Hash Fields

edit

The hash fields represent different bitwise hash algorithms and their values.

Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512).

Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).

Hash Field Details

edit
Field Description Level

hash.md5

MD5 hash.

type: keyword

extended

hash.sha1

SHA1 hash.

type: keyword

extended

hash.sha256

SHA256 hash.

type: keyword

extended

hash.sha512

SHA512 hash.

type: keyword

extended

hash.ssdeep

SSDEEP hash.

type: keyword

extended

Field Reuse

edit

The hash fields are expected to be nested at:

  • dll.hash
  • file.hash
  • process.hash
  • threat.enrichments.indicator.hash
  • threat.indicator.hash

Note also that the hash fields are not expected to be used directly at the root of the events.