There are instances where it would be beneficial to support regular expressions for hashes, but this is currently not supported. The scenario is where something like Sysmon is in use to collect hashes of binaries at process start time, but there are times when, for whatever reason, Sysmon fails to collect this data and the hash is null.
When using IOC to scan this data set for unknown binaries, it would be helpful to be able to exclude null-valued hashes. One way of doing this would be to set the hash field expression to a match condition where the field matches .+... alternatively, some ability to exclude nulls would work, but everything we've tried thus far fails (e.g. '', "", null).
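Added example (not from the original post, and not the IOC tool's own code): a small Python version of the scan the post describes, run over constructed Sysmon-style events. It shows why null hashes are a problem for a naive "hash not in known list" check (None, '' and a missing field are all "unknown"), how the proposed `.+` match condition on the hash field removes them, and, going one step further than the post, how a stricter pattern for the hash shape also drops values that are present but not a real SHA-256. The event layout, field name `sha256`, the known-good hash set and the function names are all assumptions made for the example.

```python
import re
from typing import Dict, Iterable, Iterator, Optional, Set

# Constructed sample of Sysmon process-creation events as a SIEM might store
# them. Three lack a usable hash (None, empty string, missing key) because the
# collector failed to hash the image; one carries a value that is not a hash.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "sha256": "a" * 64},
    {"image": r"C:\Users\bob\Downloads\tool.exe", "sha256": "b" * 64},
    {"image": r"C:\Windows\Temp\upd.exe", "sha256": None},
    {"image": r"C:\Windows\Temp\upd2.exe", "sha256": ""},
    {"image": r"C:\Windows\Temp\upd3.exe"},                 # field never written
    {"image": r"C:\Windows\Temp\broken.exe", "sha256": "not-a-hash"},
]

# Hypothetical known-good hash set (the list the post scans the data set against).
KNOWN_GOOD_SHA256: Set[str] = {"a" * 64}

# The match condition from the post: the hash field must match `.+`.
HASH_PRESENT = re.compile(r".+")
# Stricter alternative: the field must look like a SHA-256 digest.
SHA256_SHAPE = re.compile(r"[0-9a-fA-F]{64}")


def hash_matches(value: Optional[str], pattern: re.Pattern) -> bool:
    """True only if value is a string that fully matches pattern.

    None (null) and a missing field can never match, and '' cannot match `.+`,
    which is exactly the exclusion the post is asking the tool for.
    """
    return isinstance(value, str) and pattern.fullmatch(value) is not None


def naive_unknown(events: Iterable[Dict], known: Set[str]) -> Iterator[str]:
    """The scan without any null handling: every event whose hash is not in
    the known set is reported, so null/empty/missing hashes all become
    'unknown binaries' and drown the real findings."""
    for ev in events:
        if ev.get("sha256") not in known:
            yield ev["image"]


def unknown_binaries(
    events: Iterable[Dict], known: Set[str], pattern: re.Pattern = HASH_PRESENT
) -> Iterator[str]:
    """The scan with a hash-field match condition applied first: events whose
    hash does not match `pattern` are skipped rather than flagged."""
    for ev in events:
        h = ev.get("sha256")
        if not hash_matches(h, pattern):
            continue
        if h.lower() not in known:
            yield ev["image"]


def count_unhashed(events: Iterable[Dict], pattern: re.Pattern = HASH_PRESENT) -> int:
    """How many events the match condition would set aside; worth reporting
    separately so a collection failure is visible instead of silently dropped."""
    return sum(1 for ev in events if not hash_matches(ev.get("sha256"), pattern))


if __name__ == "__main__":
    print("naive:      ", list(naive_unknown(SAMPLE_EVENTS, KNOWN_GOOD_SHA256)))
    print("with .+:    ", list(unknown_binaries(SAMPLE_EVENTS, KNOWN_GOOD_SHA256)))
    print("with shape: ", list(unknown_binaries(SAMPLE_EVENTS, KNOWN_GOOD_SHA256, SHA256_SHAPE)))
    print("set aside:  ", count_unhashed(SAMPLE_EVENTS), "/", count_unhashed(SAMPLE_EVENTS, SHA256_SHAPE))
```

The `.+` condition is what the post proposes and is enough to drop null, empty and missing values; the `SHA256_SHAPE` variant shows why regex support on the hash field is more useful than a plain "exclude nulls" switch, since it also rejects a present-but-malformed value that a null check would let through. Keeping a count of the events set aside matters in practice: a sudden jump in unhashed process starts is itself something to investigate rather than something to hide.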