Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added new hash fields #1678

Merged
merged 6 commits into from
Dec 1, 2021
Merged

Added new hash fields #1678

merged 6 commits into from
Dec 1, 2021

Conversation

dstepanic
Copy link
Contributor

@dstepanic dstepanic commented Dec 1, 2021
edited
Loading

  • Have you signed the contributor license agreement? yes
  • Have you followed the contributor guidelines? yes
  • For proposing substantial changes or additions to the schema, have you reviewed the RFC process? yes
  • If submitting code/script changes, have you verified all tests pass locally using make test? no script changes, only schema
  • If submitting schema/fields updates, have you generated new artifacts by running make and committed those changes? yes
  • Is your pull request against main? Unless there is a good reason otherwise, we prefer pull requests against main and will backport as needed. yes
  • Have you added an entry to the CHANGELOG.next.md? yes

Reference: #1620

@dstepanic dstepanic requested a review from kgeller December 1, 2021 13:58
@dstepanic dstepanic mentioned this pull request Dec 1, 2021
Closed
kgeller
kgeller approved these changes Dec 1, 2021
View reviewed changes
Copy link
Contributor

@kgeller kgeller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@ebeahan
Copy link
Member

ebeahan commented Dec 1, 2021

For the hash.* field set, ECS lists this guidance:

Note that this fieldset is used for common hashes that may be computed over a range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).

I'm not very familiar with either pehash or tlsh; are either of those entity-specific hash types?

@dstepanic
Copy link
Contributor Author

Yeh, so TLSH is a fuzzy matching hash used for similarity comparisons and is similar to ssdeep which is currently in the hash.* field set. But for pehash, it sounds to me like it fits more of the entity-specific hash type. I will go and move that under the pe schema.

@dstepanic dstepanic requested a review from kgeller December 1, 2021 15:21
ebeahan
ebeahan approved these changes Dec 1, 2021
View reviewed changes
Copy link
Member

@ebeahan ebeahan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dstepanic dstepanic merged commit 889cbd4 into elastic:main Dec 1, 2021
@dstepanic dstepanic deleted the hash_additions branch December 1, 2021 17:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ebeahan ebeahan ebeahan approved these changes

@kgeller kgeller Awaiting requested review from kgeller

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dstepanic @ebeahan @kgeller