forked from elastic/ecs
hash.yml
55 lines (46 loc) · 1.37 KB
---
- name: hash
  title: Hash
  group: 2
  type: group
  short: Hashes, usually file hashes.
  description: >
    The hash fields represent different bitwise hash algorithms and their values.

    Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes
    by lowercasing the hash algorithm name and using underscore separators as appropriate
    (snake case, e.g. sha3_512).

    Note that this fieldset is used for common hashes that may be computed
    over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are
    placed in the fieldsets to which they relate (tls and pe, respectively).
  reusable:
    top_level: false
    expected:
      - file
      - process
      - dll
      - at: threat.indicator
        as: hash
      - at: threat.enrichments.indicator
        as: hash
        beta: Reusing the `hash` fields in this location is currently considered beta.
  fields:

    - name: md5
      level: extended
      type: keyword
      description: MD5 hash.

    - name: sha1
      level: extended
      type: keyword
      description: SHA1 hash.

    - name: sha256
      level: extended
      type: keyword
      description: SHA256 hash.

    - name: sha512
      level: extended
      type: keyword
      description: SHA512 hash.

    - name: ssdeep
      level: extended
      type: keyword
      description: SSDEEP hash.
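As an added example, not code from the ECS repository: a small Python helper that computes the predefined hash fields of this fieldset over arbitrary bytes, nests them at the reusable locations listed above (`file`, `threat.indicator`), and derives ECS field names for other algorithms by the lowercase/snake_case rule the description gives. The `ecs_hash_field` mapping and the `nest` helper are my own assumptions, not ECS tooling, and `ssdeep` is omitted because it is not in the standard library.

```python
"""Build ECS-style hash objects from raw bytes (added example, not ECS code)."""
import hashlib
import re

# Predefined field names from the ECS hash fieldset that hashlib can compute.
PREDEFINED = ("md5", "sha1", "sha256", "sha512")

# Entity-specific hashes the fieldset description assigns to other fieldsets.
ENTITY_SPECIFIC = {"ja3": "tls", "imphash": "pe"}


def ecs_hash_field(algorithm: str) -> str:
    """Map an algorithm name to an ECS hash field name (assumed rule):
    lowercase, runs of non-alphanumerics become '_', e.g. 'SHA3-512' -> 'sha3_512'.
    Names that collapse to a predefined field use the predefined spelling
    ('SHA-256' -> 'sha256'); entity-specific hashes are rejected."""
    name = re.sub(r"[^a-z0-9]+", "_", algorithm.lower()).strip("_")
    collapsed = name.replace("_", "")
    if collapsed in PREDEFINED:
        return collapsed
    if name in ENTITY_SPECIFIC:
        raise ValueError(f"{name} belongs in the {ENTITY_SPECIFIC[name]} fieldset, not hash")
    return name


def hash_fields(data: bytes) -> dict:
    """Compute every predefined hash field over the given bytes."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in PREDEFINED}


def nest(at: str, as_: str, value: dict) -> dict:
    """Place `value` at a dotted ECS location, mirroring the `at`/`as` reuse entries:
    nest('threat.indicator', 'hash', v) -> {'threat': {'indicator': {'hash': v}}}."""
    doc = value
    for key in reversed(at.split(".") + [as_]):
        doc = {key: doc}
    return doc


def file_event(data: bytes) -> dict:
    """Hashes nested under file.hash.* (the `file` reuse location)."""
    return nest("file", "hash", hash_fields(data))


def indicator_event(data: bytes) -> dict:
    """Hashes nested under threat.indicator.hash.* (the `threat.indicator` reuse location)."""
    return nest("threat.indicator", "hash", hash_fields(data))


if __name__ == "__main__":
    sample = b"constructed sample bytes\n"  # constructed input, not a real artifact
    print(file_event(sample))
```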