From c371c734f4788c24f8a02660ee1173f1f05d293d Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Wed, 12 Feb 2020 13:56:22 -0700 Subject: [PATCH] Add DLL fieldset (#679) --- CHANGELOG.next.md | 1 + code/go/ecs/dll.go | 37 ++++++++++ docs/field-details.asciidoc | 78 +++++++++++++++++++- docs/fields.asciidoc | 2 + generated/beats/fields.ecs.yml | 57 ++++++++++++++ generated/csv/fields.csv | 6 ++ generated/ecs/ecs_flat.yml | 74 +++++++++++++++++++ generated/ecs/ecs_nested.yml | 98 +++++++++++++++++++++++++ generated/elasticsearch/6/template.json | 32 ++++++++ generated/elasticsearch/7/template.json | 32 ++++++++ schemas/dll.yml | 31 ++++++++ schemas/hash.yml | 1 + 12 files changed, 448 insertions(+), 1 deletion(-) create mode 100644 code/go/ecs/dll.go create mode 100644 schemas/dll.yml diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index fe3c9b8242..99a14e0613 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -15,6 +15,7 @@ Thanks, you're awesome :-) --> #### Bugfixes #### Added +* Added `dll.*` fields (#679) #### Improvements diff --git a/code/go/ecs/dll.go b/code/go/ecs/dll.go new file mode 100644 index 0000000000..3671e7096e --- /dev/null +++ b/code/go/ecs/dll.go 
@@ -0,0 +1,37 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+// These fields contain information about code libraries dynamically loaded
+// into processes.
+//
+// Many operating systems refer to "shared code libraries" with different
+// names, but this field set refers to all of the following:
+// * Dynamic-link library (`.dll`) commonly used on Windows
+// * Shared Object (`.so`) commonly used on Unix-like operating systems
+// * Dynamic library (`.dylib`) commonly used on macOS
+type Dll struct {
+	// Name of the library.
+	// This generally maps to the name of the file on disk.
+	Name string `ecs:"name"`
+
+	// Full file path of the library.
+	Path string `ecs:"path"`
+}
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index a6e5f024f2..02e5b752f7 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -855,6 +855,82 @@ example: `co.uk` // =============================================================== +|===== + +[[ecs-dll]] +=== DLL Fields + +These fields contain information about code libraries dynamically loaded into processes. + + + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: + +* Dynamic-link library (`.dll`) commonly used on Windows + +* Shared Object (`.so`) commonly used on Unix-like operating systems + +* Dynamic library (`.dylib`) commonly used on macOS + +==== DLL Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| dll.name +| Name of the library. + +This generally maps to the name of the file on disk. + +type: keyword + + + +example: `kernel32.dll` + +| core + +// =============================================================== + +| dll.path +| Full file path of the library. + +type: keyword + + + +example: `C:\Windows\System32\kernel32.dll` + +| extended + +// =============================================================== + +|===== + +==== Field Reuse + + + + +[[ecs-dll-nestings]] +===== Field sets that can be nested under DLL + +[options="header"] +|===== +| Nested fields | Description + +// =============================================================== + + +| <> +| Hashes, usually file hashes. + +// =============================================================== + + |===== [[ecs-dns]] @@ -2245,7 +2321,7 @@ type: keyword ==== Field Reuse -The `hash` fields are expected to be nested at: `file.hash`, `process.hash`, `process.parent.hash`. +The `hash` fields are expected to be nested at: `dll.hash`, `file.hash`, `process.hash`, `process.parent.hash`. Note also that the `hash` fields are not expected to be used directly at the top level. diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index c3a11635b1..43b6ecd0db 100644 --- a/docs/fields.asciidoc 
+++ b/docs/fields.asciidoc @@ -32,6 +32,8 @@ all fields are defined. | <> | Fields about the destination side of a network connection, used with source. +| <> | These fields contain information about code libraries dynamically loaded into processes. + | <> | Fields describing DNS queries and answers. | <> | Meta-information specific to ECS. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 781def75cd..40db8c0f2a 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -692,6 +692,63 @@ default_field: false description: Short name or login of the user. example: albert + - name: dll + title: DLL + group: 2 + description: 'These fields contain information about code libraries dynamically + loaded into processes. + + + Many operating systems refer to "shared code libraries" with different names, + but this field set refers to all of the following: + + * Dynamic-link library (`.dll`) commonly used on Windows + + * Shared Object (`.so`) commonly used on Unix-like operating systems + + * Dynamic library (`.dylib`) commonly used on macOS' + type: group + fields: + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the library. + + This generally maps to the name of the file on disk.' + example: kernel32.dll + default_field: false + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Full file path of the library. + example: C:\Windows\System32\kernel32.dll + default_field: false - name: dns title: DNS group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 0caa98ed32..6c064558eb 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -90,6 +90,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifiers of the user. 1.5.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user. 1.5.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +1.5.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +1.5.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +1.5.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +1.5.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +1.5.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +1.5.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. 1.5.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 1.5.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. 1.5.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 4f601773f2..b0b4278b18 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1110,6 +1110,80 @@ destination.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +dll.hash.md5: + dashed_name: dll-hash-md5 + description: MD5 hash. + flat_name: dll.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + order: 0 + original_fieldset: hash + short: MD5 hash. + type: keyword +dll.hash.sha1: + dashed_name: dll-hash-sha1 + description: SHA1 hash. + flat_name: dll.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + order: 1 + original_fieldset: hash + short: SHA1 hash. + type: keyword +dll.hash.sha256: + dashed_name: dll-hash-sha256 + description: SHA256 hash. + flat_name: dll.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + order: 2 + original_fieldset: hash + short: SHA256 hash. + type: keyword +dll.hash.sha512: + dashed_name: dll-hash-sha512 + description: SHA512 hash. + flat_name: dll.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + order: 3 + original_fieldset: hash + short: SHA512 hash. + type: keyword +dll.name: + dashed_name: dll-name + description: 'Name of the library. + + This generally maps to the name of the file on disk.' + example: kernel32.dll + flat_name: dll.name + ignore_above: 1024 + level: core + name: name + normalize: [] + order: 0 + short: Name of the library. + type: keyword +dll.path: + dashed_name: dll-path + description: Full file path of the library. + example: C:\Windows\System32\kernel32.dll + flat_name: dll.path + ignore_above: 1024 + level: extended + name: path + normalize: [] + order: 1 + short: Full file path of the library. + type: keyword dns.answers: dashed_name: dns-answers description: 'An array containing an object for each answer section returned by diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 6bba4737c8..5c8b322305 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -1276,6 +1276,103 @@ destination: short: Fields about the destination side of a network connection, used with source. title: Destination type: group +dll: + description: 'These fields contain information about code libraries dynamically + loaded into processes. + + + Many operating systems refer to "shared code libraries" with different names, + but this field set refers to all of the following: + + * Dynamic-link library (`.dll`) commonly used on Windows + + * Shared Object (`.so`) commonly used on Unix-like operating systems + + * Dynamic library (`.dylib`) commonly used on macOS' + fields: + hash.md5: + dashed_name: dll-hash-md5 + description: MD5 hash. + flat_name: dll.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + order: 0 + original_fieldset: hash + short: MD5 hash. + type: keyword + hash.sha1: + dashed_name: dll-hash-sha1 + description: SHA1 hash. + flat_name: dll.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + order: 1 + original_fieldset: hash + short: SHA1 hash. + type: keyword + hash.sha256: + dashed_name: dll-hash-sha256 + description: SHA256 hash. + flat_name: dll.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + order: 2 + original_fieldset: hash + short: SHA256 hash. + type: keyword + hash.sha512: + dashed_name: dll-hash-sha512 + description: SHA512 hash. + flat_name: dll.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + order: 3 + original_fieldset: hash + short: SHA512 hash. + type: keyword + name: + dashed_name: dll-name + description: 'Name of the library. + + This generally maps to the name of the file on disk.' + example: kernel32.dll + flat_name: dll.name + ignore_above: 1024 + level: core + name: name + normalize: [] + order: 0 + short: Name of the library. + type: keyword + path: + dashed_name: dll-path + description: Full file path of the library. 
+ example: C:\Windows\System32\kernel32.dll + flat_name: dll.path + ignore_above: 1024 + level: extended + name: path + normalize: [] + order: 1 + short: Full file path of the library. + type: keyword + group: 2 + name: dll + nestings: + - hash + prefix: dll. + short: These fields contain information about code libraries dynamically loaded + into processes. + title: DLL + type: group dns: description: 'Fields describing DNS queries and answers. @@ -2876,6 +2973,7 @@ hash: - file - process - process.parent + - dll top_level: false short: Hashes, usually file hashes. title: Hash diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index c89f9b6948..f75b0ee1af 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -459,6 +459,38 @@ } } }, + "dll": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "dns": { "properties": { "answers": { diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 70375f4c9a..7d4b3d6a23 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -458,6 +458,38 @@ } } }, + "dll": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "dns": { "properties": { "answers": { diff --git a/schemas/dll.yml b/schemas/dll.yml new file mode 100644 index 0000000000..f4bf90a2c5 --- /dev/null +++ b/schemas/dll.yml @@ -0,0 +1,31 @@ +--- +- name: dll + title: DLL + group: 2 + short: These fields contain information about code libraries dynamically loaded into processes. + description: |- + These fields contain information about code libraries dynamically loaded into processes. + + Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: + * Dynamic-link library (`.dll`) commonly used on Windows + * Shared Object (`.so`) commonly used on Unix-like operating systems + * Dynamic library (`.dylib`) commonly used on macOS + type: group + + fields: + + - name: name + level: core + type: keyword + short: Name of the library. + description: > + Name of the library. + + This generally maps to the name of the file on disk. + example: kernel32.dll + + - name: path + level: extended + type: keyword + description: Full file path of the library. + example: C:\Windows\System32\kernel32.dll diff --git a/schemas/hash.yml b/schemas/hash.yml index 1c6f21c131..08de3e0d29 100644 --- a/schemas/hash.yml +++ b/schemas/hash.yml @@ -17,6 +17,7 @@ - file - process - process.parent + - dll fields:
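Review bot: The `dll.name` description in the new schemas/dll.yml should warn that the name is chosen by whoever placed the file, so a detection keyed on `dll.name` alone cannot tell a legitimate library from a sideloaded or search-order-hijacked one that carries the same name and differs only in `dll.path` and `dll.hash.*`. I would extend the `name` description to `This generally maps to the name of the file on disk. The name alone does not identify the code: compare dll.path and dll.hash.* before treating a well-known name as the expected library.` The `path` description says only "Full file path of the library"; if producers also report modules that are not backed by a file on disk (an inference, the hunk does not say), a sentence stating that `dll.path` may then be absent and consumers should fall back to `dll.name` and the hashes would keep the field's contract explicit. Since the DLL fieldset reuses `hash` (the accompanying schemas/hash.yml hunk adds `dll` to its expected nestings), it may also be worth stating in the fieldset description that `dll.hash.sha256` is the preferred key for correlation, with `md5`/`sha1` kept for lookup against older intelligence feeds.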