Add PE field set under dll, file and process (elastic#731)

CHANGELOG.next.md

@@ -16,6 +16,7 @@ Thanks, you're awesome :-) -->
 
 #### Added
 * Added `dll.*` fields (#679)
+* Fieldset for PE metadata. #731
 
 #### Improvements
 

docs/field-details.asciidoc

@@ -931,6 +931,12 @@ example: `C:\Windows\System32\kernel32.dll`
 // ===============================================================
 
 
+| <<ecs-pe,dll.pe.*>>
+| These fields contain Windows Portable Executable (PE) metadata.
+
+// ===============================================================
+
+
 |=====
 
 [[ecs-dns]]
@@ -2049,6 +2055,12 @@ example: `1001`
 // ===============================================================
 
 
+| <<ecs-pe,file.pe.*>>
+| These fields contain Windows Portable Executable (PE) metadata.
+
+// ===============================================================
+
+
 |=====
 
 [[ecs-geo]]
@@ -3585,6 +3597,95 @@ example: `1.12.9`
 
 |=====
 
+[[ecs-pe]]
+=== PE Header Fields
+
+These fields contain Windows Portable Executable (PE) metadata.
+
+==== PE Header Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+| pe.company
+| Internal company name of the file, provided at compile-time.
+
+type: keyword
+
+
+
+example: `Microsoft Corporation`
+
+| extended
+
+// ===============================================================
+
+| pe.description
+| Internal description of the file, provided at compile-time.
+
+type: keyword
+
+
+
+example: `Paint`
+
+| extended
+
+// ===============================================================
+
+| pe.file_version
+| Internal version of the file, provided at compile-time.
+
+type: keyword
+
+
+
+example: `6.3.9600.17415`
+
+| extended
+
+// ===============================================================
+
+| pe.original_file_name
+| Internal name of the file, provided at compile-time.
+
+type: keyword
+
+
+
+example: `MSPAINT.EXE`
+
+| extended
+
+// ===============================================================
+
+| pe.product
+| Internal product name of the file, provided at compile-time.
+
+type: keyword
+
+
+
+example: `Microsoft® Windows® Operating System`
+
+| extended
+
+// ===============================================================
+
+|=====
+
+==== Field Reuse
+
+The `pe` fields are expected to be nested at: `dll.pe`, `file.pe`, `process.pe`.
+
+Note also that the `pe` fields are not expected to be used directly at the top level.
+
+
+
+
 [[ecs-process]]
 === Process Fields
 
@@ -4103,6 +4204,12 @@ example: `/home/alice`
 // ===============================================================
 
 
+| <<ecs-pe,process.pe.*>>
+| These fields contain Windows Portable Executable (PE) metadata.
+
+// ===============================================================
+
+
 |=====
 
 [[ecs-registry]]

docs/fields.asciidoc

@@ -66,6 +66,8 @@ all fields are defined.
 
 | <<ecs-package,Package>> | These fields contain information about an installed software package.
 
+| <<ecs-pe,PE Header>> | These fields contain Windows Portable Executable (PE) metadata.
+
 | <<ecs-process,Process>> | These fields contain information about a process.
 
 | <<ecs-registry,Registry>> | Fields related to Windows Registry operations.

generated/beats/fields.ecs.yml

@@ -749,6 +749,41 @@
       description: Full file path of the library.
       example: C:\Windows\System32\kernel32.dll
       default_field: false
+    - name: pe.company
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      default_field: false
+    - name: pe.description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      default_field: false
+    - name: pe.file_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      default_field: false
+    - name: pe.original_file_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      default_field: false
+    - name: pe.product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
   - name: dns
     title: DNS
     group: 2
@@ -1367,6 +1402,41 @@
       description: Full path to the file, including the file name. It should include
         the drive letter, when appropriate.
       example: /home/alice/example.png
+    - name: pe.company
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      default_field: false
+    - name: pe.description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      default_field: false
+    - name: pe.file_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      default_field: false
+    - name: pe.original_file_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      default_field: false
+    - name: pe.product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
     - name: size
       level: extended
       type: long
@@ -2405,6 +2475,47 @@
       ignore_above: 1024
       description: Package version
       example: 1.12.9
+  - name: pe
+    title: PE Header
+    group: 2
+    description: These fields contain Windows Portable Executable (PE) metadata.
+    type: group
+    fields:
+    - name: company
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      default_field: false
+    - name: description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      default_field: false
+    - name: file_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      default_field: false
+    - name: original_file_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      default_field: false
+    - name: product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
   - name: process
     title: Process
     group: 2
@@ -2669,6 +2780,41 @@
       description: The working directory of the process.
       example: /home/alice
       default_field: false
+    - name: pe.company
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal company name of the file, provided at compile-time.
+      example: Microsoft Corporation
+      default_field: false
+    - name: pe.description
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal description of the file, provided at compile-time.
+      example: Paint
+      default_field: false
+    - name: pe.file_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal version of the file, provided at compile-time.
+      example: 6.3.9600.17415
+      default_field: false
+    - name: pe.original_file_name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal name of the file, provided at compile-time.
+      example: MSPAINT.EXE
+      default_field: false
+    - name: pe.product
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Internal product name of the file, provided at compile-time.
+      example: "Microsoft\xAE Windows\xAE Operating System"
+      default_field: false
     - name: pgid
       level: extended
       type: long