narrow the search results.
- In the View by dropdown menu above the search results table, select Process.
The process hash displays in the second column of the search results table.
- There are three ways in which you can copy (obtain) the process hash:
- Hover over the truncated process hash. The full hash value displays: select the hash value and then press Ctrl-C to copy the hash.
- Click the truncated process hash and then press Ctrl-C to copy the hash.
- Click the carat icon at the right side of the event. The Event Details pane opens. Scroll down to the Process section and click Show all. Select the hash value and then press Ctrl-C to copy the hash.