The following event captures three separate hash values for the same file. Each hash is populated under the file.hash.* field that matches its algorithm, and each value is also duplicated into related.hash:
```json
{
  "@timestamp": 1651072073705,
  "file": {
    "hash": {
      "md5": "44d88612fea8a8f36de82e1278abb02f",
      "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
      "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
    }
  },
  "related": {
    "hash": [
      "44d88612fea8a8f36de82e1278abb02f",
      "3395856ce81f2b7382dee72602f798b642f14140",
      "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
    ]
  }
}
```
No matter which field a hash appears in, a user can query related.hash and get a match. Searches, detection rules, alerts, and so on can rely on related.hash to match any hash value without needing to know which field holds it or which hashing algorithm produced it.
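The ingest-side half of this pattern, as an added example (not code from the ECS project): walk an event, collect every value under any *.hash.* object (file.hash, process.hash, dll.hash, ...), and write the de-duplicated list into related.hash, then emulate the term query and an IOC-list match against it. It assumes the event is a plain dict in the nested layout shown on this page and that related.hash is mapped as a keyword field, so matching is exact and case sensitive; for that reason it lower-cases hex digests at ingest, because some sources emit them in upper case. The second event and the IOC list are constructed for the example.

```python
"""Populate ECS related.hash from every *.hash.* field and match against it.

Added example, not ECS project code. Assumes nested-dict events and a keyword
mapping for related.hash (exact, case-sensitive term matching).
"""
import copy
from typing import Any, Dict, Iterable, List, Set, Tuple

# The file.hash portion of the event on this page, before related.hash is set.
PAGE_EVENT: Dict[str, Any] = {
    "@timestamp": 1651072073705,
    "file": {
        "hash": {
            "md5": "44d88612fea8a8f36de82e1278abb02f",
            "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
            "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
        }
    },
}

# Constructed event (not from the page): hashes spread over process.hash and
# dll.hash, one emitted in upper case by its source, and one duplicated value.
CONSTRUCTED_EVENT: Dict[str, Any] = {
    "@timestamp": 1651072073999,
    "process": {
        "hash": {
            "sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F",
            "md5": "44d88612fea8a8f36de82e1278abb02f",
        }
    },
    "dll": {
        "hash": {
            "md5": "44d88612fea8a8f36de82e1278abb02f",
            "sha1": "3395856ce81f2b7382dee72602f798b642f14140",
        }
    },
}


def collect_hashes(obj: Any, path: Tuple[str, ...] = ()) -> List[str]:
    """Return every string value whose parent key is `hash` (file.hash.md5,
    process.hash.sha256, ...), in document order. related.hash itself is
    skipped so that running the population step twice is idempotent."""
    found: List[str] = []
    if not isinstance(obj, dict):
        return found
    for key, value in obj.items():
        here = path + (key,)
        if here == ("related", "hash"):
            continue
        if len(here) >= 2 and here[-2] == "hash" and isinstance(value, str):
            found.append(value)
        elif isinstance(value, dict):
            found.extend(collect_hashes(value, here))
    return found


def normalize(value: str) -> str:
    """Hex digests are case-insensitive; a keyword term query is not.
    Lower-case at ingest so both spellings land on the same term."""
    return value.strip().lower()


def populate_related_hash(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of `event` with related.hash set to the de-duplicated,
    normalized list of every hash found anywhere in the event."""
    out = copy.deepcopy(event)
    seen: Set[str] = set()
    related: List[str] = []
    for raw in collect_hashes(out):
        h = normalize(raw)
        if h not in seen:
            seen.add(h)
            related.append(h)
    if related:
        out.setdefault("related", {})["hash"] = related
    return out


def match_hash(events: Iterable[Dict[str, Any]], value: str) -> List[Dict[str, Any]]:
    """Emulate `term` on related.hash: exact match on the normalized value,
    regardless of which field or algorithm produced it."""
    needle = normalize(value)
    return [e for e in events if needle in e.get("related", {}).get("hash", [])]


def match_iocs(events: Iterable[Dict[str, Any]], iocs: Iterable[str]) -> List[Tuple[Dict[str, Any], List[str]]]:
    """Detection-rule view: (event, matched hashes) for every event whose
    related.hash intersects an IOC list of mixed, unlabeled algorithms."""
    wanted = {normalize(i) for i in iocs}
    hits: List[Tuple[Dict[str, Any], List[str]]] = []
    for e in events:
        inter = sorted(wanted.intersection(e.get("related", {}).get("hash", [])))
        if inter:
            hits.append((e, inter))
    return hits


if __name__ == "__main__":
    indexed = [populate_related_hash(PAGE_EVENT), populate_related_hash(CONSTRUCTED_EVENT)]
    print(indexed[1]["related"]["hash"])
    print(len(match_hash(indexed, "3395856ce81f2b7382dee72602f798b642f14140")))
```

The skip of related.hash inside collect_hashes matters in practice: ingest pipelines get re-run, and without it a second pass would read its own output back in. The case normalization is the other thing to get right before relying on a term query; if the mapping uses a normalizer or the sources are already consistent, drop it, but do not mix the two.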
### Search query
```console
GET try-ecs-0001/_search
{
  "query": {
    "term": {
      "related.hash": {
        "value": "3395856ce81f2b7382dee72602f798b642f14140"
      }
    }
  }
}
```
```json
# Search hit
{
  "took" : 3,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 0.39556286,
    "hits" : [
      {
        "_index" : "try-ecs-0001",
        "_id" : "0001",
        "_score" : 0.39556286,
        "_source" : {
          "@timestamp" : 1651072073705,
          "file" : {
            "hash" : {
              "md5" : "44d88612fea8a8f36de82e1278abb02f",
              "sha1" : "3395856ce81f2b7382dee72602f798b642f14140",
              "sha256" : "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
            }
          },
          "related" : {
            "hash" : [
              "44d88612fea8a8f36de82e1278abb02f",
              "3395856ce81f2b7382dee72602f798b642f14140",
              "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
            ]
          }
        }
      }
    ]
  }
}
```