Hash Fields
editHash Fields
editThe hash fields represent different bitwise hash algorithms and their values.
Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512).
Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).
Hash Field Details
editField | Description | Level |
---|---|---|
MD5 hash. type: keyword |
extended |
|
SHA1 hash. type: keyword |
extended |
|
SHA256 hash. type: keyword |
extended |
|
SHA512 hash. type: keyword |
extended |
|
SSDEEP hash. type: keyword |
extended |
Field Reuse
editThe hash
fields are expected to be nested at:
-
dll.hash
-
file.hash
-
process.hash
-
threat.enrichments.indicator.hash
-
threat.indicator.hash
Note also that the hash
fields are not expected to be used directly at the root of the events.