FortiEDR
dhamadi
Staff
Article Id 337904
Description: This article describes how to retrieve the hash of a process by using the REST API.
Scope: FortiEDR version 5 and above.
Solution

The hash of the process can be viewed in the event's investigation view:

 

HashFile_eventview.png

 

Some users need to retrieve this value via the REST API to automate and speed up analysis.

The hash of the process is contained in the event's raw data JSON item. The raw data is not returned by the event listing itself, so three calls are needed: list the events, list the raw data item IDs of the chosen event, then export those raw data items as JSON. The procedure is shown below.

 

Recommended REST API client:

Postman

 

  1. Call the API to list events and note the ID of the event of interest:

https://abc.test.com/management-rest/events/list-events?organization=demo

 

eventID.png

 

  2. Use that event ID to list the raw data item IDs that belong to the event:

https://abc.test.com/management-rest/events/list-raw-data-items?organization=demo&eventId=764802

 

RaweventID.png

 

  3. Export the raw data items as JSON, passing the raw item IDs returned by the previous step. The process hash is contained in the exported JSON:

https://abc.test.com/management-rest/events/export-raw-data-items-json?organization=demo&rawItemIds=...

 

Hashfile_API.png
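The three calls above chained into one script, as an added example (not Fortinet's code and not from the original article). Only the three endpoint paths and the organization, eventId and rawItemIds parameters come from the article. Everything else is an assumption and is labelled as such in the code: HTTP Basic authentication for a dedicated REST API user, rawItemIds accepted as a comma-separated list, the JSON field names eventId, rawEventId and Hash, the FORTIEDR_HOST / FORTIEDR_USER / FORTIEDR_PASS / FORTIEDR_ORG environment variables, and the sample responses, which are constructed so the script runs offline. Because the exact key that carries the hash in the export is an assumption, the extractor walks the whole JSON and reports any string under a key containing "hash" or shaped like an MD5/SHA-1/SHA-256 digest, together with its JSON path, so the real field name can be confirmed on a live export.

```python
"""Chain list-events -> list-raw-data-items -> export-raw-data-items-json and
pull process hashes out of the export. Added example, not Fortinet's code.
ASSUMPTIONS: Basic auth, comma-separated rawItemIds, field names
"eventId"/"rawEventId"/"Hash", and the constructed sample data at the bottom."""
import base64
import json
import os
import re
import urllib.parse
import urllib.request

# Hex digests of MD5 / SHA-1 / SHA-256 length; finds a hash even when the
# key name in the export differs from the assumed "Hash".
HASH_RE = re.compile(r"\A(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})\Z")


def basic_auth_header(username, password):
    """ASSUMPTION: the management REST API accepts HTTP Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def make_fetcher(base_url, headers, timeout=30):
    """Return fetch(path, params) -> parsed JSON. TLS verification stays on
    (urllib default); install the management server's CA rather than disabling it."""
    def fetch(path, params):
        url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return fetch


def list_events(fetch, organization, **filters):
    """Step 1. Extra keyword arguments are passed through as query-string filters."""
    return fetch("/management-rest/events/list-events",
                 {"organization": organization, **filters})


def list_raw_data_items(fetch, organization, event_id):
    """Step 2: raw data items that belong to one event."""
    return fetch("/management-rest/events/list-raw-data-items",
                 {"organization": organization, "eventId": event_id})


def export_raw_data_items_json(fetch, organization, raw_item_ids):
    """Step 3: export the raw data items as JSON."""
    ids = ",".join(str(i) for i in raw_item_ids)  # ASSUMPTION: comma-separated list
    return fetch("/management-rest/events/export-raw-data-items-json",
                 {"organization": organization, "rawItemIds": ids})


def raw_item_id(item):
    """ASSUMPTION: the raw item ID sits under one of these keys."""
    for key in ("rawEventId", "rawItemId", "id"):
        if key in item:
            return item[key]
    raise KeyError(f"no raw item id field among {sorted(item)}")


def find_hashes(node, path="$"):
    """Walk nested JSON; return [(json_path, hash)] for every string under a
    key containing 'hash' or shaped like an MD5/SHA-1/SHA-256 hex digest."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and ("hash" in key.lower() or HASH_RE.match(value)):
                found.append((child, value.lower()))
            else:
                found.extend(find_hashes(value, child))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(find_hashes(value, f"{path}[{index}]"))
    return found


def process_hashes_for_event(fetch, organization, event_id):
    """Steps 2 and 3 chained: event ID -> raw item IDs -> export JSON -> hashes."""
    raw_ids = [raw_item_id(i) for i in list_raw_data_items(fetch, organization, event_id)]
    hits = find_hashes(export_raw_data_items_json(fetch, organization, raw_ids))
    return {"event_id": event_id, "raw_item_ids": raw_ids,
            "hashes": sorted({value for _, value in hits}), "locations": hits}


# Constructed sample responses (NOT real FortiEDR output) so the script runs offline.
SAMPLE_RESPONSES = {
    "/management-rest/events/list-events": [
        {"eventId": 764802, "process": "powershell.exe", "classification": "Suspicious"}],
    "/management-rest/events/list-raw-data-items": [
        {"rawEventId": 9001, "eventId": 764802}, {"rawEventId": 9002, "eventId": 764802}],
    "/management-rest/events/export-raw-data-items-json": [
        {"rawEventId": 9001, "Process": {"Name": "powershell.exe",
         "Hash": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}},
        {"rawEventId": 9002, "Process": {"Name": "powershell.exe",
         "Hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}],
}


def sample_fetch(path, params):
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    host = os.environ.get("FORTIEDR_HOST")  # ASSUMPTION, e.g. https://abc.test.com
    if host:  # credentials come from the environment, never hard-coded in the script
        fetch = make_fetcher(host, basic_auth_header(os.environ["FORTIEDR_USER"],
                                                     os.environ["FORTIEDR_PASS"]))
    else:
        fetch = sample_fetch
    org = os.environ.get("FORTIEDR_ORG", "demo")
    for event in list_events(fetch, org):
        print(json.dumps(process_hashes_for_event(fetch, org, event["eventId"]), indent=2))
```

Run it without FORTIEDR_HOST set and it works through the constructed sample data; with the host and credentials exported it performs the real calls. Hashes are normalised to lowercase before deduplication so that the same digest reported in different case by different raw items counts once, and the locations list keeps the JSON path of every hit for checking which field in the real export carries the process hash.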

     

Related articles:

Technical Tip: Retrieving Files from Collectors by using Rest-API

Technical Tip: Tips and Tricks with Rest API and Postman