TL;DR: Today there is no standard method to deterministically fingerprint a security event; instead, file hashes are used to fingerprint observables such as files. While file hashes are very useful from an IOC perspective, they carry no contextual event information, which makes life harder for detection engineers.

TTPHash to the rescue

While working on QLOG we came up with the idea of a fingerprint method for entire OS security events, providing a more reliable and less false-positive-prone way to do detection engineering in large-scale networks. We decided to implement a PoC of TTPHash in QLOG for process create events, so that we have a working piece of software to experiment with.

Anatomy of a TTPHash

Technically, TTPHash is a SHA-256 hash generated from the stable parts of a logged security event on Windows systems. It aims to fingerprint an entire security event, including its contextual information, rather than just fingerprinting PE files or binaries based on their ha
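To make the idea concrete, here is an added Python example (not QLOG's own code) that builds such a fingerprint for a process create event: it drops the volatile fields, canonicalizes the remaining ones and hashes them with SHA-256, so two occurrences of the same behaviour on different hosts collide while a different parent process does not. Which fields count as "stable", the user-profile normalization and the sample events are assumptions made for this illustration.

```python
import hashlib
import re

# Fields of a process-create event assumed to be stable across repeated
# executions of the same behaviour (an assumption, not QLOG's field set).
# Volatile fields (UtcTime, ProcessId, ProcessGuid, User) are left out so
# they cannot change the hash.
STABLE_FIELDS = ("ParentImage", "Image", "CommandLine", "IntegrityLevel")

# Matches a user profile directory so that per-user paths do not split the hash.
_USER_DIR = re.compile(r"c:\\users\\[^\\]+\\", re.IGNORECASE)


def canonicalize(value: str) -> str:
    """Lower-case, collapse whitespace and abstract the user profile directory."""
    value = " ".join(value.split()).lower()
    return _USER_DIR.sub(r"c:\\users\\<user>\\", value)


def ttphash(event: dict) -> str:
    """SHA-256 over the canonical stable fields, joined in a fixed order."""
    parts = [f"{name}={canonicalize(event.get(name, ''))}" for name in STABLE_FIELDS]
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()


def same_ttp(a: dict, b: dict) -> bool:
    """True when two events reduce to the same fingerprint."""
    return ttphash(a) == ttphash(b)


# Constructed sample events (not real telemetry): the same behaviour seen for
# two users on two hosts, plus a variant launched from a different parent.
EVENT_A = {
    "UtcTime": "2024-03-01 09:12:44.123", "ProcessId": "4812", "User": "CORP\\alice",
    "ParentImage": r"C:\Windows\explorer.exe",
    "Image": r"C:\Windows\System32\notepad.exe",
    "CommandLine": r"notepad.exe C:\Users\alice\Documents\notes.txt",
    "IntegrityLevel": "Medium",
}
EVENT_B = dict(EVENT_A, UtcTime="2024-03-02 17:40:01.557", ProcessId="912",
               User="CORP\\bob", Image=r"C:\WINDOWS\system32\NOTEPAD.EXE",
               CommandLine=r"notepad.exe   C:\Users\Bob\Documents\notes.txt")
EVENT_C = dict(EVENT_A, ParentImage=r"C:\Windows\System32\cmd.exe")

if __name__ == "__main__":
    for name, ev in (("A", EVENT_A), ("B", EVENT_B), ("C", EVENT_C)):
        print(name, ttphash(ev))
    print("A == B:", same_ttp(EVENT_A, EVENT_B), "| A == C:", same_ttp(EVENT_A, EVENT_C))
```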