User.hash vs. new hash.* fields

[vbohata]

#426 added hash.* fields but "user" already contains hash. So user.hash should become user.hash.*.

[andrewthad]

I agree with this. Would a PR for this be accepted?

[webmat]

It's a good point, thanks for offering to submit a PR.

Since this would be a breaking change, I suggest we keep that discussion open and consider it for ECS 2.0 / Elastic Stack 8.0.

[ebeahan]

Since this issue was opened, the hash.* field set has grown and guidance added that entity-specific hashes should be placed in their related fieldset (for example, ja3 is underneath tls.*).

I can see value to having the various hash.* types to hash the value of the user.*. However, I also see value in how the current user.hash field is described: "Unique user hash to correlate information for a user in anonymized form.".

Having a single field remain that holds the "anonymised" value of the user.name or user.id seems useful. Any thoughts?