File.elf create

CHANGELOG.next.md

@@ -18,6 +18,7 @@ Thanks, you're awesome :-) -->
 
 * Added `event.category` "registry". #1040
 * Added `event.category` "session". #1049
+* Added `file.elf`. #1077
 
 #### Improvements
 

docs/field-details.asciidoc

@@ -2331,6 +2331,12 @@ example: `1001`
 // ===============================================================
 
 
+| <<ecs-file.elf,file.file.elf.*>>
+| ELF events from VirusTotal Intelligence Live Hunt results.
+
+// ===============================================================
+
+
 | <<ecs-hash,file.hash.*>>
 | Hashes, usually file hashes.
 
@@ -2351,6 +2357,162 @@ example: `1001`
 
 |=====
 
+[[ecs-file.elf]]
+=== ELF Header Fields
+
+ELF events from VirusTotal Intelligence Live Hunt results.
+
+[discrete]
+==== ELF Header Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+| file.elf.creation_date
+| Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
+
+type: date
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+| file.elf.exports
+| List of exported element names and types
+
+type: object
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+| file.elf.header
+| Header information of the ELF file.
+
+type: object
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+| file.elf.imports
+| List of imported element names and types
+
+type: object
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+| file.elf.number_program_headers
+| Number of ELF Program Headers.
+
+type: long
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+| file.elf.number_section_headers
+| Number of ELF Section Headers.
+
+type: long
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+| file.elf.sections
+| Section information of the ELF file.
+
+type: object
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+| file.elf.segment_list
+| ELF object segment list.
+
+type: keyword
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+| file.elf.shared_libraries
+| List of shared libraries used by this ELF object
+
+type: keyword
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+| file.elf.telfhash
+| telfhash hash for ELF files.
+
+type: keyword
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+|=====
+
+[discrete]
+==== Field Reuse
+
+The `file.elf` fields are expected to be nested at: `file.file.elf`, `process.file.elf`.
+
+Note also that the `file.elf` fields are not expected to be used directly at the root of the events.
+
+
+
+
 [[ecs-geo]]
 === Geo Fields
 
@@ -4567,6 +4729,12 @@ Note also that the `process` fields may be used directly at the root of the even
 // ===============================================================
 
 
+| <<ecs-file.elf,process.file.elf.*>>
+| ELF events from VirusTotal Intelligence Live Hunt results.
+
+// ===============================================================
+
+
 | <<ecs-hash,process.hash.*>>
 | Hashes, usually file hashes.
 

docs/fields.asciidoc

@@ -46,6 +46,8 @@ all fields are defined.
 
 | <<ecs-file,File>> | Fields describing files.
 
+| <<ecs-file.elf,ELF Header>> | ELF events from VirusTotal Intelligence Live Hunt results.
+
 | <<ecs-geo,Geo>> | Fields describing a location.
 
 | <<ecs-group,Group>> | User's group relevant to the event.