In the current DHO there are 3 fields related to malware hashes ('malware.hash', 'malware.hash.md5' and 'malware.hash.sha1'), but one of them ('malware.hash') is not compliant with the current internal message structure (technical details can be found in issue 732).
Since it's a bug that needs to be fixed and affects the DHO, I would like to propose the only three approaches that I see (maybe there are more...) to solve this issue, and I would like to have your feedback so that we can reach an agreement.
Approaches:
1. Rename the key 'malware.hash' to something like 'malware.hash.other' for situations where we see a feed providing a different type of hash
2. Remove the key 'malware.hash' and keep with the other two ones
3. Remove the keys 'malware.hash.md5' and 'malware.hash.sha1' and only use the key 'malware.hash' for all types of hash. With this approach, if a feed provides md5 and sha1 hashes in the same event, we will not be able to store both.
The chosen approach is the first one. If you have a chance, please take a few minutes to give your feedback so we can see whether everyone is comfortable with that.
Thank you in advance.
Cheers!
--
Tomás Lima, »-« SYNchroACK »-«
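As an added illustration of the first approach (this is example code written for this page, not part of IntelMQ or the DHO), the snippet below maps the hashes a feed delivers for one event onto 'malware.hash.md5', 'malware.hash.sha1' and the proposed 'malware.hash.other'. The DHO does not specify how a harmonizer should decide which key a hash belongs under; classifying by hex length (32 for md5, 40 for sha1, anything else is "other") is an assumption made here for the example. It also shows the limitation mentioned under approach 3 from the other side: because each key holds one value, two different hashes of the same type in one event are rejected rather than silently overwritten. The sample hashes are the well-known md5, sha1 and sha256 digests of the empty input, plus a constructed non-hex string standing in for a feed-specific hash format.

```python
import re

# Existing DHO keys, plus the key proposed in the message above (approach 1).
HASH_KEYS = {
    "md5": "malware.hash.md5",
    "sha1": "malware.hash.sha1",
}
OTHER_KEY = "malware.hash.other"

# Assumption for this example: hash type is inferred from hex length.
# The DHO itself does not define such a rule.
_HEX = re.compile(r"[0-9a-fA-F]+")
_LENGTH_TO_TYPE = {32: "md5", 40: "sha1"}


def classify_hash(value: str) -> str:
    """Return 'md5', 'sha1' or 'other' for a hash string from a feed."""
    value = value.strip()
    if not _HEX.fullmatch(value):
        # Not plain hex (e.g. an ssdeep-style 'n:a:b' string): cannot be md5/sha1.
        return "other"
    return _LENGTH_TO_TYPE.get(len(value), "other")


def harmonize_hashes(hashes):
    """Map the hash strings of one event onto DHO keys.

    Every key can hold a single value, so a second, different hash of the
    same type in the same event raises instead of overwriting the first.
    """
    event = {}
    for raw in hashes:
        kind = classify_hash(raw)
        key = HASH_KEYS.get(kind, OTHER_KEY)
        value = raw.strip()
        if kind in HASH_KEYS:
            value = value.lower()  # hex digests compare case-insensitively
        if key in event and event[key] != value:
            raise ValueError(
                f"event already has {key}={event[key]!r}, cannot also store {value!r}"
            )
        event[key] = value
    return event


# Constructed sample input: digests of the empty input and one non-hex string.
SAMPLE_HASHES = [
    "d41d8cd98f00b204e9800998ecf8427e",                                   # md5
    "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",                           # sha1, upper-case
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",   # sha256 -> other
    "3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C",                           # constructed, non-hex
]


def sample_event():
    """Harmonize the first three sample hashes (one of each key) for one event."""
    return harmonize_hashes(SAMPLE_HASHES[:3])


if __name__ == "__main__":
    for key, value in sorted(sample_event().items()):
        print(f"{key} = {value}")
    try:
        # sha256 and the ssdeep-style string both land on 'malware.hash.other'
        harmonize_hashes(SAMPLE_HASHES)
    except ValueError as exc:
        print("rejected:", exc)
```

Note that the sha256 digest and the non-hex string would both compete for 'malware.hash.other', so even with approach 1 a feed that ships several non-md5/sha1 hash types per event still needs a decision on which one to keep; the example surfaces that as an error rather than choosing for you.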