You can use the md5 function in your queries, or with eval commands, to filter log data in which a field has been hash masked.
When you create a log source and define hash masks for specific fields, the resulting log data contains the hash of each masked field value instead of the value itself. Because the mask is deterministic, the same plaintext always produces the same hash, so you can still filter on that field. To extract the log records that contain the hash-masked form of a known value, use the md5 function in your queries or with eval commands.
For example, consider the following log data:
Jul 1,2018 23:43:23 severe jack User logged in
Jul 2,2018 02:43:12 warning jack User logged out
Jul 2,2018 05:23:43 info jane User logged in
When the user name field is hash masked, the same log records are stored as follows:
Jul 1,2018 23:43:23 severe 241fcf33eaa2ea61285f36559116cbad User logged in
Jul 2,2018 02:43:12 warning 241fcf33eaa2ea61285f36559116cbad User logged out
Jul 2,2018 05:23:43 info 8fb2f1187c72aab28236d54f0193a203 User logged in
That is, the user name jack is replaced by the hash value 241fcf33eaa2ea61285f36559116cbad and jane by 8fb2f1187c72aab28236d54f0193a203. You can then filter these records in any of the following ways:
- Use the md5 function in your search query: specify the query
* | search md5(jack)
to filter the hash-masked records corresponding to the user jack.
- Use the hash value with where and eval commands: to extract the log records corresponding to the user jack, use the hash of the user name directly in the search string:
* | where user = "241fcf33eaa2ea61285f36559116cbad"
- Use the md5 function with where and eval commands: instead of looking up and pasting the hash for a specific user name, apply the same hash function that the mask used. For example, to extract the log records corresponding to the user jack, use the search string
* | where user = md5("jack")
All three approaches only work when you already know the plaintext value you are searching for. A hash mask cannot be reversed into the original string, so you cannot list the distinct user names in the masked data; you can only confirm whether records for a value you already know are present.
Similar to md5, you can use other hash functions such as sha1, sha256, and sha512 for hash masking. In that case, use the matching function in your query (for example, sha256("jack")), because a digest produced by one function never matches the digest produced by another.
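The following Python script is an added example, not code from the original page or from the logging product it describes. It reproduces the mechanics behind the three query styles above: it applies a hash mask to the user field of the sample records at "ingest", then filters the masked records by a pre-computed digest, by hashing a known user name at query time, and by searching for the digest anywhere in a record. The sample log lines are constructed to match the page's example; the function names (hash_value, mask_records, where_equals, where_equals_hash, search_hash, reverse_by_guessing) are this example's own and are not the product's query language.

```python
import hashlib

# Constructed sample records, one per line, matching the page's example.
RAW_LOG = """Jul 1,2018 23:43:23 severe jack User logged in
Jul 2,2018 02:43:12 warning jack User logged out
Jul 2,2018 05:23:43 info jane User logged in"""

# The hash functions the page lists as usable for hash masking.
HASHERS = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
}


def hash_value(value, algorithm="md5"):
    """Hex digest of a field value, the form a hash mask writes into the log."""
    return HASHERS[algorithm](value.encode("utf-8")).hexdigest()


def parse_record(line):
    """Split one sample line into time, severity, user and message fields."""
    # "Jul 1,2018 23:43:23 severe jack User logged in" -> 5 parts, last one is user + message
    month, day, clock, severity, rest = line.split(" ", 4)
    user, _, message = rest.partition(" ")
    return {"time": f"{month} {day} {clock}", "severity": severity,
            "user": user, "message": message}


def load_records():
    return [parse_record(line) for line in RAW_LOG.splitlines()]


def mask_records(records, field="user", algorithm="md5"):
    """Apply a hash mask to one field, as a log source definition does at ingest."""
    masked = []
    for rec in records:
        copy = dict(rec)
        copy[field] = hash_value(rec[field], algorithm)
        masked.append(copy)
    return masked


def where_equals(records, field, value):
    """Equivalent of: * | where <field> = "<literal digest>" """
    return [r for r in records if r[field] == value]


def where_equals_hash(records, field, plaintext, algorithm="md5"):
    """Equivalent of: * | where <field> = md5("<plaintext>"); hash at query time."""
    return where_equals(records, field, hash_value(plaintext, algorithm))


def search_hash(records, plaintext, algorithm="md5"):
    """Equivalent of: * | search md5(<plaintext>); digest may appear in any field."""
    digest = hash_value(plaintext, algorithm)
    return [r for r in records if digest in r.values()]


def reverse_by_guessing(digest, candidates, algorithm="md5"):
    """The only way back from a mask: hash values you already suspect and compare.
    Returns the matching candidate, or None if the value is not in the guess list."""
    for candidate in candidates:
        if hash_value(candidate, algorithm) == digest:
            return candidate
    return None


if __name__ == "__main__":
    masked = mask_records(load_records())
    for rec in masked:
        print(rec["time"], rec["severity"], rec["user"], rec["message"])
    print("jack ->", hash_value("jack"))
    print("records for jack:", len(where_equals_hash(masked, "user", "jack")))
    print("records for jane:", len(search_hash(masked, "jane")))
    print("plaintext 'jack' still matches?", bool(where_equals(masked, "user", "jack")))
```

Note what reverse_by_guessing shows: the mask is not reversible in general, but anyone holding the masked logs can confirm a guessed value exactly the way your own where user = md5("jack") query does. For low-entropy fields such as user names, hash masking therefore hides values from casual reading, not from a determined reader with a list of likely names.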