tlsh()

The tlsh() function computes the TLSH (Trend Micro Locality Sensitive Hash) fuzzy hash of binary data and returns it as a string.

Syntax

tlsh(DATA)

Parameters

DATA
The binary data to compute the TLSH hash for. Must be at least 50 bytes.

Description

The tlsh() function computes the TLSH fuzzy hash of the input binary data and returns it as a hexadecimal string. TLSH is a fuzzy hashing algorithm developed by Trend Micro in which similar data produces similar hash values. This allows similarity-based analysis such as malware variant detection.

The function returns null in three cases: the input value is null or not a binary type; the input data is shorter than 50 bytes, which is too short to compute a TLSH hash; or an error occurs during hash computation.

The returned hash string can be passed to tlshdiff() to compute the similarity score between two hashes.

Error codes

N/A

Usage examples

  1. Compute the TLSH hash of binary data

    json "{}"
    | eval data = randbytes(256),
           h = tlsh(data)
    | # h: (TLSH hash string, determined by the input)
    
  2. Compute the TLSH hash of file contents

    logdb://files
    | eval h = tlsh(file_content)
    
  3. Input data is less than 50 bytes

    json "{}" | eval h = tlsh(randbytes(10))
    | # h: null
    
  4. null input

    json "{'data': null}" | eval h = tlsh(data)
    | # h: null
    

Compatibility

The tlsh() function has been available since Sonar 4.0.2308.0-u3043.