Hash Fields
The hash sub-fields represent cryptographic hash values associated with digital objects described elsewhere in the log (for example, files, processes, scripts, or executables). These fields are not standalone entities; they are appended to top-level object names to express object-specific properties, such as file_hash_md5 or process_hash_sha256.
Cryptographic hashes are fixed-length values derived from data using one-way mathematical functions such as MD5, SHA1, or SHA256. They serve as unique digital fingerprints that allow systems and analysts to verify the integrity or identity of an object without exposing its contents. In cybersecurity monitoring and digital forensics, hash values are commonly used to:
- Detect known malware or benign files through reputation and threat intelligence lookup.
- Verify the integrity of executables, configurations, or downloaded artifacts.
- Support correlation across diverse data sources by normalizing object identity.
Each field in this group corresponds to a specific algorithm:
- hash_md5 - 128-bit MD5 hash (legacy, collision-prone, often used for backward compatibility).
- hash_sha1 - 160-bit SHA1 hash (deprecated for integrity assurance but still encountered in older tools).
- hash_sha256 - 256-bit SHA2 hash (current best practice for integrity validation and threat correlation).
- hash_sha512 - 512-bit SHA2 hash (used when enhanced resistance to collisions is required).
- hash_imphash - Import hash derived from PE (Portable Executable) import tables, commonly used to identify similar Windows executables or malware families.
When defining object properties in logs, these fields provide consistent semantic meaning across different data sources, allowing for accurate normalization, correlation, and enrichment of security telemetry.
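As an added example (not part of this schema or its tooling), the following Python shows how a normalizer could emit these sub-fields for an object, reject values whose length or alphabet does not match the field's algorithm, and join two constructed sources on file_hash_sha256. The source-name aliases and the sample events are assumptions made for the example.

```python
import hashlib
import re

# Hex-digit length of each hash field, from the bit widths listed above.
HASH_FIELD_LENGTH = {"hash_md5": 32, "hash_sha1": 40, "hash_sha256": 64,
                     "hash_sha512": 128, "hash_imphash": 32}  # imphash is an MD5
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Assumed source-specific spellings (constructed for this example); real feeds vary.
SOURCE_ALIASES = {"md5": "hash_md5", "sha1": "hash_sha1", "sha-1": "hash_sha1",
                  "sha256": "hash_sha256", "sha-256": "hash_sha256",
                  "sha512": "hash_sha512", "imphash": "hash_imphash"}


def hash_fields(obj: str, data: bytes) -> dict:
    """Hash `data` and name each digest as a sub-field of `obj`, e.g. file_hash_sha256.
    hash_imphash is omitted: it comes from a parsed PE import table, not the raw bytes."""
    return {f"{obj}_hash_{alg}": getattr(hashlib, alg)(data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def normalize_hash_field(obj: str, name: str, value: str):
    """Map one source field to its schema name with a lowercased digest.
    Returns None for unknown names or values whose length/alphabet do not match
    the algorithm (e.g. a 32-hex value labelled sha256), so bad data is dropped."""
    schema = SOURCE_ALIASES.get(name.strip().lower())
    if schema is None:
        return None
    digest = value.strip().lower()
    if len(digest) != HASH_FIELD_LENGTH[schema] or not HEX_RE.match(digest):
        return None
    return f"{obj}_{schema}", digest


def normalize_record(source: str, obj: str, raw: dict) -> dict:
    """Normalize every hash-like field of a raw event into schema fields."""
    out = {"source": source}
    for name, value in raw.items():
        pair = normalize_hash_field(obj, name, str(value))
        if pair:
            out[pair[0]] = pair[1]
    return out


# Constructed sample: one downloaded file reported by two sensors in different shapes.
SAMPLE = b"constructed sample payload, not a real file\n"
EDR_EVENT = {"source": "edr", **hash_fields("file", SAMPLE)}
PROXY_EVENT = normalize_record("proxy", "file", {
    "SHA-256": hashlib.sha256(SAMPLE).hexdigest().upper(),  # same digest, other case
    "MD5": "not-a-hash"})                                   # malformed; rejected
SAME_FILE = EDR_EVENT["file_hash_sha256"] == PROXY_EVENT["file_hash_sha256"]  # join key
```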
| field | field_type | description | example_values |
|---|---|---|---|
| hash_md5 | keyword | MD5 hash value. | 4c583e00d47108f809282d5d595f5fb0 |
| hash_sha1 | keyword | SHA1 hash value. | 5d4d04eff6aba8467ebd26c43008ab028203be35 |
| hash_sha256 | keyword | SHA256 hash value. | |
| hash_sha512 | keyword | SHA512 hash value. | |
| hash_imphash | keyword | IMP hash value. | 0c2803c4e9a2102c4dc65963dad36cdf |
