You can use Google Security Operations to search your data for a specific file based on
its MD5, SHA-1, or SHA-256 hash value.
If additional information is available for a file hash found within a customer's
Google SecOps account, this additional information is added to the
associated UDM events automatically. You can search for these UDM events
manually using UDM Search or by using rules.
View a file hash
To view a file hash, you can:
- View a file in File hash view directly
- Navigate to File hash view from another view
View a file in File hash view directly
To open File hash view directly, enter the hash value in the
Google SecOps search field and click Search.
Google SecOps provides additional information about the file, including the
following:
- Partner engines detecting: Other security vendors who have detected the
  file.
- Properties/metadata: Known properties of the file.
- VT submitted/ITW filenames: Known malicious in-the-wild (ITW) malware
  submitted to VirusTotal.
Navigate to File hash view from another view
You can also navigate to File hash view while investigating an asset in
another view (for example, Asset view) by completing the following steps:
1. Open an investigation view. For example, select an asset to view it within
   Asset view.
2. In the Timeline to the left, scroll to any event tied to a process or
   file modification, such as Network Connection.
   (Figure: Selecting an Event in Asset view)
3. Open the Raw Log and UDM viewer by clicking the open icon in the Timeline.
4. You can open File hash view for the file by clicking the hash value (for
   example, principal.process.file.md5) within the displayed UDM event.
Considerations
Hash view has the following limitations:
- You can only filter events that are displayed in this view.
- Only DNS, EDR, Webproxy, and Alert event types are populated in this view.
  The first seen and last seen information populated in this view is also
  limited to these event types.
- Generic events don't appear in any of the curated views. They appear only in
  raw log and UDM searches.
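Because File hash view omits generic events, an analyst often falls back to UDM Search for the same hash. The helper below is an added example, not part of the Google SecOps documentation: it validates a hash, picks the md5, sha1, or sha256 field by digest length, and builds a UDM Search filter. Only principal.process.file.md5 appears on this page; the other field paths and the function names are assumptions to adapt to what your parsers populate.

```python
import re

# Hex digest length -> UDM hash field suffix.
HASH_FIELDS = {32: "md5", 40: "sha1", 64: "sha256"}

# UDM paths that may carry a file hash. principal.process.file is taken from
# the page; the other two are assumptions about which nouns are populated.
FILE_PATHS = (
    "principal.process.file",
    "target.process.file",
    "target.file",
)

# Constructed sample input: the MD5 digest of empty input.
SAMPLE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"


def classify_hash(value):
    """Return (algorithm, normalized_digest) or raise ValueError."""
    digest = value.strip().lower()
    # Hex-only check also keeps quotes and operators out of the query string.
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError("not a hexadecimal digest")
    algo = HASH_FIELDS.get(len(digest))
    if algo is None:
        raise ValueError("length %d is not MD5, SHA-1, or SHA-256" % len(digest))
    return algo, digest


def build_udm_query(value, paths=FILE_PATHS):
    """Build a UDM Search filter matching the hash on each candidate path."""
    algo, digest = classify_hash(value)
    clauses = ['%s.%s = "%s"' % (path, algo, digest) for path in paths]
    return " OR ".join(clauses)


if __name__ == "__main__":
    print(build_udm_query(SAMPLE_MD5))
```

Paste the printed filter into UDM Search; a hash pasted with stray whitespace or uppercase hex is normalized first, and anything that is not a 32, 40, or 64 character hex string is rejected before a query is built.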
Note: UDM search provides enhanced capabilities that let you conduct more thorough investigations of the events and alerts within your Google SecOps instance than is possible using File hash view alone. For more information, see UDM search (/chronicle/docs/investigation/udm-search).

Last updated 2025-08-29 UTC.