diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 9947f6e2f2..1d7ec0b444 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -19,6 +19,7 @@ Thanks, you're awesome :-) -->
 #### Added
+* `elf.*` field set added as beta. #1410
 * Remove `beta` from `orchestrator` field set. #1417
 #### Improvements
diff --git a/code/go/ecs/elf.go b/code/go/ecs/elf.go
new file mode 100644
index 0000000000..ee17c2870f
--- /dev/null
+++ b/code/go/ecs/elf.go
@@ -0,0 +1,123 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+import (
+ "time"
+)
+
+// These fields contain Linux Executable Linkable Format (ELF) metadata.
+type Elf struct {
+ // Extracted when possible from the file's metadata. Indicates when it was
+ // built or compiled. It can also be faked by malware creators.
+ CreationDate time.Time `ecs:"creation_date"`
+
+ // Machine architecture of the ELF file.
+ Architecture string `ecs:"architecture"`
+
+ // Byte sequence of ELF file.
+ ByteOrder string `ecs:"byte_order"`
+
+ // CPU type of the ELF file.
+ CpuType string `ecs:"cpu_type"`
+
+ // Header class of the ELF file.
+ HeaderClass string `ecs:"header.class"`
+
+ // Data table of the ELF header.
+ HeaderData string `ecs:"header.data"`
+
+ // Application Binary Interface (ABI) of the Linux OS.
+ HeaderOsAbi string `ecs:"header.os_abi"`
+
+ // Header type of the ELF file.
+ HeaderType string `ecs:"header.type"`
+
+ // Version of the ELF header.
+ HeaderVersion string `ecs:"header.version"`
+
+ // Version of the ELF Application Binary Interface (ABI).
+ HeaderAbiVersion string `ecs:"header.abi_version"`
+
+ // Header entrypoint of the ELF file.
+ HeaderEntrypoint int64 `ecs:"header.entrypoint"`
+
+ // "0x1" for original ELF files.
+ HeaderObjectVersion string `ecs:"header.object_version"`
+
+ // An array containing an object for each section of the ELF file.
+ // The keys that should be present in these objects are defined by
+ // sub-fields underneath `elf.sections.*`.
+ Sections []Sections `ecs:"sections"`
+
+ // List of exported element names and types.
+ Exports map[string]interface{} `ecs:"exports"`
+
+ // List of imported element names and types.
+ Imports map[string]interface{} `ecs:"imports"`
+
+ // List of shared libraries used by this ELF object.
+ SharedLibraries string `ecs:"shared_libraries"`
+
+ // telfhash symbol hash for ELF file.
+ Telfhash string `ecs:"telfhash"`
+
+ // An array containing an object for each segment of the ELF file.
+ // The keys that should be present in these objects are defined by
+ // sub-fields underneath `elf.segments.*`.
+ Segments []Segments `ecs:"segments"`
+}
+
+type Sections struct {
+ // ELF Section List flags.
+ Flags string `ecs:"flags"`
+
+ // ELF Section List name.
+ Name string `ecs:"name"`
+
+ // ELF Section List offset.
+ PhysicalOffset string `ecs:"physical_offset"`
+
+ // ELF Section List type.
+ Type string `ecs:"type"`
+
+ // ELF Section List physical size.
+ PhysicalSize int64 `ecs:"physical_size"`
+
+ // ELF Section List virtual address.
+ VirtualAddress int64 `ecs:"virtual_address"`
+
+ // ELF Section List virtual size.
+ VirtualSize int64 `ecs:"virtual_size"`
+
+ // Shannon entropy calculation from the section.
+ Entropy int64 `ecs:"entropy"`
+
+ // Chi-square probability distribution of the section.
+ Chi2 int64 `ecs:"chi2"`
+}
+
+type Segments struct {
+ // ELF object segment type.
+ Type string `ecs:"type"`
+
+ // ELF object segment sections.
+ Sections string `ecs:"sections"`
+}
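Review bot: `Entropy int64` and `Chi2 int64` in the `Sections` struct (mirrored by `type: long` for `elf.sections.entropy` and `elf.sections.chi2` in the docs and generated YAML hunks further down) hold values that are fractional by definition: per-section Shannon entropy is a real number in the range 0 to 8 bits and a chi-square statistic is likewise non-integral, so a long mapping truncates `7.98` to `7` and flattens exactly the distinctions a per-section entropy is usually recorded for, such as spotting packed or encrypted sections. This file is generated, so the correction belongs in the schema definition that feeds `scripts/gocodegen.go`, changing both fields to a floating-point type so the regenerated line reads `Entropy float64 \`ecs:"entropy"\`` rather than hand-editing here. A second, smaller point is that `Sections` and `Segments` are exported package-level types in `ecs` with generic names, which will collide if any other field set later gains sections; a prefixed name like `ElfSections` in the generator would avoid that. `SharedLibraries string` for a field the CSV hunks mark with `array` normalization looks like a pre-existing generator limitation rather than something this commit introduces, and is only worth a follow-up.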
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index b0f96b297d..a18639a396 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -1849,6 +1849,517 @@ example: `1.0.0` |===== +[[ecs-elf]] +=== ELF Header Fields + +These fields contain Linux Executable Linkable Format (ELF) metadata. + +beta::[ These fields are in beta and are subject to change.] + +[discrete] +==== ELF Header Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| +[[field-elf-architecture]] +<> + +| Machine architecture of the ELF file. + +type: keyword + + + +example: `x86-64` + +| extended + +// =============================================================== + +| +[[field-elf-byte-order]] +<> + +| Byte sequence of ELF file. + +type: keyword + + + +example: `Little Endian` + +| extended + +// =============================================================== + +| +[[field-elf-cpu-type]] +<> + +| CPU type of the ELF file. + +type: keyword + + + +example: `Intel` + +| extended + +// =============================================================== + +| +[[field-elf-creation-date]] +<> + +| Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. + +type: date + + + + + +| extended + +// =============================================================== + +| +[[field-elf-exports]] +<> + +| List of exported element names and types. + +type: flattened + + +Note: this field should contain an array of values. + + + + + +| extended + +// =============================================================== + +| +[[field-elf-header-abi-version]] +<> + +| Version of the ELF Application Binary Interface (ABI). + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-elf-header-class]] +<> + +| Header class of the ELF file. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-elf-header-data]] +<> + +| Data table of the ELF header. 
+ +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-elf-header-entrypoint]] +<> + +| Header entrypoint of the ELF file. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-elf-header-object-version]] +<> + +| "0x1" for original ELF files. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-elf-header-os-abi]] +<> + +| Application Binary Interface (ABI) of the Linux OS. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-elf-header-type]] +<> + +| Header type of the ELF file. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-elf-header-version]] +<> + +| Version of the ELF header. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-elf-imports]] +<> + +| List of imported element names and types. + +type: flattened + + +Note: this field should contain an array of values. + + + + + +| extended + +// =============================================================== + +| +[[field-elf-sections]] +<> + +| An array containing an object for each section of the ELF file. + +The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`. + +type: nested + + +Note: this field should contain an array of values. + + + + + +| extended + +// =============================================================== + +| +[[field-elf-sections-chi2]] +<> + +| Chi-square probability distribution of the section. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-elf-sections-entropy]] +<> + +| Shannon entropy calculation from the section. 
+ +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-elf-sections-flags]] +<> + +| ELF Section List flags. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-elf-sections-name]] +<> + +| ELF Section List name. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-elf-sections-physical-offset]] +<> + +| ELF Section List offset. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-elf-sections-physical-size]] +<> + +| ELF Section List physical size. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-elf-sections-type]] +<> + +| ELF Section List type. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-elf-sections-virtual-address]] +<> + +| ELF Section List virtual address. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-elf-sections-virtual-size]] +<> + +| ELF Section List virtual size. + +type: long + + + + + +| extended + +// =============================================================== + +| +[[field-elf-segments]] +<> + +| An array containing an object for each segment of the ELF file. + +The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`. + +type: nested + + +Note: this field should contain an array of values. + + + + + +| extended + +// =============================================================== + +| +[[field-elf-segments-sections]] +<> + +| ELF object segment sections. 
+ +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-elf-segments-type]] +<> + +| ELF object segment type. + +type: keyword + + + + + +| extended + +// =============================================================== + +| +[[field-elf-shared-libraries]] +<> + +| List of shared libraries used by this ELF object. + +type: keyword + + +Note: this field should contain an array of values. + + + + + +| extended + +// =============================================================== + +| +[[field-elf-telfhash]] +<> + +| telfhash symbol hash for ELF file. + +type: keyword + + + + + +| extended + +// =============================================================== + +|===== + +[discrete] +==== Field Reuse + +The `elf` fields are expected to be nested at: `file.elf`, `process.elf`. + +Note also that the `elf` fields are not expected to be used directly at the root of the events. + + + + [[ecs-error]] === Error Fields @@ -2874,6 +3385,14 @@ example: `1001` // =============================================================== +| <> +| `file.elf.*`| beta:[ This field reuse is beta and subject to change.] + +These fields contain Linux Executable Linkable Format (ELF) metadata. + +// =============================================================== + + | <> | `file.hash.*` | Hashes, usually file hashes. @@ -5874,6 +6393,14 @@ Note also that the `process` fields may be used directly at the root of the even // =============================================================== +| <> +| `process.elf.*`| beta:[ This field reuse is beta and subject to change.] + +These fields contain Linux Executable Linkable Format (ELF) metadata. + +// =============================================================== + + | <> | `process.hash.*` | Hashes, usually file hashes. diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index a9adf96872..5da8f2d9d1 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc 
@@ -42,6 +42,8 @@ all fields are defined. | <> | Meta-information specific to ECS. +| <> | These fields contain Linux Executable Linkable Format (ELF) metadata. + | <> | Fields about errors of any kind. | <> | Fields breaking down the event details. diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index f2c68b783f..62af39687f 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1538,7 +1538,7 @@ type: keyword ignore_above: 1024 description: Byte sequence of ELF file. - example: Little Endian, Big Endian + example: Little Endian default_field: false - name: cpu_type level: extended @@ -1614,7 +1614,10 @@ - name: sections level: extended type: nested - description: Section information of the ELF file. + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' default_field: false - name: sections.chi2 level: extended @@ -1673,7 +1676,10 @@ - name: segments level: extended type: nested - description: ELF object segment list. + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - name: segments.sections level: extended @@ -1691,14 +1697,13 @@ level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object + description: List of shared libraries used by this ELF object. default_field: false - name: telfhash level: extended type: keyword ignore_above: 1024 - description: telfhash is symbol hash for ELF files, just like imphash is imports - hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + description: telfhash symbol hash for ELF file. default_field: false - name: error title: Error 
@@ -2169,7 +2174,7 @@ type: keyword ignore_above: 1024 description: Byte sequence of ELF file. - example: Little Endian, Big Endian + example: Little Endian default_field: false - name: elf.cpu_type level: extended @@ -2245,7 +2250,10 @@ - name: elf.sections level: extended type: nested - description: Section information of the ELF file. + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' default_field: false - name: elf.sections.chi2 level: extended @@ -2304,7 +2312,10 @@ - name: elf.segments level: extended type: nested - description: ELF object segment list. + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - name: elf.segments.sections level: extended @@ -2322,14 +2333,13 @@ level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object + description: List of shared libraries used by this ELF object. default_field: false - name: elf.telfhash level: extended type: keyword ignore_above: 1024 - description: telfhash is symbol hash for ELF files, just like imphash is imports - hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + description: telfhash symbol hash for ELF file. default_field: false - name: extension level: extended @@ -4759,7 +4769,7 @@ type: keyword ignore_above: 1024 description: Byte sequence of ELF file. - example: Little Endian, Big Endian + example: Little Endian default_field: false - name: elf.cpu_type level: extended 
@@ -4835,7 +4845,10 @@ - name: elf.sections level: extended type: nested - description: Section information of the ELF file. + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' default_field: false - name: elf.sections.chi2 level: extended @@ -4894,7 +4907,10 @@ - name: elf.segments level: extended type: nested - description: ELF object segment list. + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - name: elf.segments.sections level: extended @@ -4912,14 +4928,13 @@ level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object + description: List of shared libraries used by this ELF object. default_field: false - name: elf.telfhash level: extended type: keyword ignore_above: 1024 - description: telfhash is symbol hash for ELF files, just like imphash is imports - hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + description: telfhash symbol hash for ELF file. default_field: false - name: entity_id level: extended @@ -5100,7 +5115,7 @@ type: keyword ignore_above: 1024 description: Byte sequence of ELF file. - example: Little Endian, Big Endian + example: Little Endian default_field: false - name: parent.elf.cpu_type level: extended @@ -5176,7 +5191,10 @@ - name: parent.elf.sections level: extended type: nested - description: Section information of the ELF file. + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' default_field: false - name: parent.elf.sections.chi2 level: extended 
@@ -5235,7 +5253,10 @@ - name: parent.elf.segments level: extended type: nested - description: ELF object segment list. + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - name: parent.elf.segments.sections level: extended @@ -5253,14 +5274,13 @@ level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object + description: List of shared libraries used by this ELF object. default_field: false - name: parent.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: telfhash is symbol hash for ELF files, just like imphash is imports - hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + description: telfhash symbol hash for ELF file. default_field: false - name: parent.entity_id level: extended 
@@ -7055,6 +7075,185 @@ The value should be uppercase, and not include the colon.' example: C default_field: false + - name: indicator.file.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: indicator.file.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: indicator.file.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: indicator.file.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: indicator.file.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: indicator.file.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: indicator.file.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: indicator.file.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: indicator.file.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: indicator.file.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' 
+ default_field: false + - name: indicator.file.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: indicator.file.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: indicator.file.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: indicator.file.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: indicator.file.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: indicator.file.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: indicator.file.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: indicator.file.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: indicator.file.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: indicator.file.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: indicator.file.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. 
+ default_field: false + - name: indicator.file.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: indicator.file.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: indicator.file.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: indicator.file.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: indicator.file.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: indicator.file.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: indicator.file.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: indicator.file.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false - name: indicator.file.extension level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index e606d2dc41..96285a3d77 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -222,10 +222,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
 2.0.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
 2.0.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-2.0.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file.
+2.0.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
 2.0.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
 2.0.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date.
-2.0.0-dev+exp,true,file,file.elf.exports,flattened,extended,,,List of exported element names and types.
+2.0.0-dev+exp,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types.
 2.0.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
 2.0.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file.
 2.0.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header.
@@ -234,8 +234,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
 2.0.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file.
 2.0.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header.
-2.0.0-dev+exp,true,file,file.elf.imports,flattened,extended,,,List of imported element names and types.
-2.0.0-dev+exp,true,file,file.elf.sections,nested,extended,,,Section information of the ELF file.
+2.0.0-dev+exp,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types.
+2.0.0-dev+exp,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file.
 2.0.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
 2.0.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
 2.0.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
@@ -245,11 +245,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type.
 2.0.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
 2.0.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-2.0.0-dev+exp,true,file,file.elf.segments,nested,extended,,,ELF object segment list.
+2.0.0-dev+exp,true,file,file.elf.segments,nested,extended,array,,ELF object segment list.
 2.0.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
 2.0.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type.
-2.0.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object
-2.0.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF files
+2.0.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+2.0.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
 2.0.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
 2.0.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 2.0.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
@@ -508,10 +508,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 2.0.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 2.0.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
-2.0.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file.
+2.0.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
 2.0.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
 2.0.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date.
-2.0.0-dev+exp,true,process,process.elf.exports,flattened,extended,,,List of exported element names and types.
+2.0.0-dev+exp,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types.
 2.0.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
 2.0.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file.
 2.0.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header.
@@ -520,8 +520,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
 2.0.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file.
 2.0.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header.
-2.0.0-dev+exp,true,process,process.elf.imports,flattened,extended,,,List of imported element names and types.
-2.0.0-dev+exp,true,process,process.elf.sections,nested,extended,,,Section information of the ELF file.
+2.0.0-dev+exp,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types.
+2.0.0-dev+exp,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file.
 2.0.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
 2.0.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
 2.0.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags.
@@ -531,11 +531,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type.
 2.0.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
 2.0.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
-2.0.0-dev+exp,true,process,process.elf.segments,nested,extended,,,ELF object segment list.
+2.0.0-dev+exp,true,process,process.elf.segments,nested,extended,array,,ELF object segment list.
 2.0.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections.
 2.0.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type.
-2.0.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object
-2.0.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF files
+2.0.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+2.0.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
 2.0.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
 2.0.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable.
 2.0.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable.
@@ -559,10 +559,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 2.0.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 2.0.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -2.0.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file. +2.0.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. 2.0.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 2.0.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -2.0.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,,,List of exported element names and types. +2.0.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. 2.0.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 2.0.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. 2.0.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. 
@@ -571,8 +571,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 2.0.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. 2.0.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -2.0.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,,,List of imported element names and types. -2.0.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,,,Section information of the ELF file. +2.0.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +2.0.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. 2.0.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 2.0.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 2.0.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. 
@@ -582,11 +582,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. 2.0.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 2.0.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -2.0.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,,,ELF object segment list. +2.0.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. 2.0.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. 2.0.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -2.0.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object -2.0.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF files +2.0.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +2.0.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 2.0.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 2.0.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. 2.0.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
@@ -828,6 +828,35 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. 2.0.0-dev+exp,true,threat,threat.indicator.file.directory,wildcard,extended,,/home/alice,Directory where the file is located. 2.0.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. 
+2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. 
+2.0.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 2.0.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." 2.0.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 2.0.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 47e425e7c7..ef0bd55bed 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -3145,7 +3145,7 @@ file.elf.architecture: file.elf.byte_order: dashed_name: file-elf-byte-order description: Byte sequence of ELF file. - example: Little Endian, Big Endian + example: Little Endian flat_name: file.elf.byte_order ignore_above: 1024 level: extended @@ -3183,7 +3183,8 @@ file.elf.exports: flat_name: file.elf.exports level: extended name: exports - normalize: [] + normalize: + - array original_fieldset: elf short: List of exported element names and types. type: flattened @@ -3281,17 +3282,22 @@ file.elf.imports: flat_name: file.elf.imports level: extended name: imports - normalize: [] + normalize: + - array original_fieldset: elf short: List of imported element names and types. type: flattened file.elf.sections: dashed_name: file-elf-sections - description: Section information of the ELF file. + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' flat_name: file.elf.sections level: extended name: sections - normalize: [] + normalize: + - array original_fieldset: elf short: Section information of the ELF file. type: nested 
@@ -3396,11 +3402,15 @@ file.elf.sections.virtual_size: type: long file.elf.segments: dashed_name: file-elf-segments - description: ELF object segment list. + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' flat_name: file.elf.segments level: extended name: segments - normalize: [] + normalize: + - array original_fieldset: elf short: ELF object segment list. type: nested @@ -3428,7 +3438,7 @@ file.elf.segments.type: type: keyword file.elf.shared_libraries: dashed_name: file-elf-shared-libraries - description: List of shared libraries used by this ELF object + description: List of shared libraries used by this ELF object. flat_name: file.elf.shared_libraries ignore_above: 1024 level: extended @@ -3436,19 +3446,18 @@ file.elf.shared_libraries: normalize: - array original_fieldset: elf - short: List of shared libraries used by this ELF object + short: List of shared libraries used by this ELF object. type: keyword file.elf.telfhash: dashed_name: file-elf-telfhash - description: telfhash is symbol hash for ELF files, just like imphash is imports - hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + description: telfhash symbol hash for ELF file. flat_name: file.elf.telfhash ignore_above: 1024 level: extended name: telfhash normalize: [] original_fieldset: elf - short: telfhash hash for ELF files + short: telfhash hash for ELF file. type: keyword file.extension: dashed_name: file-extension @@ -6566,7 +6575,7 @@ process.elf.architecture: process.elf.byte_order: dashed_name: process-elf-byte-order description: Byte sequence of ELF file. - example: Little Endian, Big Endian + example: Little Endian flat_name: process.elf.byte_order ignore_above: 1024 level: extended 
@@ -6604,7 +6613,8 @@ process.elf.exports: flat_name: process.elf.exports level: extended name: exports - normalize: [] + normalize: + - array original_fieldset: elf short: List of exported element names and types. type: flattened @@ -6702,17 +6712,22 @@ process.elf.imports: flat_name: process.elf.imports level: extended name: imports - normalize: [] + normalize: + - array original_fieldset: elf short: List of imported element names and types. type: flattened process.elf.sections: dashed_name: process-elf-sections - description: Section information of the ELF file. + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' flat_name: process.elf.sections level: extended name: sections - normalize: [] + normalize: + - array original_fieldset: elf short: Section information of the ELF file. type: nested @@ -6817,11 +6832,15 @@ process.elf.sections.virtual_size: type: long process.elf.segments: dashed_name: process-elf-segments - description: ELF object segment list. + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' flat_name: process.elf.segments level: extended name: segments - normalize: [] + normalize: + - array original_fieldset: elf short: ELF object segment list. type: nested @@ -6849,7 +6868,7 @@ process.elf.segments.type: type: keyword process.elf.shared_libraries: dashed_name: process-elf-shared-libraries - description: List of shared libraries used by this ELF object + description: List of shared libraries used by this ELF object. flat_name: process.elf.shared_libraries ignore_above: 1024 level: extended 
@@ -6857,19 +6876,18 @@ process.elf.shared_libraries: normalize: - array original_fieldset: elf - short: List of shared libraries used by this ELF object + short: List of shared libraries used by this ELF object. type: keyword process.elf.telfhash: dashed_name: process-elf-telfhash - description: telfhash is symbol hash for ELF files, just like imphash is imports - hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + description: telfhash symbol hash for ELF file. flat_name: process.elf.telfhash ignore_above: 1024 level: extended name: telfhash normalize: [] original_fieldset: elf - short: telfhash hash for ELF files + short: telfhash hash for ELF file. type: keyword process.entity_id: dashed_name: process-entity-id @@ -7153,7 +7171,7 @@ process.parent.elf.architecture: process.parent.elf.byte_order: dashed_name: process-parent-elf-byte-order description: Byte sequence of ELF file. - example: Little Endian, Big Endian + example: Little Endian flat_name: process.parent.elf.byte_order ignore_above: 1024 level: extended @@ -7191,7 +7209,8 @@ process.parent.elf.exports: flat_name: process.parent.elf.exports level: extended name: exports - normalize: [] + normalize: + - array original_fieldset: elf short: List of exported element names and types. type: flattened 
@@ -7289,17 +7308,22 @@ process.parent.elf.imports: flat_name: process.parent.elf.imports level: extended name: imports - normalize: [] + normalize: + - array original_fieldset: elf short: List of imported element names and types. type: flattened process.parent.elf.sections: dashed_name: process-parent-elf-sections - description: Section information of the ELF file. + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' flat_name: process.parent.elf.sections level: extended name: sections - normalize: [] + normalize: + - array original_fieldset: elf short: Section information of the ELF file. type: nested @@ -7404,11 +7428,15 @@ process.parent.elf.sections.virtual_size: type: long process.parent.elf.segments: dashed_name: process-parent-elf-segments - description: ELF object segment list. + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' flat_name: process.parent.elf.segments level: extended name: segments - normalize: [] + normalize: + - array original_fieldset: elf short: ELF object segment list. type: nested @@ -7436,7 +7464,7 @@ process.parent.elf.segments.type: type: keyword process.parent.elf.shared_libraries: dashed_name: process-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object + description: List of shared libraries used by this ELF object. flat_name: process.parent.elf.shared_libraries ignore_above: 1024 level: extended 
@@ -7444,19 +7472,18 @@ process.parent.elf.shared_libraries: normalize: - array original_fieldset: elf - short: List of shared libraries used by this ELF object + short: List of shared libraries used by this ELF object. type: keyword process.parent.elf.telfhash: dashed_name: process-parent-elf-telfhash - description: telfhash is symbol hash for ELF files, just like imphash is imports - hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + description: telfhash symbol hash for ELF file. flat_name: process.parent.elf.telfhash ignore_above: 1024 level: extended name: telfhash normalize: [] original_fieldset: elf - short: telfhash hash for ELF files + short: telfhash hash for ELF file. type: keyword process.parent.entity_id: dashed_name: process-parent-entity-id 
@@ -10354,6 +10381,335 @@ threat.indicator.file.drive_letter: original_fieldset: file short: Drive letter where the file is located. type: keyword +threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.indicator.file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.indicator.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.indicator.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: threat.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened +threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.indicator.file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.indicator.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.indicator.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.indicator.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.indicator.file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' 
+ type: keyword +threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.indicator.file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.indicator.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.indicator.file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: threat.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. 
+ type: nested +threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.indicator.file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.indicator.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.indicator.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. 
+ type: keyword +threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.indicator.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: threat.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested +threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.indicator.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.indicator.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.indicator.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.indicator.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword threat.indicator.file.extension: dashed_name: threat-indicator-file-extension description: 'File extension, excluding the leading dot. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 83244a4a5b..7433479948 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -2570,6 +2570,7 @@ ecs: title: ECS type: group elf: + beta: These fields are in beta and are subject to change. description: These fields contain Linux Executable Linkable Format (ELF) metadata. fields: elf.architecture: @@ -2586,7 +2587,7 @@ elf: elf.byte_order: dashed_name: elf-byte-order description: Byte sequence of ELF file. - example: Little Endian, Big Endian + example: Little Endian flat_name: elf.byte_order ignore_above: 1024 level: extended @@ -2621,7 +2622,8 @@ elf: flat_name: elf.exports level: extended name: exports - normalize: [] + normalize: + - array short: List of exported element names and types. type: flattened elf.header.abi_version: @@ -2710,16 +2712,21 @@ elf: flat_name: elf.imports level: extended name: imports - normalize: [] + normalize: + - array short: List of imported element names and types. type: flattened elf.sections: dashed_name: elf-sections - description: Section information of the ELF file. + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' flat_name: elf.sections level: extended name: sections - normalize: [] + normalize: + - array short: Section information of the ELF file. type: nested elf.sections.chi2: @@ -2814,11 +2821,15 @@ elf: type: long elf.segments: dashed_name: elf-segments - description: ELF object segment list. + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' flat_name: elf.segments level: extended name: segments - normalize: [] + normalize: + - array short: ELF object segment list. type: nested elf.segments.sections: 
@@ -2843,25 +2854,24 @@ elf: type: keyword elf.shared_libraries: dashed_name: elf-shared-libraries - description: List of shared libraries used by this ELF object + description: List of shared libraries used by this ELF object. flat_name: elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries normalize: - array - short: List of shared libraries used by this ELF object + short: List of shared libraries used by this ELF object. type: keyword elf.telfhash: dashed_name: elf-telfhash - description: telfhash is symbol hash for ELF files, just like imphash is imports - hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + description: telfhash symbol hash for ELF file. flat_name: elf.telfhash ignore_above: 1024 level: extended name: telfhash normalize: [] - short: telfhash hash for ELF files + short: telfhash hash for ELF file. type: keyword group: 2 name: elf @@ -2870,9 +2880,11 @@ elf: expected: - as: elf at: file + beta: This field reuse is beta and subject to change. full: file.elf - as: elf at: process + beta: This field reuse is beta and subject to change. full: process.elf top_level: false short: These fields contain Linux Executable Linkable Format (ELF) metadata. @@ -3935,7 +3947,7 @@ file: file.elf.byte_order: dashed_name: file-elf-byte-order description: Byte sequence of ELF file. - example: Little Endian, Big Endian + example: Little Endian flat_name: file.elf.byte_order ignore_above: 1024 level: extended @@ -3973,7 +3985,8 @@ file: flat_name: file.elf.exports level: extended name: exports - normalize: [] + normalize: + - array original_fieldset: elf short: List of exported element names and types. type: flattened 
@@ -4071,17 +4084,22 @@ file: flat_name: file.elf.imports level: extended name: imports - normalize: [] + normalize: + - array original_fieldset: elf short: List of imported element names and types. type: flattened file.elf.sections: dashed_name: file-elf-sections - description: Section information of the ELF file. + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' flat_name: file.elf.sections level: extended name: sections - normalize: [] + normalize: + - array original_fieldset: elf short: Section information of the ELF file. type: nested @@ -4186,11 +4204,15 @@ file: type: long file.elf.segments: dashed_name: file-elf-segments - description: ELF object segment list. + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' flat_name: file.elf.segments level: extended name: segments - normalize: [] + normalize: + - array original_fieldset: elf short: ELF object segment list. type: nested @@ -4218,7 +4240,7 @@ file: type: keyword file.elf.shared_libraries: dashed_name: file-elf-shared-libraries - description: List of shared libraries used by this ELF object + description: List of shared libraries used by this ELF object. flat_name: file.elf.shared_libraries ignore_above: 1024 level: extended 
@@ -4226,19 +4248,18 @@ file: normalize: - array original_fieldset: elf - short: List of shared libraries used by this ELF object + short: List of shared libraries used by this ELF object. type: keyword file.elf.telfhash: dashed_name: file-elf-telfhash - description: telfhash is symbol hash for ELF files, just like imphash is imports - hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + description: telfhash symbol hash for ELF file. flat_name: file.elf.telfhash ignore_above: 1024 level: extended name: telfhash normalize: [] original_fieldset: elf - short: telfhash hash for ELF files + short: telfhash hash for ELF file. type: keyword file.extension: dashed_name: file-extension @@ -5243,6 +5264,10 @@ file: - full: file.code_signature schema_name: code_signature short: These fields contain information about binary code signatures. + - beta: This field reuse is beta and subject to change. + full: file.elf + schema_name: elf + short: These fields contain Linux Executable Linkable Format (ELF) metadata. - full: file.hash schema_name: hash short: Hashes, usually file hashes. @@ -5252,9 +5277,6 @@ file: - full: file.x509 schema_name: x509 short: These fields contain x509 certificate metadata. - - full: file.elf - schema_name: elf - short: These fields contain Linux Executable Linkable Format (ELF) metadata. short: Fields describing files. title: File type: group @@ -8422,7 +8444,7 @@ process: process.elf.byte_order: dashed_name: process-elf-byte-order description: Byte sequence of ELF file. - example: Little Endian, Big Endian + example: Little Endian flat_name: process.elf.byte_order ignore_above: 1024 level: extended @@ -8460,7 +8482,8 @@ process: flat_name: process.elf.exports level: extended name: exports - normalize: [] + normalize: + - array original_fieldset: elf short: List of exported element names and types. type: flattened 
@@ -8558,17 +8581,22 @@ process: flat_name: process.elf.imports level: extended name: imports - normalize: [] + normalize: + - array original_fieldset: elf short: List of imported element names and types. type: flattened process.elf.sections: dashed_name: process-elf-sections - description: Section information of the ELF file. + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' flat_name: process.elf.sections level: extended name: sections - normalize: [] + normalize: + - array original_fieldset: elf short: Section information of the ELF file. type: nested @@ -8673,11 +8701,15 @@ process: type: long process.elf.segments: dashed_name: process-elf-segments - description: ELF object segment list. + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' flat_name: process.elf.segments level: extended name: segments - normalize: [] + normalize: + - array original_fieldset: elf short: ELF object segment list. type: nested @@ -8705,7 +8737,7 @@ process: type: keyword process.elf.shared_libraries: dashed_name: process-elf-shared-libraries - description: List of shared libraries used by this ELF object + description: List of shared libraries used by this ELF object. flat_name: process.elf.shared_libraries ignore_above: 1024 level: extended 
@@ -8713,19 +8745,18 @@ process: normalize: - array original_fieldset: elf - short: List of shared libraries used by this ELF object + short: List of shared libraries used by this ELF object. type: keyword process.elf.telfhash: dashed_name: process-elf-telfhash - description: telfhash is symbol hash for ELF files, just like imphash is imports - hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + description: telfhash symbol hash for ELF file. flat_name: process.elf.telfhash ignore_above: 1024 level: extended name: telfhash normalize: [] original_fieldset: elf - short: telfhash hash for ELF files + short: telfhash hash for ELF file. type: keyword process.entity_id: dashed_name: process-entity-id @@ -9009,7 +9040,7 @@ process: process.parent.elf.byte_order: dashed_name: process-parent-elf-byte-order description: Byte sequence of ELF file. - example: Little Endian, Big Endian + example: Little Endian flat_name: process.parent.elf.byte_order ignore_above: 1024 level: extended @@ -9047,7 +9078,8 @@ process: flat_name: process.parent.elf.exports level: extended name: exports - normalize: [] + normalize: + - array original_fieldset: elf short: List of exported element names and types. type: flattened @@ -9145,17 +9177,22 @@ process: flat_name: process.parent.elf.imports level: extended name: imports - normalize: [] + normalize: + - array original_fieldset: elf short: List of imported element names and types. type: flattened process.parent.elf.sections: dashed_name: process-parent-elf-sections - description: Section information of the ELF file. + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' flat_name: process.parent.elf.sections level: extended name: sections - normalize: [] + normalize: + - array original_fieldset: elf short: Section information of the ELF file. type: nested 
@@ -9260,11 +9297,15 @@ process: type: long process.parent.elf.segments: dashed_name: process-parent-elf-segments - description: ELF object segment list. + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' flat_name: process.parent.elf.segments level: extended name: segments - normalize: [] + normalize: + - array original_fieldset: elf short: ELF object segment list. type: nested @@ -9292,7 +9333,7 @@ process: type: keyword process.parent.elf.shared_libraries: dashed_name: process-parent-elf-shared-libraries - description: List of shared libraries used by this ELF object + description: List of shared libraries used by this ELF object. flat_name: process.parent.elf.shared_libraries ignore_above: 1024 level: extended @@ -9300,19 +9341,18 @@ process: normalize: - array original_fieldset: elf - short: List of shared libraries used by this ELF object + short: List of shared libraries used by this ELF object. type: keyword process.parent.elf.telfhash: dashed_name: process-parent-elf-telfhash - description: telfhash is symbol hash for ELF files, just like imphash is imports - hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + description: telfhash symbol hash for ELF file. flat_name: process.parent.elf.telfhash ignore_above: 1024 level: extended name: telfhash normalize: [] original_fieldset: elf - short: telfhash hash for ELF files + short: telfhash hash for ELF file. type: keyword process.parent.entity_id: dashed_name: process-parent-entity-id 
@@ -10594,15 +10634,16 @@ process:
 - full: process.code_signature
 schema_name: code_signature
 short: These fields contain information about binary code signatures.
+ - beta: This field reuse is beta and subject to change.
+ full: process.elf
+ schema_name: elf
+ short: These fields contain Linux Executable Linkable Format (ELF) metadata.
 - full: process.hash
 schema_name: hash
 short: Hashes, usually file hashes.
 - full: process.pe
 schema_name: pe
 short: These fields contain Windows Portable Executable (PE) metadata.
- - full: process.elf
- schema_name: elf
- short: These fields contain Linux Executable Linkable Format (ELF) metadata.
 - full: process.parent
 schema_name: process
 short: Information about the parent process.
@@ -12362,6 +12403,335 @@ threat:
 original_fieldset: file
 short: Drive letter where the file is located.
 type: keyword
+ threat.indicator.file.elf.architecture:
+ dashed_name: threat-indicator-file-elf-architecture
+ description: Machine architecture of the ELF file.
+ example: x86-64
+ flat_name: threat.indicator.file.elf.architecture
+ ignore_above: 1024
+ level: extended
+ name: architecture
+ normalize: []
+ original_fieldset: elf
+ short: Machine architecture of the ELF file.
+ type: keyword
+ threat.indicator.file.elf.byte_order:
+ dashed_name: threat-indicator-file-elf-byte-order
+ description: Byte sequence of ELF file.
+ example: Little Endian
+ flat_name: threat.indicator.file.elf.byte_order
+ ignore_above: 1024
+ level: extended
+ name: byte_order
+ normalize: []
+ original_fieldset: elf
+ short: Byte sequence of ELF file.
+ type: keyword
+ threat.indicator.file.elf.cpu_type:
+ dashed_name: threat-indicator-file-elf-cpu-type
+ description: CPU type of the ELF file.
+ example: Intel
+ flat_name: threat.indicator.file.elf.cpu_type
+ ignore_above: 1024
+ level: extended
+ name: cpu_type
+ normalize: []
+ original_fieldset: elf
+ short: CPU type of the ELF file.
+ type: keyword
+ threat.indicator.file.elf.creation_date:
+ dashed_name: threat-indicator-file-elf-creation-date
+ description: Extracted when possible from the file's metadata. Indicates when
+ it was built or compiled. It can also be faked by malware creators.
+ flat_name: threat.indicator.file.elf.creation_date
+ level: extended
+ name: creation_date
+ normalize: []
+ original_fieldset: elf
+ short: Build or compile date.
+ type: date
+ threat.indicator.file.elf.exports:
+ dashed_name: threat-indicator-file-elf-exports
+ description: List of exported element names and types.
+ flat_name: threat.indicator.file.elf.exports
+ level: extended
+ name: exports
+ normalize:
+ - array
+ original_fieldset: elf
+ short: List of exported element names and types.
+ type: flattened
+ threat.indicator.file.elf.header.abi_version:
+ dashed_name: threat-indicator-file-elf-header-abi-version
+ description: Version of the ELF Application Binary Interface (ABI).
+ flat_name: threat.indicator.file.elf.header.abi_version
+ ignore_above: 1024
+ level: extended
+ name: header.abi_version
+ normalize: []
+ original_fieldset: elf
+ short: Version of the ELF Application Binary Interface (ABI).
+ type: keyword
+ threat.indicator.file.elf.header.class:
+ dashed_name: threat-indicator-file-elf-header-class
+ description: Header class of the ELF file.
+ flat_name: threat.indicator.file.elf.header.class
+ ignore_above: 1024
+ level: extended
+ name: header.class
+ normalize: []
+ original_fieldset: elf
+ short: Header class of the ELF file.
+ type: keyword
+ threat.indicator.file.elf.header.data:
+ dashed_name: threat-indicator-file-elf-header-data
+ description: Data table of the ELF header.
+ flat_name: threat.indicator.file.elf.header.data
+ ignore_above: 1024
+ level: extended
+ name: header.data
+ normalize: []
+ original_fieldset: elf
+ short: Data table of the ELF header.
+ type: keyword
+ threat.indicator.file.elf.header.entrypoint:
+ dashed_name: threat-indicator-file-elf-header-entrypoint
+ description: Header entrypoint of the ELF file.
+ flat_name: threat.indicator.file.elf.header.entrypoint
+ format: string
+ level: extended
+ name: header.entrypoint
+ normalize: []
+ original_fieldset: elf
+ short: Header entrypoint of the ELF file.
+ type: long
+ threat.indicator.file.elf.header.object_version:
+ dashed_name: threat-indicator-file-elf-header-object-version
+ description: '"0x1" for original ELF files.'
+ flat_name: threat.indicator.file.elf.header.object_version
+ ignore_above: 1024
+ level: extended
+ name: header.object_version
+ normalize: []
+ original_fieldset: elf
+ short: '"0x1" for original ELF files.'
+ type: keyword
+ threat.indicator.file.elf.header.os_abi:
+ dashed_name: threat-indicator-file-elf-header-os-abi
+ description: Application Binary Interface (ABI) of the Linux OS.
+ flat_name: threat.indicator.file.elf.header.os_abi
+ ignore_above: 1024
+ level: extended
+ name: header.os_abi
+ normalize: []
+ original_fieldset: elf
+ short: Application Binary Interface (ABI) of the Linux OS.
+ type: keyword
+ threat.indicator.file.elf.header.type:
+ dashed_name: threat-indicator-file-elf-header-type
+ description: Header type of the ELF file.
+ flat_name: threat.indicator.file.elf.header.type
+ ignore_above: 1024
+ level: extended
+ name: header.type
+ normalize: []
+ original_fieldset: elf
+ short: Header type of the ELF file.
+ type: keyword
+ threat.indicator.file.elf.header.version:
+ dashed_name: threat-indicator-file-elf-header-version
+ description: Version of the ELF header.
+ flat_name: threat.indicator.file.elf.header.version
+ ignore_above: 1024
+ level: extended
+ name: header.version
+ normalize: []
+ original_fieldset: elf
+ short: Version of the ELF header.
+ type: keyword
+ threat.indicator.file.elf.imports:
+ dashed_name: threat-indicator-file-elf-imports
+ description: List of imported element names and types.
+ flat_name: threat.indicator.file.elf.imports
+ level: extended
+ name: imports
+ normalize:
+ - array
+ original_fieldset: elf
+ short: List of imported element names and types.
+ type: flattened
+ threat.indicator.file.elf.sections:
+ dashed_name: threat-indicator-file-elf-sections
+ description: 'An array containing an object for each section of the ELF file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `elf.sections.*`.'
+ flat_name: threat.indicator.file.elf.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: elf
+ short: Section information of the ELF file.
+ type: nested
+ threat.indicator.file.elf.sections.chi2:
+ dashed_name: threat-indicator-file-elf-sections-chi2
+ description: Chi-square probability distribution of the section.
+ flat_name: threat.indicator.file.elf.sections.chi2
+ format: number
+ level: extended
+ name: sections.chi2
+ normalize: []
+ original_fieldset: elf
+ short: Chi-square probability distribution of the section.
+ type: long
+ threat.indicator.file.elf.sections.entropy:
+ dashed_name: threat-indicator-file-elf-sections-entropy
+ description: Shannon entropy calculation from the section.
+ flat_name: threat.indicator.file.elf.sections.entropy
+ format: number
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: elf
+ short: Shannon entropy calculation from the section.
+ type: long
+ threat.indicator.file.elf.sections.flags:
+ dashed_name: threat-indicator-file-elf-sections-flags
+ description: ELF Section List flags.
+ flat_name: threat.indicator.file.elf.sections.flags
+ ignore_above: 1024
+ level: extended
+ name: sections.flags
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List flags.
+ type: keyword
+ threat.indicator.file.elf.sections.name:
+ dashed_name: threat-indicator-file-elf-sections-name
+ description: ELF Section List name.
+ flat_name: threat.indicator.file.elf.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List name.
+ type: keyword
+ threat.indicator.file.elf.sections.physical_offset:
+ dashed_name: threat-indicator-file-elf-sections-physical-offset
+ description: ELF Section List offset.
+ flat_name: threat.indicator.file.elf.sections.physical_offset
+ ignore_above: 1024
+ level: extended
+ name: sections.physical_offset
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List offset.
+ type: keyword
+ threat.indicator.file.elf.sections.physical_size:
+ dashed_name: threat-indicator-file-elf-sections-physical-size
+ description: ELF Section List physical size.
+ flat_name: threat.indicator.file.elf.sections.physical_size
+ format: bytes
+ level: extended
+ name: sections.physical_size
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List physical size.
+ type: long
+ threat.indicator.file.elf.sections.type:
+ dashed_name: threat-indicator-file-elf-sections-type
+ description: ELF Section List type.
+ flat_name: threat.indicator.file.elf.sections.type
+ ignore_above: 1024
+ level: extended
+ name: sections.type
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List type.
+ type: keyword
+ threat.indicator.file.elf.sections.virtual_address:
+ dashed_name: threat-indicator-file-elf-sections-virtual-address
+ description: ELF Section List virtual address.
+ flat_name: threat.indicator.file.elf.sections.virtual_address
+ format: string
+ level: extended
+ name: sections.virtual_address
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List virtual address.
+ type: long
+ threat.indicator.file.elf.sections.virtual_size:
+ dashed_name: threat-indicator-file-elf-sections-virtual-size
+ description: ELF Section List virtual size.
+ flat_name: threat.indicator.file.elf.sections.virtual_size
+ format: string
+ level: extended
+ name: sections.virtual_size
+ normalize: []
+ original_fieldset: elf
+ short: ELF Section List virtual size.
+ type: long
+ threat.indicator.file.elf.segments:
+ dashed_name: threat-indicator-file-elf-segments
+ description: 'An array containing an object for each segment of the ELF file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `elf.segments.*`.'
+ flat_name: threat.indicator.file.elf.segments
+ level: extended
+ name: segments
+ normalize:
+ - array
+ original_fieldset: elf
+ short: ELF object segment list.
+ type: nested
+ threat.indicator.file.elf.segments.sections:
+ dashed_name: threat-indicator-file-elf-segments-sections
+ description: ELF object segment sections.
+ flat_name: threat.indicator.file.elf.segments.sections
+ ignore_above: 1024
+ level: extended
+ name: segments.sections
+ normalize: []
+ original_fieldset: elf
+ short: ELF object segment sections.
+ type: keyword
+ threat.indicator.file.elf.segments.type:
+ dashed_name: threat-indicator-file-elf-segments-type
+ description: ELF object segment type.
+ flat_name: threat.indicator.file.elf.segments.type
+ ignore_above: 1024
+ level: extended
+ name: segments.type
+ normalize: []
+ original_fieldset: elf
+ short: ELF object segment type.
+ type: keyword
+ threat.indicator.file.elf.shared_libraries:
+ dashed_name: threat-indicator-file-elf-shared-libraries
+ description: List of shared libraries used by this ELF object.
+ flat_name: threat.indicator.file.elf.shared_libraries
+ ignore_above: 1024
+ level: extended
+ name: shared_libraries
+ normalize:
+ - array
+ original_fieldset: elf
+ short: List of shared libraries used by this ELF object.
+ type: keyword
+ threat.indicator.file.elf.telfhash:
+ dashed_name: threat-indicator-file-elf-telfhash
+ description: telfhash symbol hash for ELF file.
+ flat_name: threat.indicator.file.elf.telfhash
+ ignore_above: 1024
+ level: extended
+ name: telfhash
+ normalize: []
+ original_fieldset: elf
+ short: telfhash hash for ELF file.
+ type: keyword
 threat.indicator.file.extension:
 dashed_name: threat-indicator-file-extension
 description: 'File extension, excluding the leading dot.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index e95282fb92..ed0e238b76 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -3742,6 +3742,123 @@
 "ignore_above": 1,
 "type": "keyword"
 },
+ "elf": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "byte_order": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cpu_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "creation_date": {
+ "type": "date"
+ },
+ "exports": {
+ "type": "flattened"
+ },
+ "header": {
+ "properties": {
+ "abi_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "class": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "data": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "entrypoint": {
+ "type": "long"
+ },
+ "object_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os_abi": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "sections": {
+ "properties": {
+ "chi2": {
+ "type": "long"
+ },
+ "entropy": {
+ "type": "long"
+ },
+ "flags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_offset": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "virtual_address": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ },
+ "segments": {
+ "properties": {
+ "sections": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ },
+ "type": "nested"
+ },
+ "shared_libraries": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "telfhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "extension": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json
index c4a3056201..123ee68bdc 100644
--- a/experimental/generated/elasticsearch/component/threat.json
+++ b/experimental/generated/elasticsearch/component/threat.json
@@ -132,6 +132,123 @@
 "ignore_above": 1,
 "type": "keyword"
 },
+ "elf": {
+ "properties": {
+ "architecture": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "byte_order": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cpu_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "creation_date": {
+ "type": "date"
+ },
+ "exports": {
+ "type": "flattened"
+ },
+ "header": {
+ "properties": {
+ "abi_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "class": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "data": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "entrypoint": {
+ "type": "long"
+ },
+ "object_version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os_abi": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "imports": {
+ "type": "flattened"
+ },
+ "sections": {
+ "properties": {
+ "chi2": {
+ "type": "long"
+ },
+ "entropy": {
+ "type": "long"
+ },
+ "flags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_offset": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "physical_size": {
+ "type": "long"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "virtual_address": {
+ "type": "long"
+ },
+ "virtual_size": {
+ "type": "long"
+ }
+ },
+ "type": "nested"
+ },
+ "segments": {
+ "properties": {
+ "sections": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ },
+ "type": "nested"
+ },
+ "shared_libraries": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "telfhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "extension": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 3067eab765..afca29826a 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1329,6 +1329,191 @@ ECS versions -- this field lets integrations adjust to the schema version of the events.' example: 1.0.0 + - name: elf + title: ELF Header + group: 2 + description: These fields contain Linux Executable Linkable Format (ELF) metadata. + type: group + fields: + - name: architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' 
+ default_field: false
+ - name: header.os_abi
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Application Binary Interface (ABI) of the Linux OS.
+ default_field: false
+ - name: header.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Header type of the ELF file.
+ default_field: false
+ - name: header.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Version of the ELF header.
+ default_field: false
+ - name: imports
+ level: extended
+ type: flattened
+ description: List of imported element names and types.
+ default_field: false
+ - name: sections
+ level: extended
+ type: nested
+ description: 'An array containing an object for each section of the ELF file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `elf.sections.*`.'
+ default_field: false
+ - name: sections.chi2
+ level: extended
+ type: long
+ format: number
+ description: Chi-square probability distribution of the section.
+ default_field: false
+ - name: sections.entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the section.
+ default_field: false
+ - name: sections.flags
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF Section List flags.
+ default_field: false
+ - name: sections.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF Section List name.
+ default_field: false
+ - name: sections.physical_offset
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF Section List offset.
+ default_field: false
+ - name: sections.physical_size
+ level: extended
+ type: long
+ format: bytes
+ description: ELF Section List physical size.
+ default_field: false
+ - name: sections.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF Section List type.
+ default_field: false
+ - name: sections.virtual_address
+ level: extended
+ type: long
+ format: string
+ description: ELF Section List virtual address.
+ default_field: false
+ - name: sections.virtual_size
+ level: extended
+ type: long
+ format: string
+ description: ELF Section List virtual size.
+ default_field: false
+ - name: segments
+ level: extended
+ type: nested
+ description: 'An array containing an object for each segment of the ELF file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `elf.segments.*`.'
+ default_field: false
+ - name: segments.sections
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF object segment sections.
+ default_field: false
+ - name: segments.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF object segment type.
+ default_field: false
+ - name: shared_libraries
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: List of shared libraries used by this ELF object.
+ default_field: false
+ - name: telfhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: telfhash symbol hash for ELF file.
+ default_field: false
 - name: error
 title: Error
 group: 2
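Review bot: `sections.entropy` and `sections.chi2` are mapped as `type: long` (with `format: number`), which drops the fractional part of both statistics; a per-byte Shannon entropy is a real value in the 0–8 range, and packed- or encrypted-section heuristics usually threshold it at values such as 7.0–7.5, so a `long` collapses the useful range to a handful of integers. Consider `type: float` (or `scaled_float`) for both and state the unit, e.g. `description: Shannon entropy of the section, in bits per byte (0-8).`. Relatedly, `header.entrypoint`, `sections.virtual_address` and `sections.virtual_size` are signed `long` while ELF64 stores these as unsigned 64-bit values, so an entry point or virtual address at or above 2^63 (typical of kernel-space images) would presumably be rejected at index time unless producers convert it first; Elasticsearch's `unsigned_long` (7.10+) or a hex `keyword`, which is what `sections.physical_offset` already uses, avoids that and makes the address fields consistent with each other. The path says this file is generated, so the change belongs in the `elf` schema source outside this diff; the same mappings recur in the `file.elf`, `process.elf` and `threat.indicator.file.elf` hunks.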
@@ -1790,6 +1975,185 @@
 The value should be uppercase, and not include the colon.'
 example: C
 default_field: false
+ - name: elf.architecture
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine architecture of the ELF file.
+ example: x86-64
+ default_field: false
+ - name: elf.byte_order
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Byte sequence of ELF file.
+ example: Little Endian
+ default_field: false
+ - name: elf.cpu_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: CPU type of the ELF file.
+ example: Intel
+ default_field: false
+ - name: elf.creation_date
+ level: extended
+ type: date
+ description: Extracted when possible from the file's metadata. Indicates when
+ it was built or compiled. It can also be faked by malware creators.
+ default_field: false
+ - name: elf.exports
+ level: extended
+ type: flattened
+ description: List of exported element names and types.
+ default_field: false
+ - name: elf.header.abi_version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Version of the ELF Application Binary Interface (ABI).
+ default_field: false
+ - name: elf.header.class
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Header class of the ELF file.
+ default_field: false
+ - name: elf.header.data
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Data table of the ELF header.
+ default_field: false
+ - name: elf.header.entrypoint
+ level: extended
+ type: long
+ format: string
+ description: Header entrypoint of the ELF file.
+ default_field: false
+ - name: elf.header.object_version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: '"0x1" for original ELF files.'
+ default_field: false
+ - name: elf.header.os_abi
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Application Binary Interface (ABI) of the Linux OS.
+ default_field: false
+ - name: elf.header.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Header type of the ELF file.
+ default_field: false
+ - name: elf.header.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Version of the ELF header.
+ default_field: false
+ - name: elf.imports
+ level: extended
+ type: flattened
+ description: List of imported element names and types.
+ default_field: false
+ - name: elf.sections
+ level: extended
+ type: nested
+ description: 'An array containing an object for each section of the ELF file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `elf.sections.*`.'
+ default_field: false
+ - name: elf.sections.chi2
+ level: extended
+ type: long
+ format: number
+ description: Chi-square probability distribution of the section.
+ default_field: false
+ - name: elf.sections.entropy
+ level: extended
+ type: long
+ format: number
+ description: Shannon entropy calculation from the section.
+ default_field: false
+ - name: elf.sections.flags
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF Section List flags.
+ default_field: false
+ - name: elf.sections.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF Section List name.
+ default_field: false
+ - name: elf.sections.physical_offset
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF Section List offset.
+ default_field: false
+ - name: elf.sections.physical_size
+ level: extended
+ type: long
+ format: bytes
+ description: ELF Section List physical size.
+ default_field: false
+ - name: elf.sections.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF Section List type.
+ default_field: false
+ - name: elf.sections.virtual_address
+ level: extended
+ type: long
+ format: string
+ description: ELF Section List virtual address.
+ default_field: false
+ - name: elf.sections.virtual_size
+ level: extended
+ type: long
+ format: string
+ description: ELF Section List virtual size.
+ default_field: false
+ - name: elf.segments
+ level: extended
+ type: nested
+ description: 'An array containing an object for each segment of the ELF file.
+
+ The keys that should be present in these objects are defined by sub-fields
+ underneath `elf.segments.*`.'
+ default_field: false
+ - name: elf.segments.sections
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF object segment sections.
+ default_field: false
+ - name: elf.segments.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: ELF object segment type.
+ default_field: false
+ - name: elf.shared_libraries
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: List of shared libraries used by this ELF object.
+ default_field: false
+ - name: elf.telfhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: telfhash symbol hash for ELF file.
+ default_field: false
 - name: extension
 level: extended
 type: keyword
@@ -3812,6 +4176,185 @@ Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false + - name: elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. 
+ default_field: false + - name: elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. 
+ default_field: false + - name: elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false - name: entity_id level: extended type: keyword 
@@ -3982,6 +4525,185 @@ Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false + - name: parent.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: parent.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: parent.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: parent.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: parent.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: parent.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: parent.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: parent.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: parent.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: parent.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' 
+ default_field: false + - name: parent.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: parent.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: parent.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: parent.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: parent.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: parent.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: parent.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: parent.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: parent.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: parent.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: parent.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. 
+ default_field: false + - name: parent.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: parent.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: parent.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: parent.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: parent.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: parent.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: parent.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: parent.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false - name: parent.entity_id level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 2ba05d75be..9cb1921949 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -190,6 +190,35 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. 2.0.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. 2.0.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +2.0.0-dev,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +2.0.0-dev,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +2.0.0-dev,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +2.0.0-dev,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +2.0.0-dev,true,file,file.elf.exports,flattened,extended,array,,List of exported element names and types. +2.0.0-dev,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +2.0.0-dev,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +2.0.0-dev,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +2.0.0-dev,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +2.0.0-dev,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +2.0.0-dev,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +2.0.0-dev,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +2.0.0-dev,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +2.0.0-dev,true,file,file.elf.imports,flattened,extended,array,,List of imported element names and types. +2.0.0-dev,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. 
+2.0.0-dev,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +2.0.0-dev,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +2.0.0-dev,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +2.0.0-dev,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +2.0.0-dev,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +2.0.0-dev,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +2.0.0-dev,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +2.0.0-dev,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +2.0.0-dev,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +2.0.0-dev,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +2.0.0-dev,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +2.0.0-dev,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +2.0.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +2.0.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 2.0.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." 2.0.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 2.0.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. 
@@ -416,6 +445,35 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 2.0.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 2.0.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +2.0.0-dev,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +2.0.0-dev,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +2.0.0-dev,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +2.0.0-dev,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +2.0.0-dev,true,process,process.elf.exports,flattened,extended,array,,List of exported element names and types. +2.0.0-dev,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +2.0.0-dev,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +2.0.0-dev,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +2.0.0-dev,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +2.0.0-dev,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +2.0.0-dev,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +2.0.0-dev,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +2.0.0-dev,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. 
+2.0.0-dev,true,process,process.elf.imports,flattened,extended,array,,List of imported element names and types. +2.0.0-dev,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +2.0.0-dev,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +2.0.0-dev,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +2.0.0-dev,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +2.0.0-dev,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +2.0.0-dev,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +2.0.0-dev,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +2.0.0-dev,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +2.0.0-dev,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +2.0.0-dev,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +2.0.0-dev,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +2.0.0-dev,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +2.0.0-dev,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. +2.0.0-dev,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +2.0.0-dev,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 2.0.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 2.0.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
2.0.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
@@ -438,6 +496,35 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 2.0.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 2.0.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +2.0.0-dev,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +2.0.0-dev,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +2.0.0-dev,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +2.0.0-dev,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +2.0.0-dev,true,process,process.parent.elf.exports,flattened,extended,array,,List of exported element names and types. +2.0.0-dev,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +2.0.0-dev,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +2.0.0-dev,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +2.0.0-dev,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +2.0.0-dev,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +2.0.0-dev,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +2.0.0-dev,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. 
+2.0.0-dev,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +2.0.0-dev,true,process,process.parent.elf.imports,flattened,extended,array,,List of imported element names and types. +2.0.0-dev,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +2.0.0-dev,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +2.0.0-dev,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +2.0.0-dev,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +2.0.0-dev,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +2.0.0-dev,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +2.0.0-dev,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +2.0.0-dev,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +2.0.0-dev,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +2.0.0-dev,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +2.0.0-dev,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +2.0.0-dev,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +2.0.0-dev,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. +2.0.0-dev,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +2.0.0-dev,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 2.0.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
2.0.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 2.0.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 3e8772e2b0..f0e93ec851 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -2782,6 +2782,335 @@ file.drive_letter: normalize: [] short: Drive letter where the file is located. type: keyword +file.elf.architecture: + dashed_name: file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +file.elf.byte_order: + dashed_name: file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +file.elf.cpu_type: + dashed_name: file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +file.elf.creation_date: + dashed_name: file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +file.elf.exports: + dashed_name: file-elf-exports + description: List of exported element names and types. + flat_name: file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +file.elf.header.abi_version: + dashed_name: file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). 
+ flat_name: file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +file.elf.header.class: + dashed_name: file-elf-header-class + description: Header class of the ELF file. + flat_name: file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +file.elf.header.data: + dashed_name: file-elf-header-data + description: Data table of the ELF header. + flat_name: file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +file.elf.header.entrypoint: + dashed_name: file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +file.elf.header.object_version: + dashed_name: file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +file.elf.header.os_abi: + dashed_name: file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +file.elf.header.type: + dashed_name: file-elf-header-type + description: Header type of the ELF file. 
+ flat_name: file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +file.elf.header.version: + dashed_name: file-elf-header-version + description: Version of the ELF header. + flat_name: file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +file.elf.imports: + dashed_name: file-elf-imports + description: List of imported element names and types. + flat_name: file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +file.elf.sections: + dashed_name: file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +file.elf.sections.chi2: + dashed_name: file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +file.elf.sections.entropy: + dashed_name: file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +file.elf.sections.flags: + dashed_name: file-elf-sections-flags + description: ELF Section List flags. 
+ flat_name: file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +file.elf.sections.name: + dashed_name: file-elf-sections-name + description: ELF Section List name. + flat_name: file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +file.elf.sections.physical_offset: + dashed_name: file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +file.elf.sections.physical_size: + dashed_name: file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +file.elf.sections.type: + dashed_name: file-elf-sections-type + description: ELF Section List type. + flat_name: file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +file.elf.sections.virtual_address: + dashed_name: file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +file.elf.sections.virtual_size: + dashed_name: file-elf-sections-virtual-size + description: ELF Section List virtual size. 
+ flat_name: file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +file.elf.segments: + dashed_name: file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +file.elf.segments.sections: + dashed_name: file-elf-segments-sections + description: ELF object segment sections. + flat_name: file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +file.elf.segments.type: + dashed_name: file-elf-segments-type + description: ELF object segment type. + flat_name: file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +file.elf.shared_libraries: + dashed_name: file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +file.elf.telfhash: + dashed_name: file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword file.extension: dashed_name: file-extension description: 'File extension, excluding the leading dot. 
@@ -5534,6 +5863,335 @@ process.command_line: normalize: [] short: Full command line that started the process. type: keyword +process.elf.architecture: + dashed_name: process-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.elf.byte_order: + dashed_name: process-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.elf.cpu_type: + dashed_name: process-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.elf.creation_date: + dashed_name: process-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.elf.exports: + dashed_name: process-elf-exports + description: List of exported element names and types. + flat_name: process.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +process.elf.header.abi_version: + dashed_name: process-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). 
+ flat_name: process.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.elf.header.class: + dashed_name: process-elf-header-class + description: Header class of the ELF file. + flat_name: process.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.elf.header.data: + dashed_name: process-elf-header-data + description: Data table of the ELF header. + flat_name: process.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.elf.header.entrypoint: + dashed_name: process-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.elf.header.object_version: + dashed_name: process-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.elf.header.os_abi: + dashed_name: process-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.elf.header.type: + dashed_name: process-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.elf.header.version: + dashed_name: process-elf-header-version + description: Version of the ELF header. + flat_name: process.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.elf.imports: + dashed_name: process-elf-imports + description: List of imported element names and types. + flat_name: process.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.elf.sections: + dashed_name: process-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.elf.sections.chi2: + dashed_name: process-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +process.elf.sections.entropy: + dashed_name: process-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. 
+ type: long +process.elf.sections.flags: + dashed_name: process-elf-sections-flags + description: ELF Section List flags. + flat_name: process.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.elf.sections.name: + dashed_name: process-elf-sections-name + description: ELF Section List name. + flat_name: process.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.elf.sections.physical_offset: + dashed_name: process-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.elf.sections.physical_size: + dashed_name: process-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.elf.sections.type: + dashed_name: process-elf-sections-type + description: ELF Section List type. + flat_name: process.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.elf.sections.virtual_address: + dashed_name: process-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. 
+ type: long +process.elf.sections.virtual_size: + dashed_name: process-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.elf.segments: + dashed_name: process-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.elf.segments.sections: + dashed_name: process-elf-segments-sections + description: ELF object segment sections. + flat_name: process.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.elf.segments.type: + dashed_name: process-elf-segments-type + description: ELF object segment type. + flat_name: process.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.elf.shared_libraries: + dashed_name: process-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.elf.telfhash: + dashed_name: process-elf-telfhash + description: telfhash symbol hash for ELF file. 
+ flat_name: process.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
@@ -5804,6 +6462,335 @@ process.parent.command_line: original_fieldset: process short: Full command line that started the process. type: keyword +process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +process.parent.elf.exports: + dashed_name: process-parent-elf-exports + description: List of exported element names and types. + flat_name: process.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened +process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class + description: Header class of the ELF file. + flat_name: process.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. 
+ flat_name: process.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type + description: Header type of the ELF file. + flat_name: process.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +process.parent.elf.imports: + dashed_name: process-parent-elf-imports + description: List of imported element names and types. + flat_name: process.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +process.parent.elf.sections: + dashed_name: process-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: process.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. 
+ type: long +process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type + description: ELF Section List type. 
+ flat_name: process.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +process.parent.elf.segments: + dashed_name: process-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: process.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type + description: ELF object segment type. 
+ flat_name: process.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword process.parent.entity_id: dashed_name: process-parent-entity-id description: 'Unique identifier for the process. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 7913e8897a..6c3e37c1bf 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -2213,6 +2213,327 @@ ecs: short: Meta-information specific to ECS. title: ECS type: group +elf: + beta: These fields are in beta and are subject to change. + description: These fields contain Linux Executable Linkable Format (ELF) metadata. + fields: + elf.architecture: + dashed_name: elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + short: Machine architecture of the ELF file. + type: keyword + elf.byte_order: + dashed_name: elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + short: Byte sequence of ELF file. + type: keyword + elf.cpu_type: + dashed_name: elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + short: CPU type of the ELF file. + type: keyword + elf.creation_date: + dashed_name: elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: elf.creation_date + level: extended + name: creation_date + normalize: [] + short: Build or compile date. + type: date + elf.exports: + dashed_name: elf-exports + description: List of exported element names and types. + flat_name: elf.exports + level: extended + name: exports + normalize: + - array + short: List of exported element names and types. + type: flattened + elf.header.abi_version: + dashed_name: elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + short: Version of the ELF Application Binary Interface (ABI). 
+ type: keyword + elf.header.class: + dashed_name: elf-header-class + description: Header class of the ELF file. + flat_name: elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + short: Header class of the ELF file. + type: keyword + elf.header.data: + dashed_name: elf-header-data + description: Data table of the ELF header. + flat_name: elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + short: Data table of the ELF header. + type: keyword + elf.header.entrypoint: + dashed_name: elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + short: Header entrypoint of the ELF file. + type: long + elf.header.object_version: + dashed_name: elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + short: '"0x1" for original ELF files.' + type: keyword + elf.header.os_abi: + dashed_name: elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + elf.header.type: + dashed_name: elf-header-type + description: Header type of the ELF file. + flat_name: elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + short: Header type of the ELF file. + type: keyword + elf.header.version: + dashed_name: elf-header-version + description: Version of the ELF header. + flat_name: elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + short: Version of the ELF header. 
+ type: keyword + elf.imports: + dashed_name: elf-imports + description: List of imported element names and types. + flat_name: elf.imports + level: extended + name: imports + normalize: + - array + short: List of imported element names and types. + type: flattened + elf.sections: + dashed_name: elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: elf.sections + level: extended + name: sections + normalize: + - array + short: Section information of the ELF file. + type: nested + elf.sections.chi2: + dashed_name: elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + short: Chi-square probability distribution of the section. + type: long + elf.sections.entropy: + dashed_name: elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + short: Shannon entropy calculation from the section. + type: long + elf.sections.flags: + dashed_name: elf-sections-flags + description: ELF Section List flags. + flat_name: elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + short: ELF Section List flags. + type: keyword + elf.sections.name: + dashed_name: elf-sections-name + description: ELF Section List name. + flat_name: elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + short: ELF Section List name. + type: keyword + elf.sections.physical_offset: + dashed_name: elf-sections-physical-offset + description: ELF Section List offset. 
+ flat_name: elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + short: ELF Section List offset. + type: keyword + elf.sections.physical_size: + dashed_name: elf-sections-physical-size + description: ELF Section List physical size. + flat_name: elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + short: ELF Section List physical size. + type: long + elf.sections.type: + dashed_name: elf-sections-type + description: ELF Section List type. + flat_name: elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + short: ELF Section List type. + type: keyword + elf.sections.virtual_address: + dashed_name: elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + short: ELF Section List virtual address. + type: long + elf.sections.virtual_size: + dashed_name: elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + short: ELF Section List virtual size. + type: long + elf.segments: + dashed_name: elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: elf.segments + level: extended + name: segments + normalize: + - array + short: ELF object segment list. + type: nested + elf.segments.sections: + dashed_name: elf-segments-sections + description: ELF object segment sections. + flat_name: elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + short: ELF object segment sections. 
+ type: keyword + elf.segments.type: + dashed_name: elf-segments-type + description: ELF object segment type. + flat_name: elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + short: ELF object segment type. + type: keyword + elf.shared_libraries: + dashed_name: elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + short: List of shared libraries used by this ELF object. + type: keyword + elf.telfhash: + dashed_name: elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + short: telfhash hash for ELF file. + type: keyword + group: 2 + name: elf + prefix: elf. + reusable: + expected: + - as: elf + at: file + beta: This field reuse is beta and subject to change. + full: file.elf + - as: elf + at: process + beta: This field reuse is beta and subject to change. + full: process.elf + top_level: false + short: These fields contain Linux Executable Linkable Format (ELF) metadata. + title: ELF Header + type: group error: description: 'These fields can represent errors of any kind. 
@@ -3260,6 +3581,335 @@ file: normalize: [] short: Drive letter where the file is located. type: keyword + file.elf.architecture: + dashed_name: file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + file.elf.byte_order: + dashed_name: file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + file.elf.cpu_type: + dashed_name: file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + file.elf.creation_date: + dashed_name: file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + file.elf.exports: + dashed_name: file-elf-exports + description: List of exported element names and types. + flat_name: file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + file.elf.header.abi_version: + dashed_name: file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). 
+ flat_name: file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + file.elf.header.class: + dashed_name: file-elf-header-class + description: Header class of the ELF file. + flat_name: file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + file.elf.header.data: + dashed_name: file-elf-header-data + description: Data table of the ELF header. + flat_name: file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + file.elf.header.entrypoint: + dashed_name: file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + file.elf.header.object_version: + dashed_name: file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + file.elf.header.os_abi: + dashed_name: file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + file.elf.header.type: + dashed_name: file-elf-header-type + description: Header type of the ELF file. 
+ flat_name: file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + file.elf.header.version: + dashed_name: file-elf-header-version + description: Version of the ELF header. + flat_name: file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + file.elf.imports: + dashed_name: file-elf-imports + description: List of imported element names and types. + flat_name: file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + file.elf.sections: + dashed_name: file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + file.elf.sections.chi2: + dashed_name: file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + file.elf.sections.entropy: + dashed_name: file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + file.elf.sections.flags: + dashed_name: file-elf-sections-flags + description: ELF Section List flags. 
+ flat_name: file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + file.elf.sections.name: + dashed_name: file-elf-sections-name + description: ELF Section List name. + flat_name: file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + file.elf.sections.physical_offset: + dashed_name: file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + file.elf.sections.physical_size: + dashed_name: file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + file.elf.sections.type: + dashed_name: file-elf-sections-type + description: ELF Section List type. + flat_name: file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + file.elf.sections.virtual_address: + dashed_name: file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + file.elf.sections.virtual_size: + dashed_name: file-elf-sections-virtual-size + description: ELF Section List virtual size. 
+ flat_name: file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + file.elf.segments: + dashed_name: file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + file.elf.segments.sections: + dashed_name: file-elf-segments-sections + description: ELF object segment sections. + flat_name: file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + file.elf.segments.type: + dashed_name: file-elf-segments-type + description: ELF object segment type. + flat_name: file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + file.elf.shared_libraries: + dashed_name: file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + file.elf.telfhash: + dashed_name: file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword file.extension: dashed_name: file-extension description: 'File extension, excluding the leading dot. 
@@ -3881,6 +4531,7 @@ file: name: file nestings: - file.code_signature + - file.elf - file.hash - file.pe - file.x509 @@ -3889,6 +4540,10 @@ file: - full: file.code_signature schema_name: code_signature short: These fields contain information about binary code signatures. + - beta: This field reuse is beta and subject to change. + full: file.elf + schema_name: elf + short: These fields contain Linux Executable Linkable Format (ELF) metadata. - full: file.hash schema_name: hash short: Hashes, usually file hashes. 
@@ -6721,6 +7376,335 @@ process: normalize: [] short: Full command line that started the process. type: keyword + process.elf.architecture: + dashed_name: process-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.elf.byte_order: + dashed_name: process-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.elf.cpu_type: + dashed_name: process-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.elf.creation_date: + dashed_name: process-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.elf.exports: + dashed_name: process-elf-exports + description: List of exported element names and types. + flat_name: process.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + process.elf.header.abi_version: + dashed_name: process-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). 
+ flat_name: process.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.elf.header.class: + dashed_name: process-elf-header-class + description: Header class of the ELF file. + flat_name: process.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.elf.header.data: + dashed_name: process-elf-header-data + description: Data table of the ELF header. + flat_name: process.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.elf.header.entrypoint: + dashed_name: process-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.elf.header.object_version: + dashed_name: process-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.elf.header.os_abi: + dashed_name: process-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: process.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.elf.header.type: + dashed_name: process-elf-header-type + description: Header type of the ELF file. 
+ flat_name: process.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.elf.header.version: + dashed_name: process-elf-header-version + description: Version of the ELF header. + flat_name: process.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.elf.imports: + dashed_name: process-elf-imports + description: List of imported element names and types. + flat_name: process.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.elf.sections: + dashed_name: process-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.elf.sections.chi2: + dashed_name: process-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: process.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.elf.sections.entropy: + dashed_name: process-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. 
+ type: long + process.elf.sections.flags: + dashed_name: process-elf-sections-flags + description: ELF Section List flags. + flat_name: process.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.elf.sections.name: + dashed_name: process-elf-sections-name + description: ELF Section List name. + flat_name: process.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.elf.sections.physical_offset: + dashed_name: process-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.elf.sections.physical_size: + dashed_name: process-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + process.elf.sections.type: + dashed_name: process-elf-sections-type + description: ELF Section List type. + flat_name: process.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.elf.sections.virtual_address: + dashed_name: process-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. 
+ type: long + process.elf.sections.virtual_size: + dashed_name: process-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.elf.segments: + dashed_name: process-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.elf.segments.sections: + dashed_name: process-elf-segments-sections + description: ELF object segment sections. + flat_name: process.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.elf.segments.type: + dashed_name: process-elf-segments-type + description: ELF object segment type. + flat_name: process.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.elf.shared_libraries: + dashed_name: process-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.elf.telfhash: + dashed_name: process-elf-telfhash + description: telfhash symbol hash for ELF file. 
+ flat_name: process.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword process.entity_id: dashed_name: process-entity-id description: 'Unique identifier for the process. 
@@ -6991,6 +7975,335 @@ process: original_fieldset: process short: Full command line that started the process. type: keyword + process.parent.elf.architecture: + dashed_name: process-parent-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: process.parent.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + process.parent.elf.byte_order: + dashed_name: process-parent-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: process.parent.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + process.parent.elf.cpu_type: + dashed_name: process-parent-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: process.parent.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + process.parent.elf.creation_date: + dashed_name: process-parent-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: process.parent.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + process.parent.elf.exports: + dashed_name: process-parent-elf-exports + description: List of exported element names and types. + flat_name: process.parent.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened + process.parent.elf.header.abi_version: + dashed_name: process-parent-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: process.parent.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + process.parent.elf.header.class: + dashed_name: process-parent-elf-header-class + description: Header class of the ELF file. + flat_name: process.parent.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + process.parent.elf.header.data: + dashed_name: process-parent-elf-header-data + description: Data table of the ELF header. + flat_name: process.parent.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + process.parent.elf.header.entrypoint: + dashed_name: process-parent-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: process.parent.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + process.parent.elf.header.object_version: + dashed_name: process-parent-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: process.parent.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + process.parent.elf.header.os_abi: + dashed_name: process-parent-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. 
+ flat_name: process.parent.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + process.parent.elf.header.type: + dashed_name: process-parent-elf-header-type + description: Header type of the ELF file. + flat_name: process.parent.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + process.parent.elf.header.version: + dashed_name: process-parent-elf-header-version + description: Version of the ELF header. + flat_name: process.parent.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + process.parent.elf.imports: + dashed_name: process-parent-elf-imports + description: List of imported element names and types. + flat_name: process.parent.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + process.parent.elf.sections: + dashed_name: process-parent-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: process.parent.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + process.parent.elf.sections.chi2: + dashed_name: process-parent-elf-sections-chi2 + description: Chi-square probability distribution of the section. 
+ flat_name: process.parent.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + process.parent.elf.sections.entropy: + dashed_name: process-parent-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: process.parent.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + process.parent.elf.sections.flags: + dashed_name: process-parent-elf-sections-flags + description: ELF Section List flags. + flat_name: process.parent.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + process.parent.elf.sections.name: + dashed_name: process-parent-elf-sections-name + description: ELF Section List name. + flat_name: process.parent.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + process.parent.elf.sections.physical_offset: + dashed_name: process-parent-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: process.parent.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + process.parent.elf.sections.physical_size: + dashed_name: process-parent-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: process.parent.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. 
+ type: long + process.parent.elf.sections.type: + dashed_name: process-parent-elf-sections-type + description: ELF Section List type. + flat_name: process.parent.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + process.parent.elf.sections.virtual_address: + dashed_name: process-parent-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: process.parent.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + process.parent.elf.sections.virtual_size: + dashed_name: process-parent-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: process.parent.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + process.parent.elf.segments: + dashed_name: process-parent-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: process.parent.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + process.parent.elf.segments.sections: + dashed_name: process-parent-elf-segments-sections + description: ELF object segment sections. + flat_name: process.parent.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + process.parent.elf.segments.type: + dashed_name: process-parent-elf-segments-type + description: ELF object segment type. 
+ flat_name: process.parent.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + process.parent.elf.shared_libraries: + dashed_name: process-parent-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: process.parent.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + process.parent.elf.telfhash: + dashed_name: process-parent-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: process.parent.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword process.parent.entity_id: dashed_name: process-parent-entity-id description: 'Unique identifier for the process. @@ -7521,6 +8834,7 @@ process: name: process nestings: - process.code_signature + - process.elf - process.hash - process.parent - process.pe @@ -7536,6 +8850,10 @@ process: - full: process.code_signature schema_name: code_signature short: These fields contain information about binary code signatures. + - beta: This field reuse is beta and subject to change. + full: process.elf + schema_name: elf + short: These fields contain Linux Executable Linkable Format (ELF) metadata. - full: process.hash schema_name: hash short: Hashes, usually file hashes. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 2a964ae302..b7d1740c69 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -895,6 +895,123 @@ "ignore_above": 1, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "extension": { "ignore_above": 1024, "type": "keyword" 
@@ -1987,6 +2104,123 @@ "ignore_above": 1024, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "entity_id": { "ignore_above": 1024, "type": "keyword" 
@@ -2086,6 +2320,123 @@ "ignore_above": 1024, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "entity_id": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index fea66d43bb..4a071008ce 100644 
--- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -891,6 +891,123 @@ "ignore_above": 1, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "extension": { "ignore_above": 1024, "type": "keyword" 
@@ -1983,6 +2100,123 @@ "ignore_above": 1024, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "entity_id": { "ignore_above": 1024, "type": "keyword" 
@@ -2082,6 +2316,123 @@ "ignore_above": 1024, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "entity_id": { "ignore_above": 1024, "type": "keyword" 
diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json index ea4c4a4a1d..464fb1e9eb 100644 --- a/generated/elasticsearch/component/file.json +++ b/generated/elasticsearch/component/file.json 
@@ -62,6 +62,123 @@ "ignore_above": 1, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "extension": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json index 5bbf33b350..e1ab458007 100644 
--- a/generated/elasticsearch/component/process.json +++ b/generated/elasticsearch/component/process.json @@ -54,6 +54,123 @@ "ignore_above": 1024, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "entity_id": { "ignore_above": 1024, "type": "keyword" 
@@ -153,6 +270,123 @@ "ignore_above": 1024, "type": "keyword" }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "entity_id": { "ignore_above": 1024, "type": "keyword" 
diff --git a/experimental/schemas/elf.yml b/schemas/elf.yml similarity index 80% rename from experimental/schemas/elf.yml rename to schemas/elf.yml index 82b17da920..525b155414 100644 --- a/experimental/schemas/elf.yml +++ b/schemas/elf.yml @@ -4,12 +4,18 @@ group: 2 description: > These fields contain Linux Executable Linkable Format (ELF) metadata. + beta: > + These fields are in beta and are subject to change. type: group reusable: top_level: false expected: - - file - - process + - at: file + as: elf + beta: This field reuse is beta and subject to change. + - at: process + as: elf + beta: This field reuse is beta and subject to change. fields: - name: creation_date short: Build or compile date. @@ -31,7 +37,7 @@ Byte sequence of ELF file. type: keyword level: extended - example: Little Endian, Big Endian + example: Little Endian - name: cpu_type description: > @@ -90,10 +96,16 @@ "0x1" for original ELF files. - name: sections + short: Section information of the ELF file. description: > - Section information of the ELF file. + An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`. type: nested level: extended + normalize: + - "array" - name: sections.flags description: 
> @@ -159,33 +171,43 @@ List of exported element names and types. level: extended type: flattened + normalize: + - array - name: imports description: > List of imported element names and types. type: flattened level: extended + normalize: + - array - name: shared_libraries description: > - List of shared libraries used by this ELF object + List of shared libraries used by this ELF object. type: keyword level: extended normalize: - array - name: telfhash - short: telfhash hash for ELF files + short: telfhash hash for ELF file. description: > - telfhash is symbol hash for ELF files, just like imphash is imports hash for PE files. Learn more at https://github.com/trendmicro/telfhash. + telfhash symbol hash for ELF file. type: keyword level: extended - name: segments + short: ELF object segment list. description: > - ELF object segment list. + An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`. type: nested level: extended + normalize: + - array - name: segments.type description: ELF object segment type.
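Review bot: The `sections` description now says the keys of each object are defined by the `elf.sections.*` sub-fields, but those sub-field definitions sit outside this hunk (it ends at the start of `sections.flags`), and the generated templates on this page map `sections.entropy` and `sections.chi2` as `long`. If `entropy` is meant to hold Shannon entropy, that is a fractional value in the 0–8 range and a `long` mapping would silently truncate it, which matters because packed or encrypted sections are typically flagged by thresholds such as 7.0 or higher; the sub-field definition should presumably use a floating-point type (e.g. `float`) instead, and the same question applies to `chi2`. I'd also note in the description that the array is indexed as `nested`, so per-section conditions must be written as nested queries: `Each element is indexed as a nested document, so conditions on several sub-fields of one section need a nested query.`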
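Review bot: The new `telfhash` description, `telfhash symbol hash for ELF file.`, only restates the field name and no longer tells a consumer what the value is, so it cannot be distinguished from the content hashes under `hash.*`; the removed wording carried exactly that information and I would keep it as the long description, e.g. `telfhash is a symbol hash for ELF files, just like imphash is an imports hash for PE files. Learn more at https://github.com/trendmicro/telfhash.`, while leaving the new `short` as is. In the same hunk `exports` and `imports` gain `normalize: - array` while staying `type: flattened`, but the descriptions only say "names and types"; a sentence naming the keys each element is expected to carry would help producers emit consistent objects, since `flattened` imposes no structure on them.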