Would like to discuss hashes; specifically, the one that comes to mind quickest is file hashes.
I found some things with auditbeat that have md5, sha1, etc.
I am thinking that we could use hash as a nested object, similar to how Geo fields are being used.
File hashes would then be something like:
file.hash.md5
file.hash.sha1
file.hash.sha256
Going on to something like x509/SSL/TLS certificates, it would then be something like:
tls.certificate.hash.md5
tls.certificate.hash.sha1
tls.certificate.hash.sha256
Going on to something like processes, for example Sysmon event ID 1, it would then be something like:
process.hash.md5
process.hash.sha1
process.hash.sha256
process.hash.imphash
This would then keep searching for hashes across disparate log sources simple, like:
*.hash.md5:60b725f10c9c85c70d97880dfe8191b3
Especially if/when we start adding source and destination file when doing more things from Sysmon/endpoint/EDR.
Excuse me if I am missing an open issue; I performed some searches in this repo and didn't find much in the issues.
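The nested layout proposed above, as an added example that is not part of the original post or the ECS project: three constructed events (file, process, TLS certificate) each carry a `hash` sub-object, and a single wildcard query like `*.hash.md5:<digest>` is emulated over all of them. Module names, paths and the imphash value are constructed; the md5 is the one quoted in the post.

```python
import fnmatch
import hashlib
from typing import Any, Dict, Iterator, List, Tuple

# Added example, not code from the ECS project. It models "hash" as a nested
# sub-object of file, tls.certificate and process, and shows why that makes one
# wildcard query work across sources that otherwise name their fields differently.

def digests(data: bytes) -> Dict[str, str]:
    """Hash object as proposed: md5/sha1/sha256 keyed under one nested field."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}

# Constructed sample content; md5(b"a\n") is the digest quoted in the post.
CONTENT = b"a\n"

# Constructed sample events from three different sources (field values are illustrative).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event": {"module": "auditbeat"},
     "file": {"path": "/tmp/a.txt", "hash": digests(CONTENT)}},
    {"event": {"module": "sysmon", "code": "1"},
     # Sysmon reports upper-case hex and adds an imphash; the sub-object extends cleanly.
     "process": {"name": "a.exe",
                 "hash": {**{k: v.upper() for k, v in digests(CONTENT).items()},
                          "imphash": "deadbeef" * 4}}},  # constructed placeholder imphash
    {"event": {"module": "packetbeat"},
     "tls": {"certificate": {"hash": digests(b"constructed certificate bytes")}}},
]

def flatten(doc: Dict[str, Any], prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted_field, value) pairs, e.g. ("file.hash.md5", "60b7...")."""
    for key, value in doc.items():
        field = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, field)
        else:
            yield field, value

def search_hash(events: List[Dict[str, Any]], field_pattern: str, digest: str) -> List[Tuple[int, str]]:
    """Emulate the query `*.hash.md5:<digest>` over events from disparate sources.
    Returns (event index, matching field). Hex digests are compared case-insensitively
    so upper-case Sysmon values still match a lower-case indicator value."""
    hits = []
    for idx, event in enumerate(events):
        for field, value in flatten(event):
            if fnmatch.fnmatchcase(field, field_pattern) and str(value).lower() == digest.lower():
                hits.append((idx, field))
    return hits

if __name__ == "__main__":
    print(search_hash(SAMPLE_EVENTS, "*.hash.md5", "60b725f10c9c85c70d97880dfe8191b3"))
```

The file and process events match the one md5 query while the certificate event does not, which is the cross-source pivot the nested object is meant to enable.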