forked from elastic/ecs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
hash.yml
86 lines (74 loc) · 2.51 KB
/
hash.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: hash
title: Hash
group: 2
type: group
short: Hashes, usually file hashes.
description: >
The hash fields represent different bitwise hash algorithms and their values.
Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes
by lowercasing the hash algorithm name and using underscore separators as appropriate
(snake case, e.g. sha3_512).
Note that this fieldset is used for common hashes that may be computed
over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are
placed in the fieldsets to which they relate (tls and pe, respectively).
reusable:
top_level: false
order: 1
expected:
- file
- process
- dll
- email.attachments.file
fields:
- name: cdhash
level: extended
type: keyword
short: The Code Directory (CD) hash of an executable.
description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code.
example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
beta: This field is beta and subject to change.
- name: md5
level: extended
type: keyword
description: MD5 hash.
- name: sha1
level: extended
type: keyword
description: SHA1 hash.
- name: sha256
level: extended
type: keyword
description: SHA256 hash.
- name: sha384
level: extended
type: keyword
description: SHA384 hash.
- name: sha512
level: extended
type: keyword
description: SHA512 hash.
- name: ssdeep
level: extended
type: keyword
description: SSDEEP hash.
- name: tlsh
level: extended
type: keyword
description: TLSH hash.