Prefer code? There's also an official Python client & CLI: `pip install hashscanner` (PyPI · GitHub).
A Cortex analyzer (for use with TheHive) that looks up a hash observable in the NIST NSRL via the HashScanner API.
Run it on any MD5 / SHA-1 / SHA-256 observable to instantly tell whether the file is known (cataloged in NSRL) — so you can filter the known out of a case and focus analyst time on the unknown.
A match means the file is known — not that it is safe, clean, or malicious. NIST does not label files good or bad.
```
analyzers/HashScanner/   # the analyzer (flavor JSON + program + requirements)
thehive-templates/       # TheHive short/long report templates
```
This mirrors the Cortex-Analyzers catalog layout, so the `analyzers/HashScanner/` and `thehive-templates/` folders can be copied straight into a Cortex-Analyzers PR.
- Clone this repo onto your Cortex host and add `analyzers/` to Cortex's `analyzer.path` (or copy `analyzers/HashScanner/` into an existing analyzers path).
- Install dependencies: `pip install -r analyzers/HashScanner/requirements.txt`
- In the Cortex UI, enable `HashScanner_NSRL`, set your `api_key` (free at https://www.hashscanner.com/register), and run it on a hash observable.
| Item | Required | Default | Description |
|---|---|---|---|
| `api_key` | yes | — | HashScanner API key (`hs_..._sk_...`) |
| `api_url` | no | `https://api.hashscanner.com/v1` | API base URL |
| `timeout` | no | `30` | Request timeout (seconds) |
- HashScanner: https://www.hashscanner.com
- API docs: https://www.hashscanner.com/api
- Sign up (free API key): https://www.hashscanner.com/register
MIT