diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 99a14e0613..ef3e354452 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -16,6 +16,7 @@ Thanks, you're awesome :-) --> #### Added * Added `dll.*` fields (#679) +* Fieldset for PE metadata. #731 #### Improvements
diff --git a/code/go/ecs/pe.go b/code/go/ecs/pe.go
new file mode 100644
index 0000000000..983585597a
--- /dev/null
+++ b/code/go/ecs/pe.go
@@ -0,0 +1,38 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+// These fields contain Windows Portable Executable (PE) metadata.
+type Pe struct {
+ // Internal name of the file, provided at compile-time.
+ OriginalFileName string `ecs:"original_file_name"`
+
+ // Internal version of the file, provided at compile-time.
+ FileVersion string `ecs:"file_version"`
+
+ // Internal description of the file, provided at compile-time.
+ Description string `ecs:"description"`
+
+ // Internal product name of the file, provided at compile-time.
+ Product string `ecs:"product"`
+
+ // Internal company name of the file, provided at compile-time.
+ Company string `ecs:"company"`
+}
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 02e5b752f7..10dd88f038 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -931,6 +931,12 @@ example: `C:\Windows\System32\kernel32.dll` // =============================================================== +| <> +| These fields contain Windows Portable Executable (PE) metadata. + +// =============================================================== + + |===== [[ecs-dns]] @@ -2049,6 +2055,12 @@ example: `1001` // =============================================================== +| <> +| These fields contain Windows Portable Executable (PE) metadata. + +// =============================================================== + + |===== [[ecs-geo]] 
@@ -3585,6 +3597,95 @@ example: `1.12.9` |===== +[[ecs-pe]] +=== PE Header Fields + +These fields contain Windows Portable Executable (PE) metadata. + +==== PE Header Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| pe.company +| Internal company name of the file, provided at compile-time. + +type: keyword + + + +example: `Microsoft Corporation` + +| extended + +// =============================================================== + +| pe.description +| Internal description of the file, provided at compile-time. + +type: keyword + + + +example: `Paint` + +| extended + +// =============================================================== + +| pe.file_version +| Internal version of the file, provided at compile-time. + +type: keyword + + + +example: `6.3.9600.17415` + +| extended + +// =============================================================== + +| pe.original_file_name +| Internal name of the file, provided at compile-time. + +type: keyword + + + +example: `MSPAINT.EXE` + +| extended + +// =============================================================== + +| pe.product +| Internal product name of the file, provided at compile-time. + +type: keyword + + + +example: `Microsoft® Windows® Operating System` + +| extended + +// =============================================================== + +|===== + +==== Field Reuse + +The `pe` fields are expected to be nested at: `dll.pe`, `file.pe`, `process.pe`. + +Note also that the `pe` fields are not expected to be used directly at the top level. + + + + [[ecs-process]] === Process Fields @@ -4103,6 +4204,12 @@ example: `/home/alice` // =============================================================== +| <> +| These fields contain Windows Portable Executable (PE) metadata. + +// =============================================================== + + |===== [[ecs-registry]] 
diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index 43b6ecd0db..47f60f48da 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -66,6 +66,8 @@ all fields are defined. | <> | These fields contain information about an installed software package. +| <> | These fields contain Windows Portable Executable (PE) metadata. + | <> | These fields contain information about a process. | <> | Fields related to Windows Registry operations. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 40db8c0f2a..8a66797378 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -749,6 +749,41 @@ description: Full file path of the library. example: C:\Windows\System32\kernel32.dll default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: dns title: DNS group: 2 
@@ -1367,6 +1402,41 @@ description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: size level: extended type: long 
@@ -2405,6 +2475,47 @@ ignore_above: 1024 description: Package version example: 1.12.9 + - name: pe + title: PE Header + group: 2 + description: These fields contain Windows Portable Executable (PE) metadata. + type: group + fields: + - name: company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: process title: Process group: 2 
@@ -2669,6 +2780,41 @@ description: The working directory of the process. example: /home/alice default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: pgid level: extended type: long diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 6c064558eb..4af0e4ebe8 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -96,6 +96,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. 1.5.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. 1.5.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +1.5.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.5.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.5.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.5.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.5.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.5.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 1.5.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. 1.5.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. 
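Review bot: The added `dll.pe.file_version` row ends with the description `Process name.`, which is a copy-paste leftover — the same field is described as `Internal version of the file, provided at compile-time.` in the field-details docs and in the `description:` of every generated YAML entry in this diff, while the `short:` of each `*.pe.file_version` entry in the ecs_flat.yml and ecs_nested.yml hunks carries the same stray `Process name.` text. The CSV description column appears to be derived from `short`, so the fix belongs in the `short` of `file_version` in the schema source the generator reads (not shown here), followed by a regeneration; the row should then read `1.5.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,"Internal version of the file, provided at compile-time."`. The same defect appears in the file, pe and process CSV hunks that follow and in the ecs_flat.yml and ecs_nested.yml hunks for dll, file, pe and process.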
@@ -164,6 +169,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. 1.5.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." 1.5.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.5.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.5.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.5.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.5.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.5.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.5.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. 1.5.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. 1.5.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. 
@@ -304,6 +314,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. 1.5.0-dev,true,package,package.type,keyword,extended,,rpm,Package type 1.5.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version +1.5.0-dev,true,pe,pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.5.0-dev,true,pe,pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.5.0-dev,true,pe,pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.5.0-dev,true,pe,pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.5.0-dev,true,pe,pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.5.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. 1.5.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. 1.5.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
@@ -341,6 +356,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. 1.5.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. 1.5.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.5.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.5.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.5.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.5.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.5.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.5.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 1.5.0-dev,true,process,process.pid,long,core,,4242,Process id. 1.5.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index b0b4278b18..2311f18445 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1184,6 +1184,71 @@ dll.path: order: 1 short: Full file path of the library. type: keyword +dll.pe.company: + dashed_name: dll-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: dll.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + order: 4 + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +dll.pe.description: + dashed_name: dll-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: dll.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + order: 2 + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +dll.pe.file_version: + dashed_name: dll-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: dll.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + order: 1 + original_fieldset: pe + short: Process name. + type: keyword +dll.pe.original_file_name: + dashed_name: dll-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: dll.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + order: 0 + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +dll.pe.product: + dashed_name: dll-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: dll.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + order: 3 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword dns.answers: dashed_name: dns-answers description: 'An array containing an object for each answer section returned by 
@@ -2418,6 +2483,71 @@ file.path: order: 4 short: Full path to the file, including the file name. type: keyword +file.pe.company: + dashed_name: file-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: file.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + order: 4 + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +file.pe.description: + dashed_name: file-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: file.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + order: 2 + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +file.pe.file_version: + dashed_name: file-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: file.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + order: 1 + original_fieldset: pe + short: Process name. + type: keyword +file.pe.original_file_name: + dashed_name: file-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: file.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + order: 0 + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +file.pe.product: + dashed_name: file-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: file.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + order: 3 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword file.size: dashed_name: file-size description: 'File size in bytes. 
@@ -4205,6 +4335,71 @@ package.version: order: 1 short: Package version type: keyword +pe.company: + dashed_name: pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + order: 4 + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +pe.description: + dashed_name: pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + order: 2 + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +pe.file_version: + dashed_name: pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + order: 1 + original_fieldset: pe + short: Process name. + type: keyword +pe.original_file_name: + dashed_name: pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + order: 0 + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +pe.product: + dashed_name: pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + order: 3 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword process.args: dashed_name: process-args description: 'Array of process arguments, starting with the absolute path to the 
@@ -4627,6 +4822,71 @@ process.parent.working_directory: order: 27 short: The working directory of the process. type: keyword +process.pe.company: + dashed_name: process-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + order: 4 + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + order: 2 + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + order: 1 + original_fieldset: pe + short: Process name. + type: keyword +process.pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + order: 0 + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. 
+ example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: process.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + order: 3 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword process.pgid: dashed_name: process-pgid description: Identifier of the group of processes the process belongs to. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 5c8b322305..c0016813c9 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -1364,10 +1364,76 @@ dll: order: 1 short: Full file path of the library. type: keyword + pe.company: + dashed_name: dll-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: dll.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + order: 4 + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + pe.description: + dashed_name: dll-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: dll.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + order: 2 + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + pe.file_version: + dashed_name: dll-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: dll.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + order: 1 + original_fieldset: pe + short: Process name. + type: keyword + pe.original_file_name: + dashed_name: dll-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: dll.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + order: 0 + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + pe.product: + dashed_name: dll-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: dll.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + order: 3 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword group: 2 name: dll nestings: - hash + - pe prefix: dll. short: These fields contain information about code libraries dynamically loaded into processes. 
@@ -2681,6 +2747,71 @@ file: order: 4 short: Full path to the file, including the file name. type: keyword + pe.company: + dashed_name: file-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: file.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + order: 4 + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + pe.description: + dashed_name: file-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: file.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + order: 2 + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + pe.file_version: + dashed_name: file-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: file.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + order: 1 + original_fieldset: pe + short: Process name. + type: keyword + pe.original_file_name: + dashed_name: file-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: file.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + order: 0 + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + pe.product: + dashed_name: file-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: file.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + order: 3 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword size: dashed_name: file-size description: 'File size in bytes. @@ -2738,6 +2869,7 @@ file: name: file nestings: - hash + - pe prefix: file. short: Fields describing files. title: File 
@@ -4601,6 +4733,81 @@ package: short: These fields contain information about an installed software package. title: Package type: group +pe: + description: These fields contain Windows Portable Executable (PE) metadata. + fields: + company: + dashed_name: pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + order: 4 + short: Internal company name of the file, provided at compile-time. + type: keyword + description: + dashed_name: pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + order: 2 + short: Internal description of the file, provided at compile-time. + type: keyword + file_version: + dashed_name: pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + order: 1 + short: Process name. + type: keyword + original_file_name: + dashed_name: pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + order: 0 + short: Internal name of the file, provided at compile-time. + type: keyword + product: + dashed_name: pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + order: 3 + short: Internal product name of the file, provided at compile-time. + type: keyword + group: 2 + name: pe + prefix: pe. 
+ reusable: + expected: + - file + - dll + - process + top_level: false + short: These fields contain Windows Portable Executable (PE) metadata. + title: PE Header + type: group process: description: 'These fields contain information about a process. 
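Review bot: The fieldset `description:` (`These fields contain Windows Portable Executable (PE) metadata.`) does not say that these values are self-declared by whoever built the file; the per-field `provided at compile-time` hints at it, but a reader writing detections on `pe.company` or `pe.product` could read a value such as `Microsoft Corporation` as evidence of origin, which it is not, since nothing here ties the strings to a signature or hash. Suggest extending the fieldset description, in the schema source this file is generated from (not shown here), with a sentence such as `These values are set by the file's author and are not verified; they should not be treated as proof of origin or authenticity.` The enclosing `pe:` mapping starts in the previous hunk line of this diff.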
@@ -5030,6 +5237,71 @@ process:
 order: 27
 short: The working directory of the process.
 type: keyword
+ pe.company:
+ dashed_name: process-pe-company
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ flat_name: process.pe.company
+ ignore_above: 1024
+ level: extended
+ name: company
+ normalize: []
+ order: 4
+ original_fieldset: pe
+ short: Internal company name of the file, provided at compile-time.
+ type: keyword
+ pe.description:
+ dashed_name: process-pe-description
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ flat_name: process.pe.description
+ ignore_above: 1024
+ level: extended
+ name: description
+ normalize: []
+ order: 2
+ original_fieldset: pe
+ short: Internal description of the file, provided at compile-time.
+ type: keyword
+ pe.file_version:
+ dashed_name: process-pe-file-version
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ flat_name: process.pe.file_version
+ ignore_above: 1024
+ level: extended
+ name: file_version
+ normalize: []
+ order: 1
+ original_fieldset: pe
+ short: Process name.
+ type: keyword
+ pe.original_file_name:
+ dashed_name: process-pe-original-file-name
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ flat_name: process.pe.original_file_name
+ ignore_above: 1024
+ level: extended
+ name: original_file_name
+ normalize: []
+ order: 0
+ original_fieldset: pe
+ short: Internal name of the file, provided at compile-time.
+ type: keyword
+ pe.product:
+ dashed_name: process-pe-product
+ description: Internal product name of the file, provided at compile-time.
+ example: "Microsoft\xAE Windows\xAE Operating System"
+ flat_name: process.pe.product
+ ignore_above: 1024
+ level: extended
+ name: product
+ normalize: []
+ order: 3
+ original_fieldset: pe
+ short: Internal product name of the file, provided at compile-time.
+ type: keyword
 pgid:
 dashed_name: process-pgid
 description: Identifier of the group of processes the process belongs to.
@@ -5151,6 +5423,7 @@ process:
 name: process
 nestings:
 - hash
+ - pe
 prefix: process.
 short: These fields contain information about a process.
 title: Process
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index f75b0ee1af..2bb1fab8bc 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -488,6 +488,30 @@
 "path": {
 "ignore_above": 1024,
 "type": "keyword"
+ },
+ "pe": {
+ "properties": {
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
 }
 }
 },
@@ -783,6 +807,30 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "pe": {
+ "properties": {
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "size": {
 "type": "long"
 },
@@ -1458,6 +1506,30 @@
 }
 }
 },
+ "pe": {
+ "properties": {
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "process": {
 "properties": {
 "args": {
@@ -1630,6 +1702,30 @@
 }
 }
 },
+ "pe": {
+ "properties": {
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "pgid": {
 "type": "long"
 },
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 7d4b3d6a23..7c2e8e7d7a 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -487,6 +487,30 @@
 "path": {
 "ignore_above": 1024,
 "type": "keyword"
+ },
+ "pe": {
+ "properties": {
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
 }
 }
 },
@@ -782,6 +806,30 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "pe": {
+ "properties": {
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "size": {
 "type": "long"
 },
@@ -1457,6 +1505,30 @@
 }
 }
 },
+ "pe": {
+ "properties": {
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "process": {
 "properties": {
 "args": {
@@ -1629,6 +1701,30 @@
 }
 }
 },
+ "pe": {
+ "properties": {
+ "company": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original_file_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "pgid": {
 "type": "long"
 },
diff --git a/schemas/pe.yml b/schemas/pe.yml
new file mode 100644
index 0000000000..ccc11289fe
--- /dev/null
+++ b/schemas/pe.yml
@@ -0,0 +1,47 @@
+---
+- name: pe
+ title: PE Header
+ group: 2
+ description: These fields contain Windows Portable Executable (PE) metadata.
+ type: group
+ reusable:
+ top_level: false
+ expected:
+ - file
+ - dll
+ - process
+ fields:
+
+ - name: original_file_name
+ level: extended
+ type: keyword
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+
+ - name: file_version
+ level: extended
+ type: keyword
+ short: Process name.
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+
+ - name: description
+ level: extended
+ type: keyword
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ - name: product
+ level: extended
+ type: keyword
+ description: Internal product name of the file, provided at compile-time.
+ example: Microsoft® Windows® Operating System
+
+ - name: company
+ level: extended
+ type: keyword
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
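Review bot: `short: Process name.` in the `file_version` entry is a copy/paste leftover, and it is what the generated YAML hunks at -4601 and -5030 emit as the summary for `pe.file_version` and `process.pe.file_version`. Drop the `short:` line so the generator fills it from `description`, as it visibly does for the other four fields, or set `short: Internal version of the file, provided at compile-time.`. The wording "provided at compile-time" also understates that these values come from the binary's own version-info resource and are set by whoever built or edited the file, so analysts should not read `pe.company` or `pe.original_file_name` as a trust signal; a one-line caveat in the fieldset `description`, e.g. `These values are self-reported by the binary and can be arbitrary; comparing pe.original_file_name with file.name helps spot renamed executables.`, would prevent that misreading. If `top_level: false` is meant to keep `pe` out of the template root, note that the 6/7 template hunks at -1458 and -1457 still add a root-level `pe` mapping, so it is worth confirming the generator honors the flag.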