From 3531314ba9cf350008b130587992828cb6a6bfab Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Mon, 8 Feb 2021 15:36:57 -0600 Subject: [PATCH 1/5] add addl PE fields from RFC 0014 --- experimental/schemas/pe.yml | 221 ++++++++++++++++++++++++++++++++++++ 1 file changed, 221 insertions(+) diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml index 77a0574348..88105892fa 100644 --- a/experimental/schemas/pe.yml +++ b/experimental/schemas/pe.yml 
@@ -3,3 +3,224 @@ fields: - name: original_file_name type: wildcard + + - name: icon.hash.dhash + level: extended + type: keyword + description: > + Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + + example: b806e17c8e330d82 + + - name: debug + level: extended + type: nested + short: Debug information + description: > + Debug information, if present + + normalize: + - array + + - name: debug.offset + level: extended + type: keyword + description: Debug offset information. + example: 1296336 + + - name: debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + + - name: debug.type + level: extended + type: keyword + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + + - name: debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: "2020-11-05T17:25:47.000Z" + + - name: imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }' + + - name: sections + level: extended + short: Data about sections of the compiled binary PE + description: > + Data about sections of compiled binary PE + type: nested + normalize: + - array + + - name: sections.chi2 + level: extended + description: Chi-square probability distribution. + type: long + example: 3027194 + + - name: sections.virtual_address + level: extended + description: Virtual address available to the file. + type: long + format: bytes + example: 8192 + + - name: sections.entropy + level: extended + description: Measurement of entropy randomness in the file. + type: float + example: 6.24 + + - name: sections.flags + level: extended + description: Section flags of the file. + type: keyword + example: rx + + - name: sections.name + level: extended + description: Section names of the file. 
+ type: keyword + example: .text, .data + + - name: sections.raw_size + level: extended + description: Size of the section or the dize of the initialized data on disk. + type: long + format: bytes + example: 198144 + + - name: resources + level: extended + type: nested + description: > + If the PE contains resources, some info about them + normalize: + - array + + - name: resources.chi2 + level: extended + description: Chi-square probability distribution. + type: long + example: -1 + + - name: resources.filetype + level: extended + description: File type of the resources section. + type: keyword + example: Data + + - name: resources.entropy + level: extended + description: Measurement of entropy randomness in the resources section. + type: long + example: 0, 1 + + - name: resources.sha256 + level: extended + description: SHA256 hash of resources section. + type: keyword + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + + - name: resources.language + level: extended + description: Language identification. + type: keyword + example: "CHINESE SIMPLIFIED" + + - name: resources.type + level: extended + type: keyword + short: List of resource types. + description: > + Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + normalize: + - array + + - name: exports + level: extended + type: keyword + description: > + List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + normalize: + - array + + - name: creation_date + level: extended + short: Build or compile date. + description: > + Extracted when possible from the file's metadata. Indicates when it was + built or compiled. It can also be faked by malware creators. + type: date + example: "2020-11-05T17:25:47.000Z" + + - name: authentihash + level: extended + description: > + Authentihash of the PE file. 
+ type: keyword + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + + - name: compile_timestamp + level: extended + description: > + Compile timestamp of the PE file. + type: date + example: "2020-11-05T17:25:47.000Z" + + - name: compiler.name + level: extended + type: keyword + description: > + Name of the compiler + example: Clang + + - name: compiler.version + level: extended + type: keyword + description: > + Version of the compiler. + example: 11.0.0 + + - name: rich_header.hash.md5 + level: extended + type: keyword + description: > + MD5 hash of the header for the PE file. + + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + + - name: entry_point + level: extended + description: > + Relative byte offset to the base of the PE file. + type: keyword + example: 25856 + + - name: machine_type + level: extended + description: > + Machine type of the PE file. + type: keyword + example: "Intel 386 or later, and compatibles" + + - name: packers + level: extended + description: > + List of packers and tools used. + type: keyword + example: '["ASPack v2.12", ".NET executable"]' + normalize: + - array From 14b815f7a5a60aa9a795e457c4788602db223013 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Mon, 8 Feb 2021 15:37:31 -0600 Subject: [PATCH 2/5] experimental artifacts --- experimental/generated/beats/fields.ecs.yml | 1072 +++++++++- experimental/generated/csv/fields.csv | 124 ++ experimental/generated/ecs/ecs_flat.yml | 1522 +++++++++++++- experimental/generated/ecs/ecs_nested.yml | 1863 ++++++++++++++++- .../generated/elasticsearch/7/template.json | 544 +++++ .../elasticsearch/component/dll.json | 136 ++ .../elasticsearch/component/file.json | 136 ++ .../elasticsearch/component/process.json | 272 +++ 8 files changed, 5594 insertions(+), 75 deletions(-) diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index ad713b3658..84c5bdce2d 100644 --- a/experimental/generated/beats/fields.ecs.yml 
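Review bot: `resources.entropy` is declared `type: long` (example `0, 1`) while `sections.entropy` in the same hunk is `type: float` (example `6.24`); entropy is a fractional value (presumably Shannon entropy in the 0–8 range), so a `long` mapping truncates it to whole numbers and flattens exactly the high-entropy signal (packed or encrypted resources) that detection rules would key on — change it to `type: float` with a float example such as `7.91`, and while there make `sections.entropy`'s description say "in the section" rather than "in the file". `creation_date` carries the caveat that the value "can also be faked by malware creators", but `compile_timestamp` and `debug.timestamp`, which are read from the same untrusted headers, do not; I'd add the sentence `This value is taken from the PE headers and can be forged by the file's author.` to both, and the `creation_date`/`compile_timestamp` descriptions should state how the two differ, since as written they describe the same value. `sections.virtual_address` should not carry `format: bytes` (an RVA is an address, not a size). Minor: the `sections.raw_size` description has a typo, "dize" → "size".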
+++ b/experimental/generated/beats/fields.ecs.yml @@ -1040,6 +1040,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: pe.company level: extended type: keyword 
@@ -1047,6 +1054,65 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false + - name: pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug + level: extended + type: nested + description: Debug information, if present + default_field: false + - name: pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false - name: pe.description level: extended type: keyword 
@@ -1054,6 +1120,20 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false + - name: pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false - name: pe.file_version level: extended type: keyword @@ -1061,6 +1141,14 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false - name: pe.imphash level: extended type: keyword 
@@ -1072,12 +1160,33 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false - name: pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false + - name: pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false - name: pe.product level: extended type: keyword 
@@ -1085,6 +1194,103 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: pe.resources + level: extended + type: nested + description: If the PE contains resources, some info about them + default_field: false + - name: pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: 3027194 + default_field: false + - name: pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false - name: dns title: DNS group: 2 @@ -1809,6 +2015,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: pe.company level: extended type: keyword 
@@ -1816,6 +2029,65 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false + - name: pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug + level: extended + type: nested + description: Debug information, if present + default_field: false + - name: pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false - name: pe.description level: extended type: keyword 
@@ -1823,6 +2095,20 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false + - name: pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false - name: pe.file_version level: extended type: keyword @@ -1830,6 +2116,14 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false - name: pe.imphash level: extended type: keyword 
@@ -1841,12 +2135,33 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false - name: pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false + - name: pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false - name: pe.product level: extended type: keyword 
@@ -1854,6 +2169,103 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: pe.resources + level: extended + type: nested + description: If the PE contains resources, some info about them + default_field: false + - name: pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: 3027194 + default_field: false + - name: pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false - name: size level: extended type: long @@ -3486,6 +3898,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: company level: extended type: keyword 
@@ -3493,45 +3912,244 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: description + - name: compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: compiler.name level: extended type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + description: Name of the compiler + example: Clang default_field: false - - name: file_version + - name: compiler.version level: extended type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: Version of the compiler. + example: 11.0.0 default_field: false - - name: imphash + - name: creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: debug + level: extended + type: nested + description: Debug information, if present + default_field: false + - name: debug.offset level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + description: Debug offset information. + example: 1296336 default_field: false - - name: original_file_name + - name: debug.size level: extended - type: wildcard - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE + type: long + format: bytes + description: Size of the debug information. + example: 816 default_field: false - - name: product + - name: debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: debug.type level: extended type: keyword ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO default_field: false - - name: process + - name: description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false + - name: file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false + - name: imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false + - name: original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: resources + level: extended + type: nested + description: If the PE contains resources, some info about them + default_field: false + - name: resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. 
+ example: CHINESE SIMPLIFIED + default_field: false + - name: resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: 3027194 + default_field: false + - name: sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false + - name: process title: Process group: 2 description: 'These fields contain information about a process. 
@@ -3845,6 +4463,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: parent.pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: parent.pe.company level: extended type: keyword 
@@ -3852,6 +4477,65 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false + - name: parent.pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: parent.pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: parent.pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: parent.pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: parent.pe.debug + level: extended + type: nested + description: Debug information, if present + default_field: false + - name: parent.pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: parent.pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: parent.pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: parent.pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false - name: parent.pe.description level: extended type: keyword 
@@ -3859,6 +4543,20 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false + - name: parent.pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: parent.pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false - name: parent.pe.file_version level: extended type: keyword @@ -3866,6 +4564,14 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: parent.pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false - name: parent.pe.imphash level: extended type: keyword 
@@ -3877,12 +4583,33 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: parent.pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: parent.pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false - name: parent.pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false + - name: parent.pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false - name: parent.pe.product level: extended type: keyword 
@@ -3890,6 +4617,103 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: parent.pe.resources + level: extended + type: nested + description: If the PE contains resources, some info about them + default_field: false + - name: parent.pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: parent.pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: parent.pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: parent.pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: parent.pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: parent.pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: parent.pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: parent.pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: parent.pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: 3027194 + default_field: false + - name: parent.pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: parent.pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: parent.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: parent.pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: parent.pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false - name: parent.pgid level: extended type: long @@ -3964,6 +4788,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: pe.company level: extended type: keyword 
@@ -3971,6 +4802,65 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false + - name: pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug + level: extended + type: nested + description: Debug information, if present + default_field: false + - name: pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false - name: pe.description level: extended type: keyword 
@@ -3978,6 +4868,20 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false + - name: pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false - name: pe.file_version level: extended type: keyword @@ -3985,6 +4889,14 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false - name: pe.imphash level: extended type: keyword 
@@ -3996,12 +4908,33 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false - name: pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false + - name: pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false - name: pe.product level: extended type: keyword 
@@ -4009,6 +4942,103 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: pe.resources + level: extended + type: nested + description: If the PE contains resources, some info about them + default_field: false + - name: pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: 3027194 + default_field: false + - name: pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false - name: pgid level: extended type: long diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 6c9e5db81c..fe6d03bd8a 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -118,12 +118,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. 2.0.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. 2.0.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,dll,dll.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. 2.0.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,dll,dll.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +2.0.0-dev+exp,true,dll,dll.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +2.0.0-dev+exp,true,dll,dll.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +2.0.0-dev+exp,true,dll,dll.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. +2.0.0-dev+exp,true,dll,dll.pe.debug,nested,extended,array,,Debug information +2.0.0-dev+exp,true,dll,dll.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +2.0.0-dev+exp,true,dll,dll.pe.debug.size,long,extended,,816,Size of the debug information. +2.0.0-dev+exp,true,dll,dll.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +2.0.0-dev+exp,true,dll,dll.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. 2.0.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,dll,dll.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. 
+2.0.0-dev+exp,true,dll,dll.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE 2.0.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,dll,dll.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. 2.0.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +2.0.0-dev+exp,true,dll,dll.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. 2.0.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,dll,dll.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 2.0.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,dll,dll.pe.resources,nested,extended,array,,"If the PE contains resources, some info about them" +2.0.0-dev+exp,true,dll,dll.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +2.0.0-dev+exp,true,dll,dll.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +2.0.0-dev+exp,true,dll,dll.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +2.0.0-dev+exp,true,dll,dll.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. 
+2.0.0-dev+exp,true,dll,dll.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. +2.0.0-dev+exp,true,dll,dll.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +2.0.0-dev+exp,true,dll,dll.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +2.0.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +2.0.0-dev+exp,true,dll,dll.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +2.0.0-dev+exp,true,dll,dll.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. +2.0.0-dev+exp,true,dll,dll.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +2.0.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +2.0.0-dev+exp,true,dll,dll.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +2.0.0-dev+exp,true,dll,dll.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 2.0.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 2.0.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. 2.0.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. 
@@ -203,12 +234,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." 2.0.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." 2.0.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,file,file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. 2.0.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +2.0.0-dev+exp,true,file,file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +2.0.0-dev+exp,true,file,file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +2.0.0-dev+exp,true,file,file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. +2.0.0-dev+exp,true,file,file.pe.debug,nested,extended,array,,Debug information +2.0.0-dev+exp,true,file,file.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +2.0.0-dev+exp,true,file,file.pe.debug.size,long,extended,,816,Size of the debug information. +2.0.0-dev+exp,true,file,file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +2.0.0-dev+exp,true,file,file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. 2.0.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. 
+2.0.0-dev+exp,true,file,file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE 2.0.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,file,file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. 2.0.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,file,file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +2.0.0-dev+exp,true,file,file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. 2.0.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 2.0.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.pe.resources,nested,extended,array,,"If the PE contains resources, some info about them" +2.0.0-dev+exp,true,file,file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +2.0.0-dev+exp,true,file,file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +2.0.0-dev+exp,true,file,file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +2.0.0-dev+exp,true,file,file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. 
+2.0.0-dev+exp,true,file,file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. +2.0.0-dev+exp,true,file,file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +2.0.0-dev+exp,true,file,file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +2.0.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +2.0.0-dev+exp,true,file,file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +2.0.0-dev+exp,true,file,file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. +2.0.0-dev+exp,true,file,file.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +2.0.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +2.0.0-dev+exp,true,file,file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +2.0.0-dev+exp,true,file,file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 2.0.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. 2.0.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. 2.0.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks. 
@@ -433,12 +495,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name. 2.0.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name. 2.0.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,process,process.parent.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. 2.0.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +2.0.0-dev+exp,true,process,process.parent.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +2.0.0-dev+exp,true,process,process.parent.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +2.0.0-dev+exp,true,process,process.parent.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. +2.0.0-dev+exp,true,process,process.parent.pe.debug,nested,extended,array,,Debug information +2.0.0-dev+exp,true,process,process.parent.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +2.0.0-dev+exp,true,process,process.parent.pe.debug.size,long,extended,,816,Size of the debug information. +2.0.0-dev+exp,true,process,process.parent.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +2.0.0-dev+exp,true,process,process.parent.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. 2.0.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+2.0.0-dev+exp,true,process,process.parent.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. +2.0.0-dev+exp,true,process,process.parent.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE 2.0.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,process,process.parent.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. 2.0.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +2.0.0-dev+exp,true,process,process.parent.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. 2.0.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 2.0.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pe.resources,nested,extended,array,,"If the PE contains resources, some info about them" +2.0.0-dev+exp,true,process,process.parent.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +2.0.0-dev+exp,true,process,process.parent.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. 
+2.0.0-dev+exp,true,process,process.parent.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +2.0.0-dev+exp,true,process,process.parent.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. +2.0.0-dev+exp,true,process,process.parent.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. +2.0.0-dev+exp,true,process,process.parent.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +2.0.0-dev+exp,true,process,process.parent.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +2.0.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +2.0.0-dev+exp,true,process,process.parent.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +2.0.0-dev+exp,true,process,process.parent.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. +2.0.0-dev+exp,true,process,process.parent.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +2.0.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +2.0.0-dev+exp,true,process,process.parent.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +2.0.0-dev+exp,true,process,process.parent.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 2.0.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 2.0.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. 2.0.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. 
@@ -451,12 +544,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. 2.0.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. 2.0.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,process,process.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. 2.0.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +2.0.0-dev+exp,true,process,process.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +2.0.0-dev+exp,true,process,process.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +2.0.0-dev+exp,true,process,process.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. +2.0.0-dev+exp,true,process,process.pe.debug,nested,extended,array,,Debug information +2.0.0-dev+exp,true,process,process.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +2.0.0-dev+exp,true,process,process.pe.debug.size,long,extended,,816,Size of the debug information. +2.0.0-dev+exp,true,process,process.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +2.0.0-dev+exp,true,process,process.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. 2.0.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+2.0.0-dev+exp,true,process,process.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. +2.0.0-dev+exp,true,process,process.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE 2.0.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,process,process.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. 2.0.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,process,process.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +2.0.0-dev+exp,true,process,process.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. 2.0.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 2.0.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pe.resources,nested,extended,array,,"If the PE contains resources, some info about them" +2.0.0-dev+exp,true,process,process.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +2.0.0-dev+exp,true,process,process.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +2.0.0-dev+exp,true,process,process.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. 
+2.0.0-dev+exp,true,process,process.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. +2.0.0-dev+exp,true,process,process.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. +2.0.0-dev+exp,true,process,process.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +2.0.0-dev+exp,true,process,process.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +2.0.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +2.0.0-dev+exp,true,process,process.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +2.0.0-dev+exp,true,process,process.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. +2.0.0-dev+exp,true,process,process.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +2.0.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +2.0.0-dev+exp,true,process,process.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +2.0.0-dev+exp,true,process,process.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 2.0.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 2.0.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. 2.0.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 54583bb5ad..54f5580d6c 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -1403,6 +1403,18 @@ dll.pe.architecture:
   original_fieldset: pe
   short: CPU architecture target for the file.
   type: keyword
+dll.pe.authentihash:
+  dashed_name: dll-pe-authentihash
+  description: Authentihash of the PE file.
+  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+  flat_name: dll.pe.authentihash
+  ignore_above: 1024
+  level: extended
+  name: authentihash
+  normalize: []
+  original_fieldset: pe
+  short: Authentihash of the PE file.
+  type: keyword
 dll.pe.company:
   dashed_name: dll-pe-company
   description: Internal company name of the file, provided at compile-time.
@@ -1415,6 +1427,111 @@ dll.pe.company:
   original_fieldset: pe
   short: Internal company name of the file, provided at compile-time.
   type: keyword
+dll.pe.compile_timestamp:
+  dashed_name: dll-pe-compile-timestamp
+  description: Compile timestamp of the PE file.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: dll.pe.compile_timestamp
+  level: extended
+  name: compile_timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Compile timestamp of the PE file.
+  type: date
+dll.pe.compiler.name:
+  dashed_name: dll-pe-compiler-name
+  description: Name of the compiler
+  example: Clang
+  flat_name: dll.pe.compiler.name
+  ignore_above: 1024
+  level: extended
+  name: compiler.name
+  normalize: []
+  original_fieldset: pe
+  short: Name of the compiler
+  type: keyword
+dll.pe.compiler.version:
+  dashed_name: dll-pe-compiler-version
+  description: Version of the compiler.
+  example: 11.0.0
+  flat_name: dll.pe.compiler.version
+  ignore_above: 1024
+  level: extended
+  name: compiler.version
+  normalize: []
+  original_fieldset: pe
+  short: Version of the compiler.
+  type: keyword
+dll.pe.creation_date:
+  dashed_name: dll-pe-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: dll.pe.creation_date
+  level: extended
+  name: creation_date
+  normalize: []
+  original_fieldset: pe
+  short: Build or compile date.
+  type: date
+dll.pe.debug:
+  dashed_name: dll-pe-debug
+  description: Debug information, if present
+  flat_name: dll.pe.debug
+  level: extended
+  name: debug
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Debug information
+  type: nested
+dll.pe.debug.offset:
+  dashed_name: dll-pe-debug-offset
+  description: Debug offset information.
+  example: 1296336
+  flat_name: dll.pe.debug.offset
+  ignore_above: 1024
+  level: extended
+  name: debug.offset
+  normalize: []
+  original_fieldset: pe
+  short: Debug offset information.
+  type: keyword
+dll.pe.debug.size:
+  dashed_name: dll-pe-debug-size
+  description: Size of the debug information.
+  example: 816
+  flat_name: dll.pe.debug.size
+  format: bytes
+  level: extended
+  name: debug.size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the debug information.
+  type: long
+dll.pe.debug.timestamp:
+  dashed_name: dll-pe-debug-timestamp
+  description: Timestamp of the debug information.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: dll.pe.debug.timestamp
+  level: extended
+  name: debug.timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Timestamp of the debug information.
+  type: date
+dll.pe.debug.type:
+  dashed_name: dll-pe-debug-type
+  description: Information type generated by the debug options.
+  example: IMAGE_DEBUG_TYPE_POGO
+  flat_name: dll.pe.debug.type
+  ignore_above: 1024
+  level: extended
+  name: debug.type
+  normalize: []
+  original_fieldset: pe
+  short: Information type generated by the debug options.
+  type: keyword
 dll.pe.description:
   dashed_name: dll-pe-description
   description: Internal description of the file, provided at compile-time.
@@ -1427,6 +1544,31 @@ dll.pe.description:
   original_fieldset: pe
   short: Internal description of the file, provided at compile-time.
   type: keyword
+dll.pe.entry_point:
+  dashed_name: dll-pe-entry-point
+  description: Relative byte offset to the base of the PE file.
+  example: 25856
+  flat_name: dll.pe.entry_point
+  ignore_above: 1024
+  level: extended
+  name: entry_point
+  normalize: []
+  original_fieldset: pe
+  short: Relative byte offset to the base of the PE file.
+  type: keyword
+dll.pe.exports:
+  dashed_name: dll-pe-exports
+  description: List of symbols exported by PE
+  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+  flat_name: dll.pe.exports
+  ignore_above: 1024
+  level: extended
+  name: exports
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of symbols exported by PE
+  type: keyword
 dll.pe.file_version:
   dashed_name: dll-pe-file-version
   description: Internal version of the file, provided at compile-time.
@@ -1439,6 +1581,19 @@ dll.pe.file_version:
   original_fieldset: pe
   short: Process name.
   type: keyword
+dll.pe.icon.hash.dhash:
+  dashed_name: dll-pe-icon-hash-dhash
+  description: Difference Hash (dhash) to find files with a visually similar icon
+    or thumbnail.
+  example: b806e17c8e330d82
+  flat_name: dll.pe.icon.hash.dhash
+  ignore_above: 1024
+  level: extended
+  name: icon.hash.dhash
+  normalize: []
+  original_fieldset: pe
+  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+  type: keyword
 dll.pe.imphash:
   dashed_name: dll-pe-imphash
   description: 'A hash of the imports in a PE file. An imphash -- or import hash --
@@ -1455,6 +1610,30 @@ dll.pe.imphash:
   original_fieldset: pe
   short: A hash of the imports in a PE file.
   type: keyword
+dll.pe.imports:
+  dashed_name: dll-pe-imports
+  description: List of all imported functions
+  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+    }'
+  flat_name: dll.pe.imports
+  level: extended
+  name: imports
+  normalize: []
+  original_fieldset: pe
+  short: List of all imported functions
+  type: flattened
+dll.pe.machine_type:
+  dashed_name: dll-pe-machine-type
+  description: Machine type of the PE file.
+  example: Intel 386 or later, and compatibles
+  flat_name: dll.pe.machine_type
+  ignore_above: 1024
+  level: extended
+  name: machine_type
+  normalize: []
+  original_fieldset: pe
+  short: Machine type of the PE file.
+  type: keyword
 dll.pe.original_file_name:
   dashed_name: dll-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
@@ -1466,6 +1645,19 @@ dll.pe.original_file_name:
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
   type: wildcard
+dll.pe.packers:
+  dashed_name: dll-pe-packers
+  description: List of packers and tools used.
+  example: '["ASPack v2.12", ".NET executable"]'
+  flat_name: dll.pe.packers
+  ignore_above: 1024
+  level: extended
+  name: packers
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of packers and tools used.
+  type: keyword
 dll.pe.product:
   dashed_name: dll-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -1478,6 +1670,181 @@ dll.pe.product:
   original_fieldset: pe
   short: Internal product name of the file, provided at compile-time.
   type: keyword
+dll.pe.resources:
+  dashed_name: dll-pe-resources
+  description: If the PE contains resources, some info about them
+  flat_name: dll.pe.resources
+  level: extended
+  name: resources
+  normalize:
+  - array
+  original_fieldset: pe
+  short: If the PE contains resources, some info about them
+  type: nested
+dll.pe.resources.chi2:
+  dashed_name: dll-pe-resources-chi2
+  description: Chi-square probability distribution.
+  example: -1
+  flat_name: dll.pe.resources.chi2
+  level: extended
+  name: resources.chi2
+  normalize: []
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+dll.pe.resources.entropy:
+  dashed_name: dll-pe-resources-entropy
+  description: Measurement of entropy randomness in the resources section.
+  example: 0, 1
+  flat_name: dll.pe.resources.entropy
+  level: extended
+  name: resources.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the resources section.
+  type: long
+dll.pe.resources.filetype:
+  dashed_name: dll-pe-resources-filetype
+  description: File type of the resources section.
+  example: Data
+  flat_name: dll.pe.resources.filetype
+  ignore_above: 1024
+  level: extended
+  name: resources.filetype
+  normalize: []
+  original_fieldset: pe
+  short: File type of the resources section.
+  type: keyword
+dll.pe.resources.language:
+  dashed_name: dll-pe-resources-language
+  description: Language identification.
+  example: CHINESE SIMPLIFIED
+  flat_name: dll.pe.resources.language
+  ignore_above: 1024
+  level: extended
+  name: resources.language
+  normalize: []
+  original_fieldset: pe
+  short: Language identification.
+  type: keyword
+dll.pe.resources.sha256:
+  dashed_name: dll-pe-resources-sha256
+  description: SHA256 hash of resources section.
+  example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+  flat_name: dll.pe.resources.sha256
+  ignore_above: 1024
+  level: extended
+  name: resources.sha256
+  normalize: []
+  original_fieldset: pe
+  short: SHA256 hash of resources section.
+  type: keyword
+dll.pe.resources.type:
+  dashed_name: dll-pe-resources-type
+  description: Digest of resource types.
+  example: '["RT_VERSION", "RT_MANIFEST"]'
+  flat_name: dll.pe.resources.type
+  ignore_above: 1024
+  level: extended
+  name: resources.type
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of resource types.
+  type: keyword
+dll.pe.rich_header.hash.md5:
+  dashed_name: dll-pe-rich-header-hash-md5
+  description: MD5 hash of the header for the PE file.
+  example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+  flat_name: dll.pe.rich_header.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: rich_header.hash.md5
+  normalize: []
+  original_fieldset: pe
+  short: MD5 hash of the header for the PE file.
+  type: keyword
+dll.pe.sections:
+  dashed_name: dll-pe-sections
+  description: Data about sections of compiled binary PE
+  flat_name: dll.pe.sections
+  level: extended
+  name: sections
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Data about sections of the compiled binary PE
+  type: nested
+dll.pe.sections.chi2:
+  dashed_name: dll-pe-sections-chi2
+  description: Chi-square probability distribution.
+  example: 3027194
+  flat_name: dll.pe.sections.chi2
+  level: extended
+  name: sections.chi2
+  normalize: []
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+dll.pe.sections.entropy:
+  dashed_name: dll-pe-sections-entropy
+  description: Measurement of entropy randomness in the file.
+  example: 6.24
+  flat_name: dll.pe.sections.entropy
+  level: extended
+  name: sections.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the file.
+  type: float
+dll.pe.sections.flags:
+  dashed_name: dll-pe-sections-flags
+  description: Section flags of the file.
+  example: rx
+  flat_name: dll.pe.sections.flags
+  ignore_above: 1024
+  level: extended
+  name: sections.flags
+  normalize: []
+  original_fieldset: pe
+  short: Section flags of the file.
+  type: keyword
+dll.pe.sections.name:
+  dashed_name: dll-pe-sections-name
+  description: Section names of the file.
+  example: .text, .data
+  flat_name: dll.pe.sections.name
+  ignore_above: 1024
+  level: extended
+  name: sections.name
+  normalize: []
+  original_fieldset: pe
+  short: Section names of the file.
+  type: keyword
+dll.pe.sections.raw_size:
+  dashed_name: dll-pe-sections-raw-size
+  description: Size of the section or the dize of the initialized data on disk.
+  example: 198144
+  flat_name: dll.pe.sections.raw_size
+  format: bytes
+  level: extended
+  name: sections.raw_size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the section or the dize of the initialized data on disk.
+  type: long
+dll.pe.sections.virtual_address:
+  dashed_name: dll-pe-sections-virtual-address
+  description: Virtual address available to the file.
+  example: 8192
+  flat_name: dll.pe.sections.virtual_address
+  format: bytes
+  level: extended
+  name: sections.virtual_address
+  normalize: []
+  original_fieldset: pe
+  short: Virtual address available to the file.
+  type: long
 dns.answers:
   dashed_name: dns-answers
   description: 'An array containing an object for each answer section returned by
@@ -2884,6 +3251,18 @@ file.pe.architecture:
   original_fieldset: pe
   short: CPU architecture target for the file.
   type: keyword
+file.pe.authentihash:
+  dashed_name: file-pe-authentihash
+  description: Authentihash of the PE file.
+  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+  flat_name: file.pe.authentihash
+  ignore_above: 1024
+  level: extended
+  name: authentihash
+  normalize: []
+  original_fieldset: pe
+  short: Authentihash of the PE file.
+  type: keyword
 file.pe.company:
   dashed_name: file-pe-company
   description: Internal company name of the file, provided at compile-time.
@@ -2896,6 +3275,111 @@ file.pe.company:
   original_fieldset: pe
   short: Internal company name of the file, provided at compile-time.
   type: keyword
+file.pe.compile_timestamp:
+  dashed_name: file-pe-compile-timestamp
+  description: Compile timestamp of the PE file.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: file.pe.compile_timestamp
+  level: extended
+  name: compile_timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Compile timestamp of the PE file.
+  type: date
+file.pe.compiler.name:
+  dashed_name: file-pe-compiler-name
+  description: Name of the compiler
+  example: Clang
+  flat_name: file.pe.compiler.name
+  ignore_above: 1024
+  level: extended
+  name: compiler.name
+  normalize: []
+  original_fieldset: pe
+  short: Name of the compiler
+  type: keyword
+file.pe.compiler.version:
+  dashed_name: file-pe-compiler-version
+  description: Version of the compiler.
+  example: 11.0.0
+  flat_name: file.pe.compiler.version
+  ignore_above: 1024
+  level: extended
+  name: compiler.version
+  normalize: []
+  original_fieldset: pe
+  short: Version of the compiler.
+  type: keyword
+file.pe.creation_date:
+  dashed_name: file-pe-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: file.pe.creation_date
+  level: extended
+  name: creation_date
+  normalize: []
+  original_fieldset: pe
+  short: Build or compile date.
+  type: date
+file.pe.debug:
+  dashed_name: file-pe-debug
+  description: Debug information, if present
+  flat_name: file.pe.debug
+  level: extended
+  name: debug
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Debug information
+  type: nested
+file.pe.debug.offset:
+  dashed_name: file-pe-debug-offset
+  description: Debug offset information.
+  example: 1296336
+  flat_name: file.pe.debug.offset
+  ignore_above: 1024
+  level: extended
+  name: debug.offset
+  normalize: []
+  original_fieldset: pe
+  short: Debug offset information.
+  type: keyword
+file.pe.debug.size:
+  dashed_name: file-pe-debug-size
+  description: Size of the debug information.
+  example: 816
+  flat_name: file.pe.debug.size
+  format: bytes
+  level: extended
+  name: debug.size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the debug information.
+  type: long
+file.pe.debug.timestamp:
+  dashed_name: file-pe-debug-timestamp
+  description: Timestamp of the debug information.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: file.pe.debug.timestamp
+  level: extended
+  name: debug.timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Timestamp of the debug information.
+  type: date
+file.pe.debug.type:
+  dashed_name: file-pe-debug-type
+  description: Information type generated by the debug options.
+  example: IMAGE_DEBUG_TYPE_POGO
+  flat_name: file.pe.debug.type
+  ignore_above: 1024
+  level: extended
+  name: debug.type
+  normalize: []
+  original_fieldset: pe
+  short: Information type generated by the debug options.
+  type: keyword
 file.pe.description:
   dashed_name: file-pe-description
   description: Internal description of the file, provided at compile-time.
@@ -2908,6 +3392,31 @@ file.pe.description:
   original_fieldset: pe
   short: Internal description of the file, provided at compile-time.
   type: keyword
+file.pe.entry_point:
+  dashed_name: file-pe-entry-point
+  description: Relative byte offset to the base of the PE file.
+  example: 25856
+  flat_name: file.pe.entry_point
+  ignore_above: 1024
+  level: extended
+  name: entry_point
+  normalize: []
+  original_fieldset: pe
+  short: Relative byte offset to the base of the PE file.
+  type: keyword
+file.pe.exports:
+  dashed_name: file-pe-exports
+  description: List of symbols exported by PE
+  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+  flat_name: file.pe.exports
+  ignore_above: 1024
+  level: extended
+  name: exports
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of symbols exported by PE
+  type: keyword
 file.pe.file_version:
   dashed_name: file-pe-file-version
   description: Internal version of the file, provided at compile-time.
@@ -2920,6 +3429,19 @@ file.pe.file_version:
   original_fieldset: pe
   short: Process name.
   type: keyword
+file.pe.icon.hash.dhash:
+  dashed_name: file-pe-icon-hash-dhash
+  description: Difference Hash (dhash) to find files with a visually similar icon
+    or thumbnail.
+  example: b806e17c8e330d82
+  flat_name: file.pe.icon.hash.dhash
+  ignore_above: 1024
+  level: extended
+  name: icon.hash.dhash
+  normalize: []
+  original_fieldset: pe
+  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+  type: keyword
 file.pe.imphash:
   dashed_name: file-pe-imphash
   description: 'A hash of the imports in a PE file. An imphash -- or import hash --
@@ -2936,6 +3458,30 @@ file.pe.imphash:
   original_fieldset: pe
   short: A hash of the imports in a PE file.
   type: keyword
+file.pe.imports:
+  dashed_name: file-pe-imports
+  description: List of all imported functions
+  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+    }'
+  flat_name: file.pe.imports
+  level: extended
+  name: imports
+  normalize: []
+  original_fieldset: pe
+  short: List of all imported functions
+  type: flattened
+file.pe.machine_type:
+  dashed_name: file-pe-machine-type
+  description: Machine type of the PE file.
+  example: Intel 386 or later, and compatibles
+  flat_name: file.pe.machine_type
+  ignore_above: 1024
+  level: extended
+  name: machine_type
+  normalize: []
+  original_fieldset: pe
+  short: Machine type of the PE file.
+  type: keyword
 file.pe.original_file_name:
   dashed_name: file-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
@@ -2947,6 +3493,19 @@ file.pe.original_file_name:
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
   type: wildcard
+file.pe.packers:
+  dashed_name: file-pe-packers
+  description: List of packers and tools used.
+  example: '["ASPack v2.12", ".NET executable"]'
+  flat_name: file.pe.packers
+  ignore_above: 1024
+  level: extended
+  name: packers
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of packers and tools used.
+  type: keyword
 file.pe.product:
   dashed_name: file-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -2959,40 +3518,215 @@ file.pe.product:
   original_fieldset: pe
   short: Internal product name of the file, provided at compile-time.
   type: keyword
-file.size:
-  dashed_name: file-size
-  description: 'File size in bytes.
-
-    Only relevant when `file.type` is "file".'
-  example: 16384
-  flat_name: file.size
+file.pe.resources:
+  dashed_name: file-pe-resources
+  description: If the PE contains resources, some info about them
+  flat_name: file.pe.resources
   level: extended
-  name: size
+  name: resources
+  normalize:
+  - array
+  original_fieldset: pe
+  short: If the PE contains resources, some info about them
+  type: nested
+file.pe.resources.chi2:
+  dashed_name: file-pe-resources-chi2
+  description: Chi-square probability distribution.
+  example: -1
+  flat_name: file.pe.resources.chi2
+  level: extended
+  name: resources.chi2
   normalize: []
-  short: File size in bytes.
+  original_fieldset: pe
+  short: Chi-square probability distribution.
   type: long
-file.target_path:
-  dashed_name: file-target-path
-  description: Target path for symlinks.
-  flat_name: file.target_path
+file.pe.resources.entropy:
+  dashed_name: file-pe-resources-entropy
+  description: Measurement of entropy randomness in the resources section.
+  example: 0, 1
+  flat_name: file.pe.resources.entropy
   level: extended
-  multi_fields:
-  - flat_name: file.target_path.text
-    name: text
-    norms: false
-    type: text
-  name: target_path
+  name: resources.entropy
   normalize: []
-  short: Target path for symlinks.
-  type: wildcard
-file.type:
-  dashed_name: file-type
-  description: File type (file, dir, or symlink).
-  example: file
-  flat_name: file.type
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the resources section.
+  type: long
+file.pe.resources.filetype:
+  dashed_name: file-pe-resources-filetype
+  description: File type of the resources section.
+  example: Data
+  flat_name: file.pe.resources.filetype
   ignore_above: 1024
   level: extended
-  name: type
+  name: resources.filetype
+  normalize: []
+  original_fieldset: pe
+  short: File type of the resources section.
+  type: keyword
+file.pe.resources.language:
+  dashed_name: file-pe-resources-language
+  description: Language identification.
+  example: CHINESE SIMPLIFIED
+  flat_name: file.pe.resources.language
+  ignore_above: 1024
+  level: extended
+  name: resources.language
+  normalize: []
+  original_fieldset: pe
+  short: Language identification.
+  type: keyword
+file.pe.resources.sha256:
+  dashed_name: file-pe-resources-sha256
+  description: SHA256 hash of resources section.
+  example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+  flat_name: file.pe.resources.sha256
+  ignore_above: 1024
+  level: extended
+  name: resources.sha256
+  normalize: []
+  original_fieldset: pe
+  short: SHA256 hash of resources section.
+  type: keyword
+file.pe.resources.type:
+  dashed_name: file-pe-resources-type
+  description: Digest of resource types.
+  example: '["RT_VERSION", "RT_MANIFEST"]'
+  flat_name: file.pe.resources.type
+  ignore_above: 1024
+  level: extended
+  name: resources.type
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of resource types.
+  type: keyword
+file.pe.rich_header.hash.md5:
+  dashed_name: file-pe-rich-header-hash-md5
+  description: MD5 hash of the header for the PE file.
+  example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+  flat_name: file.pe.rich_header.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: rich_header.hash.md5
+  normalize: []
+  original_fieldset: pe
+  short: MD5 hash of the header for the PE file.
+  type: keyword
+file.pe.sections:
+  dashed_name: file-pe-sections
+  description: Data about sections of compiled binary PE
+  flat_name: file.pe.sections
+  level: extended
+  name: sections
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Data about sections of the compiled binary PE
+  type: nested
+file.pe.sections.chi2:
+  dashed_name: file-pe-sections-chi2
+  description: Chi-square probability distribution.
+  example: 3027194
+  flat_name: file.pe.sections.chi2
+  level: extended
+  name: sections.chi2
+  normalize: []
+  original_fieldset: pe
+  short: Chi-square probability distribution.
+  type: long
+file.pe.sections.entropy:
+  dashed_name: file-pe-sections-entropy
+  description: Measurement of entropy randomness in the file.
+  example: 6.24
+  flat_name: file.pe.sections.entropy
+  level: extended
+  name: sections.entropy
+  normalize: []
+  original_fieldset: pe
+  short: Measurement of entropy randomness in the file.
+  type: float
+file.pe.sections.flags:
+  dashed_name: file-pe-sections-flags
+  description: Section flags of the file.
+  example: rx
+  flat_name: file.pe.sections.flags
+  ignore_above: 1024
+  level: extended
+  name: sections.flags
+  normalize: []
+  original_fieldset: pe
+  short: Section flags of the file.
+  type: keyword
+file.pe.sections.name:
+  dashed_name: file-pe-sections-name
+  description: Section names of the file.
+  example: .text, .data
+  flat_name: file.pe.sections.name
+  ignore_above: 1024
+  level: extended
+  name: sections.name
+  normalize: []
+  original_fieldset: pe
+  short: Section names of the file.
+  type: keyword
+file.pe.sections.raw_size:
+  dashed_name: file-pe-sections-raw-size
+  description: Size of the section or the dize of the initialized data on disk.
+  example: 198144
+  flat_name: file.pe.sections.raw_size
+  format: bytes
+  level: extended
+  name: sections.raw_size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the section or the dize of the initialized data on disk.
+  type: long
+file.pe.sections.virtual_address:
+  dashed_name: file-pe-sections-virtual-address
+  description: Virtual address available to the file.
+  example: 8192
+  flat_name: file.pe.sections.virtual_address
+  format: bytes
+  level: extended
+  name: sections.virtual_address
+  normalize: []
+  original_fieldset: pe
+  short: Virtual address available to the file.
+  type: long
+file.size:
+  dashed_name: file-size
+  description: 'File size in bytes.
+
+    Only relevant when `file.type` is "file".'
+  example: 16384
+  flat_name: file.size
+  level: extended
+  name: size
+  normalize: []
+  short: File size in bytes.
+  type: long
+file.target_path:
+  dashed_name: file-target-path
+  description: Target path for symlinks.
+  flat_name: file.target_path
+  level: extended
+  multi_fields:
+  - flat_name: file.target_path.text
+    name: text
+    norms: false
+    type: text
+  name: target_path
+  normalize: []
+  short: Target path for symlinks.
+  type: wildcard
+file.type:
+  dashed_name: file-type
+  description: File type (file, dir, or symlink).
+  example: file
+  flat_name: file.type
+  ignore_above: 1024
+  level: extended
+  name: type
   normalize: []
   short: File type (file, dir, or symlink).
   type: keyword
@@ -5682,6 +6416,18 @@ process.parent.pe.architecture:
   original_fieldset: pe
   short: CPU architecture target for the file.
   type: keyword
+process.parent.pe.authentihash:
+  dashed_name: process-parent-pe-authentihash
+  description: Authentihash of the PE file.
+  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+  flat_name: process.parent.pe.authentihash
+  ignore_above: 1024
+  level: extended
+  name: authentihash
+  normalize: []
+  original_fieldset: pe
+  short: Authentihash of the PE file.
+  type: keyword
 process.parent.pe.company:
   dashed_name: process-parent-pe-company
   description: Internal company name of the file, provided at compile-time.
@@ -5694,6 +6440,111 @@ process.parent.pe.company:
   original_fieldset: pe
   short: Internal company name of the file, provided at compile-time.
   type: keyword
+process.parent.pe.compile_timestamp:
+  dashed_name: process-parent-pe-compile-timestamp
+  description: Compile timestamp of the PE file.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: process.parent.pe.compile_timestamp
+  level: extended
+  name: compile_timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Compile timestamp of the PE file.
+  type: date
+process.parent.pe.compiler.name:
+  dashed_name: process-parent-pe-compiler-name
+  description: Name of the compiler
+  example: Clang
+  flat_name: process.parent.pe.compiler.name
+  ignore_above: 1024
+  level: extended
+  name: compiler.name
+  normalize: []
+  original_fieldset: pe
+  short: Name of the compiler
+  type: keyword
+process.parent.pe.compiler.version:
+  dashed_name: process-parent-pe-compiler-version
+  description: Version of the compiler.
+  example: 11.0.0
+  flat_name: process.parent.pe.compiler.version
+  ignore_above: 1024
+  level: extended
+  name: compiler.version
+  normalize: []
+  original_fieldset: pe
+  short: Version of the compiler.
+  type: keyword
+process.parent.pe.creation_date:
+  dashed_name: process-parent-pe-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: process.parent.pe.creation_date
+  level: extended
+  name: creation_date
+  normalize: []
+  original_fieldset: pe
+  short: Build or compile date.
+  type: date
+process.parent.pe.debug:
+  dashed_name: process-parent-pe-debug
+  description: Debug information, if present
+  flat_name: process.parent.pe.debug
+  level: extended
+  name: debug
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Debug information
+  type: nested
+process.parent.pe.debug.offset:
+  dashed_name: process-parent-pe-debug-offset
+  description: Debug offset information.
+  example: 1296336
+  flat_name: process.parent.pe.debug.offset
+  ignore_above: 1024
+  level: extended
+  name: debug.offset
+  normalize: []
+  original_fieldset: pe
+  short: Debug offset information.
+  type: keyword
+process.parent.pe.debug.size:
+  dashed_name: process-parent-pe-debug-size
+  description: Size of the debug information.
+  example: 816
+  flat_name: process.parent.pe.debug.size
+  format: bytes
+  level: extended
+  name: debug.size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the debug information.
+  type: long
+process.parent.pe.debug.timestamp:
+  dashed_name: process-parent-pe-debug-timestamp
+  description: Timestamp of the debug information.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: process.parent.pe.debug.timestamp
+  level: extended
+  name: debug.timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Timestamp of the debug information.
+  type: date
+process.parent.pe.debug.type:
+  dashed_name: process-parent-pe-debug-type
+  description: Information type generated by the debug options.
+  example: IMAGE_DEBUG_TYPE_POGO
+  flat_name: process.parent.pe.debug.type
+  ignore_above: 1024
+  level: extended
+  name: debug.type
+  normalize: []
+  original_fieldset: pe
+  short: Information type generated by the debug options.
+  type: keyword
 process.parent.pe.description:
   dashed_name: process-parent-pe-description
   description: Internal description of the file, provided at compile-time.
@@ -5706,6 +6557,31 @@ process.parent.pe.description:
   original_fieldset: pe
   short: Internal description of the file, provided at compile-time.
   type: keyword
+process.parent.pe.entry_point:
+  dashed_name: process-parent-pe-entry-point
+  description: Relative byte offset to the base of the PE file.
+  example: 25856
+  flat_name: process.parent.pe.entry_point
+  ignore_above: 1024
+  level: extended
+  name: entry_point
+  normalize: []
+  original_fieldset: pe
+  short: Relative byte offset to the base of the PE file.
+  type: keyword
+process.parent.pe.exports:
+  dashed_name: process-parent-pe-exports
+  description: List of symbols exported by PE
+  example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+  flat_name: process.parent.pe.exports
+  ignore_above: 1024
+  level: extended
+  name: exports
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of symbols exported by PE
+  type: keyword
 process.parent.pe.file_version:
   dashed_name: process-parent-pe-file-version
   description: Internal version of the file, provided at compile-time.
@@ -5718,6 +6594,19 @@ process.parent.pe.file_version:
   original_fieldset: pe
   short: Process name.
   type: keyword
+process.parent.pe.icon.hash.dhash:
+  dashed_name: process-parent-pe-icon-hash-dhash
+  description: Difference Hash (dhash) to find files with a visually similar icon
+    or thumbnail.
+  example: b806e17c8e330d82
+  flat_name: process.parent.pe.icon.hash.dhash
+  ignore_above: 1024
+  level: extended
+  name: icon.hash.dhash
+  normalize: []
+  original_fieldset: pe
+  short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+  type: keyword
 process.parent.pe.imphash:
   dashed_name: process-parent-pe-imphash
   description: 'A hash of the imports in a PE file. An imphash -- or import hash --
@@ -5734,6 +6623,30 @@ process.parent.pe.imphash:
   original_fieldset: pe
   short: A hash of the imports in a PE file.
   type: keyword
+process.parent.pe.imports:
+  dashed_name: process-parent-pe-imports
+  description: List of all imported functions
+  example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+    }'
+  flat_name: process.parent.pe.imports
+  level: extended
+  name: imports
+  normalize: []
+  original_fieldset: pe
+  short: List of all imported functions
+  type: flattened
+process.parent.pe.machine_type:
+  dashed_name: process-parent-pe-machine-type
+  description: Machine type of the PE file.
+  example: Intel 386 or later, and compatibles
+  flat_name: process.parent.pe.machine_type
+  ignore_above: 1024
+  level: extended
+  name: machine_type
+  normalize: []
+  original_fieldset: pe
+  short: Machine type of the PE file.
+  type: keyword
 process.parent.pe.original_file_name:
   dashed_name: process-parent-pe-original-file-name
   description: Internal name of the file, provided at compile-time.
@@ -5745,6 +6658,19 @@ process.parent.pe.original_file_name:
   original_fieldset: pe
   short: Internal name of the file, provided at compile-time.
   type: wildcard
+process.parent.pe.packers:
+  dashed_name: process-parent-pe-packers
+  description: List of packers and tools used.
+  example: '["ASPack v2.12", ".NET executable"]'
+  flat_name: process.parent.pe.packers
+  ignore_above: 1024
+  level: extended
+  name: packers
+  normalize:
+  - array
+  original_fieldset: pe
+  short: List of packers and tools used.
+  type: keyword
 process.parent.pe.product:
   dashed_name: process-parent-pe-product
   description: Internal product name of the file, provided at compile-time.
@@ -5757,6 +6683,181 @@ process.parent.pe.product:
 original_fieldset: pe
 short: Internal product name of the file, provided at compile-time.
 type: keyword
+process.parent.pe.resources:
+ dashed_name: process-parent-pe-resources
+ description: If the PE contains resources, some info about them
+ flat_name: process.parent.pe.resources
+ level: extended
+ name: resources
+ normalize:
+ - array
+ original_fieldset: pe
+ short: If the PE contains resources, some info about them
+ type: nested
+process.parent.pe.resources.chi2:
+ dashed_name: process-parent-pe-resources-chi2
+ description: Chi-square probability distribution.
+ example: -1
+ flat_name: process.parent.pe.resources.chi2
+ level: extended
+ name: resources.chi2
+ normalize: []
+ original_fieldset: pe
+ short: Chi-square probability distribution.
+ type: long
+process.parent.pe.resources.entropy:
+ dashed_name: process-parent-pe-resources-entropy
+ description: Measurement of entropy randomness in the resources section.
+ example: 0, 1
+ flat_name: process.parent.pe.resources.entropy
+ level: extended
+ name: resources.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Measurement of entropy randomness in the resources section.
+ type: long
+process.parent.pe.resources.filetype:
+ dashed_name: process-parent-pe-resources-filetype
+ description: File type of the resources section.
+ example: Data
+ flat_name: process.parent.pe.resources.filetype
+ ignore_above: 1024
+ level: extended
+ name: resources.filetype
+ normalize: []
+ original_fieldset: pe
+ short: File type of the resources section.
+ type: keyword
+process.parent.pe.resources.language:
+ dashed_name: process-parent-pe-resources-language
+ description: Language identification.
+ example: CHINESE SIMPLIFIED
+ flat_name: process.parent.pe.resources.language
+ ignore_above: 1024
+ level: extended
+ name: resources.language
+ normalize: []
+ original_fieldset: pe
+ short: Language identification.
+ type: keyword
+process.parent.pe.resources.sha256:
+ dashed_name: process-parent-pe-resources-sha256
+ description: SHA256 hash of resources section.
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ flat_name: process.parent.pe.resources.sha256
+ ignore_above: 1024
+ level: extended
+ name: resources.sha256
+ normalize: []
+ original_fieldset: pe
+ short: SHA256 hash of resources section.
+ type: keyword
+process.parent.pe.resources.type:
+ dashed_name: process-parent-pe-resources-type
+ description: Digest of resource types.
+ example: '["RT_VERSION", "RT_MANIFEST"]'
+ flat_name: process.parent.pe.resources.type
+ ignore_above: 1024
+ level: extended
+ name: resources.type
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of resource types.
+ type: keyword
+process.parent.pe.rich_header.hash.md5:
+ dashed_name: process-parent-pe-rich-header-hash-md5
+ description: MD5 hash of the header for the PE file.
+ example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+ flat_name: process.parent.pe.rich_header.hash.md5
+ ignore_above: 1024
+ level: extended
+ name: rich_header.hash.md5
+ normalize: []
+ original_fieldset: pe
+ short: MD5 hash of the header for the PE file.
+ type: keyword
+process.parent.pe.sections:
+ dashed_name: process-parent-pe-sections
+ description: Data about sections of compiled binary PE
+ flat_name: process.parent.pe.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Data about sections of the compiled binary PE
+ type: nested
+process.parent.pe.sections.chi2:
+ dashed_name: process-parent-pe-sections-chi2
+ description: Chi-square probability distribution.
+ example: 3027194
+ flat_name: process.parent.pe.sections.chi2
+ level: extended
+ name: sections.chi2
+ normalize: []
+ original_fieldset: pe
+ short: Chi-square probability distribution.
+ type: long
+process.parent.pe.sections.entropy:
+ dashed_name: process-parent-pe-sections-entropy
+ description: Measurement of entropy randomness in the file.
+ example: 6.24
+ flat_name: process.parent.pe.sections.entropy
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Measurement of entropy randomness in the file.
+ type: float
+process.parent.pe.sections.flags:
+ dashed_name: process-parent-pe-sections-flags
+ description: Section flags of the file.
+ example: rx
+ flat_name: process.parent.pe.sections.flags
+ ignore_above: 1024
+ level: extended
+ name: sections.flags
+ normalize: []
+ original_fieldset: pe
+ short: Section flags of the file.
+ type: keyword
+process.parent.pe.sections.name:
+ dashed_name: process-parent-pe-sections-name
+ description: Section names of the file.
+ example: .text, .data
+ flat_name: process.parent.pe.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: pe
+ short: Section names of the file.
+ type: keyword
+process.parent.pe.sections.raw_size:
+ dashed_name: process-parent-pe-sections-raw-size
+ description: Size of the section or the dize of the initialized data on disk.
+ example: 198144
+ flat_name: process.parent.pe.sections.raw_size
+ format: bytes
+ level: extended
+ name: sections.raw_size
+ normalize: []
+ original_fieldset: pe
+ short: Size of the section or the dize of the initialized data on disk.
+ type: long
+process.parent.pe.sections.virtual_address:
+ dashed_name: process-parent-pe-sections-virtual-address
+ description: Virtual address available to the file.
+ example: 8192
+ flat_name: process.parent.pe.sections.virtual_address
+ format: bytes
+ level: extended
+ name: sections.virtual_address
+ normalize: []
+ original_fieldset: pe
+ short: Virtual address available to the file.
+ type: long
 process.parent.pgid:
 dashed_name: process-parent-pgid
 description: Identifier of the group of processes the process belongs to.
@@ -5883,6 +6984,18 @@ process.pe.architecture:
 original_fieldset: pe
 short: CPU architecture target for the file.
 type: keyword
+process.pe.authentihash:
+ dashed_name: process-pe-authentihash
+ description: Authentihash of the PE file.
+ example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+ flat_name: process.pe.authentihash
+ ignore_above: 1024
+ level: extended
+ name: authentihash
+ normalize: []
+ original_fieldset: pe
+ short: Authentihash of the PE file.
+ type: keyword
 process.pe.company:
 dashed_name: process-pe-company
 description: Internal company name of the file, provided at compile-time.
@@ -5895,6 +7008,111 @@ process.pe.company:
 original_fieldset: pe
 short: Internal company name of the file, provided at compile-time.
 type: keyword
+process.pe.compile_timestamp:
+ dashed_name: process-pe-compile-timestamp
+ description: Compile timestamp of the PE file.
+ example: '2020-11-05T17:25:47.000Z'
+ flat_name: process.pe.compile_timestamp
+ level: extended
+ name: compile_timestamp
+ normalize: []
+ original_fieldset: pe
+ short: Compile timestamp of the PE file.
+ type: date
+process.pe.compiler.name:
+ dashed_name: process-pe-compiler-name
+ description: Name of the compiler
+ example: Clang
+ flat_name: process.pe.compiler.name
+ ignore_above: 1024
+ level: extended
+ name: compiler.name
+ normalize: []
+ original_fieldset: pe
+ short: Name of the compiler
+ type: keyword
+process.pe.compiler.version:
+ dashed_name: process-pe-compiler-version
+ description: Version of the compiler.
+ example: 11.0.0
+ flat_name: process.pe.compiler.version
+ ignore_above: 1024
+ level: extended
+ name: compiler.version
+ normalize: []
+ original_fieldset: pe
+ short: Version of the compiler.
+ type: keyword
+process.pe.creation_date:
+ dashed_name: process-pe-creation-date
+ description: Extracted when possible from the file's metadata. Indicates when it
+ was built or compiled. It can also be faked by malware creators.
+ example: '2020-11-05T17:25:47.000Z'
+ flat_name: process.pe.creation_date
+ level: extended
+ name: creation_date
+ normalize: []
+ original_fieldset: pe
+ short: Build or compile date.
+ type: date
+process.pe.debug:
+ dashed_name: process-pe-debug
+ description: Debug information, if present
+ flat_name: process.pe.debug
+ level: extended
+ name: debug
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Debug information
+ type: nested
+process.pe.debug.offset:
+ dashed_name: process-pe-debug-offset
+ description: Debug offset information.
+ example: 1296336
+ flat_name: process.pe.debug.offset
+ ignore_above: 1024
+ level: extended
+ name: debug.offset
+ normalize: []
+ original_fieldset: pe
+ short: Debug offset information.
+ type: keyword
+process.pe.debug.size:
+ dashed_name: process-pe-debug-size
+ description: Size of the debug information.
+ example: 816
+ flat_name: process.pe.debug.size
+ format: bytes
+ level: extended
+ name: debug.size
+ normalize: []
+ original_fieldset: pe
+ short: Size of the debug information.
+ type: long
+process.pe.debug.timestamp:
+ dashed_name: process-pe-debug-timestamp
+ description: Timestamp of the debug information.
+ example: '2020-11-05T17:25:47.000Z'
+ flat_name: process.pe.debug.timestamp
+ level: extended
+ name: debug.timestamp
+ normalize: []
+ original_fieldset: pe
+ short: Timestamp of the debug information.
+ type: date
+process.pe.debug.type:
+ dashed_name: process-pe-debug-type
+ description: Information type generated by the debug options.
+ example: IMAGE_DEBUG_TYPE_POGO
+ flat_name: process.pe.debug.type
+ ignore_above: 1024
+ level: extended
+ name: debug.type
+ normalize: []
+ original_fieldset: pe
+ short: Information type generated by the debug options.
+ type: keyword
 process.pe.description:
 dashed_name: process-pe-description
 description: Internal description of the file, provided at compile-time.
@@ -5907,6 +7125,31 @@ process.pe.description:
 original_fieldset: pe
 short: Internal description of the file, provided at compile-time.
 type: keyword
+process.pe.entry_point:
+ dashed_name: process-pe-entry-point
+ description: Relative byte offset to the base of the PE file.
+ example: 25856
+ flat_name: process.pe.entry_point
+ ignore_above: 1024
+ level: extended
+ name: entry_point
+ normalize: []
+ original_fieldset: pe
+ short: Relative byte offset to the base of the PE file.
+ type: keyword
+process.pe.exports:
+ dashed_name: process-pe-exports
+ description: List of symbols exported by PE
+ example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+ flat_name: process.pe.exports
+ ignore_above: 1024
+ level: extended
+ name: exports
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of symbols exported by PE
+ type: keyword
 process.pe.file_version:
 dashed_name: process-pe-file-version
 description: Internal version of the file, provided at compile-time.
@@ -5919,6 +7162,19 @@ process.pe.file_version:
 original_fieldset: pe
 short: Process name.
 type: keyword
+process.pe.icon.hash.dhash:
+ dashed_name: process-pe-icon-hash-dhash
+ description: Difference Hash (dhash) to find files with a visually similar icon
+ or thumbnail.
+ example: b806e17c8e330d82
+ flat_name: process.pe.icon.hash.dhash
+ ignore_above: 1024
+ level: extended
+ name: icon.hash.dhash
+ normalize: []
+ original_fieldset: pe
+ short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+ type: keyword
 process.pe.imphash:
 dashed_name: process-pe-imphash
 description: 'A hash of the imports in a PE file. An imphash -- or import hash --
@@ -5935,6 +7191,30 @@ process.pe.imphash:
 original_fieldset: pe
 short: A hash of the imports in a PE file.
 type: keyword
+process.pe.imports:
+ dashed_name: process-pe-imports
+ description: List of all imported functions
+ example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+ }'
+ flat_name: process.pe.imports
+ level: extended
+ name: imports
+ normalize: []
+ original_fieldset: pe
+ short: List of all imported functions
+ type: flattened
+process.pe.machine_type:
+ dashed_name: process-pe-machine-type
+ description: Machine type of the PE file.
+ example: Intel 386 or later, and compatibles
+ flat_name: process.pe.machine_type
+ ignore_above: 1024
+ level: extended
+ name: machine_type
+ normalize: []
+ original_fieldset: pe
+ short: Machine type of the PE file.
+ type: keyword
 process.pe.original_file_name:
 dashed_name: process-pe-original-file-name
 description: Internal name of the file, provided at compile-time.
@@ -5946,6 +7226,19 @@ process.pe.original_file_name:
 original_fieldset: pe
 short: Internal name of the file, provided at compile-time.
 type: wildcard
+process.pe.packers:
+ dashed_name: process-pe-packers
+ description: List of packers and tools used.
+ example: '["ASPack v2.12", ".NET executable"]'
+ flat_name: process.pe.packers
+ ignore_above: 1024
+ level: extended
+ name: packers
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of packers and tools used.
+ type: keyword
 process.pe.product:
 dashed_name: process-pe-product
 description: Internal product name of the file, provided at compile-time.
@@ -5958,6 +7251,181 @@ process.pe.product:
 original_fieldset: pe
 short: Internal product name of the file, provided at compile-time.
 type: keyword
+process.pe.resources:
+ dashed_name: process-pe-resources
+ description: If the PE contains resources, some info about them
+ flat_name: process.pe.resources
+ level: extended
+ name: resources
+ normalize:
+ - array
+ original_fieldset: pe
+ short: If the PE contains resources, some info about them
+ type: nested
+process.pe.resources.chi2:
+ dashed_name: process-pe-resources-chi2
+ description: Chi-square probability distribution.
+ example: -1
+ flat_name: process.pe.resources.chi2
+ level: extended
+ name: resources.chi2
+ normalize: []
+ original_fieldset: pe
+ short: Chi-square probability distribution.
+ type: long
+process.pe.resources.entropy:
+ dashed_name: process-pe-resources-entropy
+ description: Measurement of entropy randomness in the resources section.
+ example: 0, 1
+ flat_name: process.pe.resources.entropy
+ level: extended
+ name: resources.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Measurement of entropy randomness in the resources section.
+ type: long
+process.pe.resources.filetype:
+ dashed_name: process-pe-resources-filetype
+ description: File type of the resources section.
+ example: Data
+ flat_name: process.pe.resources.filetype
+ ignore_above: 1024
+ level: extended
+ name: resources.filetype
+ normalize: []
+ original_fieldset: pe
+ short: File type of the resources section.
+ type: keyword
+process.pe.resources.language:
+ dashed_name: process-pe-resources-language
+ description: Language identification.
+ example: CHINESE SIMPLIFIED
+ flat_name: process.pe.resources.language
+ ignore_above: 1024
+ level: extended
+ name: resources.language
+ normalize: []
+ original_fieldset: pe
+ short: Language identification.
+ type: keyword
+process.pe.resources.sha256:
+ dashed_name: process-pe-resources-sha256
+ description: SHA256 hash of resources section.
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ flat_name: process.pe.resources.sha256
+ ignore_above: 1024
+ level: extended
+ name: resources.sha256
+ normalize: []
+ original_fieldset: pe
+ short: SHA256 hash of resources section.
+ type: keyword
+process.pe.resources.type:
+ dashed_name: process-pe-resources-type
+ description: Digest of resource types.
+ example: '["RT_VERSION", "RT_MANIFEST"]'
+ flat_name: process.pe.resources.type
+ ignore_above: 1024
+ level: extended
+ name: resources.type
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of resource types.
+ type: keyword
+process.pe.rich_header.hash.md5:
+ dashed_name: process-pe-rich-header-hash-md5
+ description: MD5 hash of the header for the PE file.
+ example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+ flat_name: process.pe.rich_header.hash.md5
+ ignore_above: 1024
+ level: extended
+ name: rich_header.hash.md5
+ normalize: []
+ original_fieldset: pe
+ short: MD5 hash of the header for the PE file.
+ type: keyword
+process.pe.sections:
+ dashed_name: process-pe-sections
+ description: Data about sections of compiled binary PE
+ flat_name: process.pe.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Data about sections of the compiled binary PE
+ type: nested
+process.pe.sections.chi2:
+ dashed_name: process-pe-sections-chi2
+ description: Chi-square probability distribution.
+ example: 3027194
+ flat_name: process.pe.sections.chi2
+ level: extended
+ name: sections.chi2
+ normalize: []
+ original_fieldset: pe
+ short: Chi-square probability distribution.
+ type: long
+process.pe.sections.entropy:
+ dashed_name: process-pe-sections-entropy
+ description: Measurement of entropy randomness in the file.
+ example: 6.24
+ flat_name: process.pe.sections.entropy
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Measurement of entropy randomness in the file.
+ type: float
+process.pe.sections.flags:
+ dashed_name: process-pe-sections-flags
+ description: Section flags of the file.
+ example: rx
+ flat_name: process.pe.sections.flags
+ ignore_above: 1024
+ level: extended
+ name: sections.flags
+ normalize: []
+ original_fieldset: pe
+ short: Section flags of the file.
+ type: keyword
+process.pe.sections.name:
+ dashed_name: process-pe-sections-name
+ description: Section names of the file.
+ example: .text, .data
+ flat_name: process.pe.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: pe
+ short: Section names of the file.
+ type: keyword
+process.pe.sections.raw_size:
+ dashed_name: process-pe-sections-raw-size
+ description: Size of the section or the dize of the initialized data on disk.
+ example: 198144
+ flat_name: process.pe.sections.raw_size
+ format: bytes
+ level: extended
+ name: sections.raw_size
+ normalize: []
+ original_fieldset: pe
+ short: Size of the section or the dize of the initialized data on disk.
+ type: long
+process.pe.sections.virtual_address:
+ dashed_name: process-pe-sections-virtual-address
+ description: Virtual address available to the file.
+ example: 8192
+ flat_name: process.pe.sections.virtual_address
+ format: bytes
+ level: extended
+ name: sections.virtual_address
+ normalize: []
+ original_fieldset: pe
+ short: Virtual address available to the file.
+ type: long
 process.pgid:
 dashed_name: process-pgid
 description: Identifier of the group of processes the process belongs to.
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index a0bb8d6a76..52b2aaee29 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -1749,6 +1749,18 @@ dll:
 original_fieldset: pe
 short: CPU architecture target for the file.
 type: keyword
+ dll.pe.authentihash:
+ dashed_name: dll-pe-authentihash
+ description: Authentihash of the PE file.
+ example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+ flat_name: dll.pe.authentihash
+ ignore_above: 1024
+ level: extended
+ name: authentihash
+ normalize: []
+ original_fieldset: pe
+ short: Authentihash of the PE file.
+ type: keyword
 dll.pe.company:
 dashed_name: dll-pe-company
 description: Internal company name of the file, provided at compile-time.
@@ -1761,6 +1773,111 @@ dll:
 original_fieldset: pe
 short: Internal company name of the file, provided at compile-time.
 type: keyword
+ dll.pe.compile_timestamp:
+ dashed_name: dll-pe-compile-timestamp
+ description: Compile timestamp of the PE file.
+ example: '2020-11-05T17:25:47.000Z'
+ flat_name: dll.pe.compile_timestamp
+ level: extended
+ name: compile_timestamp
+ normalize: []
+ original_fieldset: pe
+ short: Compile timestamp of the PE file.
+ type: date
+ dll.pe.compiler.name:
+ dashed_name: dll-pe-compiler-name
+ description: Name of the compiler
+ example: Clang
+ flat_name: dll.pe.compiler.name
+ ignore_above: 1024
+ level: extended
+ name: compiler.name
+ normalize: []
+ original_fieldset: pe
+ short: Name of the compiler
+ type: keyword
+ dll.pe.compiler.version:
+ dashed_name: dll-pe-compiler-version
+ description: Version of the compiler.
+ example: 11.0.0
+ flat_name: dll.pe.compiler.version
+ ignore_above: 1024
+ level: extended
+ name: compiler.version
+ normalize: []
+ original_fieldset: pe
+ short: Version of the compiler.
+ type: keyword
+ dll.pe.creation_date:
+ dashed_name: dll-pe-creation-date
+ description: Extracted when possible from the file's metadata. Indicates when
+ it was built or compiled. It can also be faked by malware creators.
+ example: '2020-11-05T17:25:47.000Z'
+ flat_name: dll.pe.creation_date
+ level: extended
+ name: creation_date
+ normalize: []
+ original_fieldset: pe
+ short: Build or compile date.
+ type: date
+ dll.pe.debug:
+ dashed_name: dll-pe-debug
+ description: Debug information, if present
+ flat_name: dll.pe.debug
+ level: extended
+ name: debug
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Debug information
+ type: nested
+ dll.pe.debug.offset:
+ dashed_name: dll-pe-debug-offset
+ description: Debug offset information.
+ example: 1296336
+ flat_name: dll.pe.debug.offset
+ ignore_above: 1024
+ level: extended
+ name: debug.offset
+ normalize: []
+ original_fieldset: pe
+ short: Debug offset information.
+ type: keyword
+ dll.pe.debug.size:
+ dashed_name: dll-pe-debug-size
+ description: Size of the debug information.
+ example: 816
+ flat_name: dll.pe.debug.size
+ format: bytes
+ level: extended
+ name: debug.size
+ normalize: []
+ original_fieldset: pe
+ short: Size of the debug information.
+ type: long
+ dll.pe.debug.timestamp:
+ dashed_name: dll-pe-debug-timestamp
+ description: Timestamp of the debug information.
+ example: '2020-11-05T17:25:47.000Z'
+ flat_name: dll.pe.debug.timestamp
+ level: extended
+ name: debug.timestamp
+ normalize: []
+ original_fieldset: pe
+ short: Timestamp of the debug information.
+ type: date
+ dll.pe.debug.type:
+ dashed_name: dll-pe-debug-type
+ description: Information type generated by the debug options.
+ example: IMAGE_DEBUG_TYPE_POGO
+ flat_name: dll.pe.debug.type
+ ignore_above: 1024
+ level: extended
+ name: debug.type
+ normalize: []
+ original_fieldset: pe
+ short: Information type generated by the debug options.
+ type: keyword
 dll.pe.description:
 dashed_name: dll-pe-description
 description: Internal description of the file, provided at compile-time.
@@ -1773,6 +1890,31 @@ dll:
 original_fieldset: pe
 short: Internal description of the file, provided at compile-time.
 type: keyword
+ dll.pe.entry_point:
+ dashed_name: dll-pe-entry-point
+ description: Relative byte offset to the base of the PE file.
+ example: 25856
+ flat_name: dll.pe.entry_point
+ ignore_above: 1024
+ level: extended
+ name: entry_point
+ normalize: []
+ original_fieldset: pe
+ short: Relative byte offset to the base of the PE file.
+ type: keyword
+ dll.pe.exports:
+ dashed_name: dll-pe-exports
+ description: List of symbols exported by PE
+ example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+ flat_name: dll.pe.exports
+ ignore_above: 1024
+ level: extended
+ name: exports
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of symbols exported by PE
+ type: keyword
 dll.pe.file_version:
 dashed_name: dll-pe-file-version
 description: Internal version of the file, provided at compile-time.
@@ -1785,6 +1927,20 @@ dll:
 original_fieldset: pe
 short: Process name.
 type: keyword
+ dll.pe.icon.hash.dhash:
+ dashed_name: dll-pe-icon-hash-dhash
+ description: Difference Hash (dhash) to find files with a visually similar icon
+ or thumbnail.
+ example: b806e17c8e330d82
+ flat_name: dll.pe.icon.hash.dhash
+ ignore_above: 1024
+ level: extended
+ name: icon.hash.dhash
+ normalize: []
+ original_fieldset: pe
+ short: Difference Hash (dhash) to find files with a visually similar icon or
+ thumbnail.
+ type: keyword
 dll.pe.imphash:
 dashed_name: dll-pe-imphash
 description: 'A hash of the imports in a PE file. An imphash -- or import hash
@@ -1801,6 +1957,30 @@ dll:
 original_fieldset: pe
 short: A hash of the imports in a PE file.
 type: keyword
+ dll.pe.imports:
+ dashed_name: dll-pe-imports
+ description: List of all imported functions
+ example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+ }'
+ flat_name: dll.pe.imports
+ level: extended
+ name: imports
+ normalize: []
+ original_fieldset: pe
+ short: List of all imported functions
+ type: flattened
+ dll.pe.machine_type:
+ dashed_name: dll-pe-machine-type
+ description: Machine type of the PE file.
+ example: Intel 386 or later, and compatibles
+ flat_name: dll.pe.machine_type
+ ignore_above: 1024
+ level: extended
+ name: machine_type
+ normalize: []
+ original_fieldset: pe
+ short: Machine type of the PE file.
+ type: keyword
 dll.pe.original_file_name:
 dashed_name: dll-pe-original-file-name
 description: Internal name of the file, provided at compile-time.
@@ -1812,6 +1992,19 @@ dll:
 original_fieldset: pe
 short: Internal name of the file, provided at compile-time.
 type: wildcard
+ dll.pe.packers:
+ dashed_name: dll-pe-packers
+ description: List of packers and tools used.
+ example: '["ASPack v2.12", ".NET executable"]'
+ flat_name: dll.pe.packers
+ ignore_above: 1024
+ level: extended
+ name: packers
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of packers and tools used.
+ type: keyword
 dll.pe.product:
 dashed_name: dll-pe-product
 description: Internal product name of the file, provided at compile-time.
@@ -1824,6 +2017,181 @@ dll:
 original_fieldset: pe
 short: Internal product name of the file, provided at compile-time.
 type: keyword
+ dll.pe.resources:
+ dashed_name: dll-pe-resources
+ description: If the PE contains resources, some info about them
+ flat_name: dll.pe.resources
+ level: extended
+ name: resources
+ normalize:
+ - array
+ original_fieldset: pe
+ short: If the PE contains resources, some info about them
+ type: nested
+ dll.pe.resources.chi2:
+ dashed_name: dll-pe-resources-chi2
+ description: Chi-square probability distribution.
+ example: -1
+ flat_name: dll.pe.resources.chi2
+ level: extended
+ name: resources.chi2
+ normalize: []
+ original_fieldset: pe
+ short: Chi-square probability distribution.
+ type: long
+ dll.pe.resources.entropy:
+ dashed_name: dll-pe-resources-entropy
+ description: Measurement of entropy randomness in the resources section.
+ example: 0, 1
+ flat_name: dll.pe.resources.entropy
+ level: extended
+ name: resources.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Measurement of entropy randomness in the resources section.
+ type: long
+ dll.pe.resources.filetype:
+ dashed_name: dll-pe-resources-filetype
+ description: File type of the resources section.
+ example: Data
+ flat_name: dll.pe.resources.filetype
+ ignore_above: 1024
+ level: extended
+ name: resources.filetype
+ normalize: []
+ original_fieldset: pe
+ short: File type of the resources section.
+ type: keyword
+ dll.pe.resources.language:
+ dashed_name: dll-pe-resources-language
+ description: Language identification.
+ example: CHINESE SIMPLIFIED
+ flat_name: dll.pe.resources.language
+ ignore_above: 1024
+ level: extended
+ name: resources.language
+ normalize: []
+ original_fieldset: pe
+ short: Language identification.
+ type: keyword
+ dll.pe.resources.sha256:
+ dashed_name: dll-pe-resources-sha256
+ description: SHA256 hash of resources section.
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ flat_name: dll.pe.resources.sha256
+ ignore_above: 1024
+ level: extended
+ name: resources.sha256
+ normalize: []
+ original_fieldset: pe
+ short: SHA256 hash of resources section.
+ type: keyword
+ dll.pe.resources.type:
+ dashed_name: dll-pe-resources-type
+ description: Digest of resource types.
+ example: '["RT_VERSION", "RT_MANIFEST"]'
+ flat_name: dll.pe.resources.type
+ ignore_above: 1024
+ level: extended
+ name: resources.type
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of resource types.
+ type: keyword
+ dll.pe.rich_header.hash.md5:
+ dashed_name: dll-pe-rich-header-hash-md5
+ description: MD5 hash of the header for the PE file.
+ example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+ flat_name: dll.pe.rich_header.hash.md5
+ ignore_above: 1024
+ level: extended
+ name: rich_header.hash.md5
+ normalize: []
+ original_fieldset: pe
+ short: MD5 hash of the header for the PE file.
+ type: keyword
+ dll.pe.sections:
+ dashed_name: dll-pe-sections
+ description: Data about sections of compiled binary PE
+ flat_name: dll.pe.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Data about sections of the compiled binary PE
+ type: nested
+ dll.pe.sections.chi2:
+ dashed_name: dll-pe-sections-chi2
+ description: Chi-square probability distribution.
+ example: 3027194
+ flat_name: dll.pe.sections.chi2
+ level: extended
+ name: sections.chi2
+ normalize: []
+ original_fieldset: pe
+ short: Chi-square probability distribution.
+ type: long
+ dll.pe.sections.entropy:
+ dashed_name: dll-pe-sections-entropy
+ description: Measurement of entropy randomness in the file.
+ example: 6.24
+ flat_name: dll.pe.sections.entropy
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Measurement of entropy randomness in the file.
+ type: float
+ dll.pe.sections.flags:
+ dashed_name: dll-pe-sections-flags
+ description: Section flags of the file.
+ example: rx
+ flat_name: dll.pe.sections.flags
+ ignore_above: 1024
+ level: extended
+ name: sections.flags
+ normalize: []
+ original_fieldset: pe
+ short: Section flags of the file.
+ type: keyword
+ dll.pe.sections.name:
+ dashed_name: dll-pe-sections-name
+ description: Section names of the file.
+ example: .text, .data
+ flat_name: dll.pe.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: pe
+ short: Section names of the file.
+ type: keyword
+ dll.pe.sections.raw_size:
+ dashed_name: dll-pe-sections-raw-size
+ description: Size of the section or the dize of the initialized data on disk.
+ example: 198144
+ flat_name: dll.pe.sections.raw_size
+ format: bytes
+ level: extended
+ name: sections.raw_size
+ normalize: []
+ original_fieldset: pe
+ short: Size of the section or the dize of the initialized data on disk.
+ type: long
+ dll.pe.sections.virtual_address:
+ dashed_name: dll-pe-sections-virtual-address
+ description: Virtual address available to the file.
+ example: 8192
+ flat_name: dll.pe.sections.virtual_address
+ format: bytes
+ level: extended
+ name: sections.virtual_address
+ normalize: []
+ original_fieldset: pe
+ short: Virtual address available to the file.
+ type: long
 group: 2
 name: dll
 nestings:
@@ -3332,6 +3700,18 @@ file:
 original_fieldset: pe
 short: CPU architecture target for the file.
 type: keyword
+ file.pe.authentihash:
+ dashed_name: file-pe-authentihash
+ description: Authentihash of the PE file.
+ example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+ flat_name: file.pe.authentihash
+ ignore_above: 1024
+ level: extended
+ name: authentihash
+ normalize: []
+ original_fieldset: pe
+ short: Authentihash of the PE file.
+ type: keyword
 file.pe.company:
 dashed_name: file-pe-company
 description: Internal company name of the file, provided at compile-time.
@@ -3344,6 +3724,111 @@ file: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword + file.pe.compile_timestamp: + dashed_name: file-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + file.pe.compiler.name: + dashed_name: file-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: file.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + file.pe.compiler.version: + dashed_name: file-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: file.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + file.pe.creation_date: + dashed_name: file-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + file.pe.debug: + dashed_name: file-pe-debug + description: Debug information, if present + flat_name: file.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + file.pe.debug.offset: + dashed_name: file-pe-debug-offset + description: Debug offset information. 
+ example: 1296336 + flat_name: file.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + file.pe.debug.size: + dashed_name: file-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: file.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + file.pe.debug.timestamp: + dashed_name: file-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + file.pe.debug.type: + dashed_name: file-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: file.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword file.pe.description: dashed_name: file-pe-description description: Internal description of the file, provided at compile-time. 
@@ -3356,6 +3841,31 @@ file: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword + file.pe.entry_point: + dashed_name: file-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: file.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + file.pe.exports: + dashed_name: file-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: file.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword file.pe.file_version: dashed_name: file-pe-file-version description: Internal version of the file, provided at compile-time. @@ -3368,6 +3878,20 @@ file: original_fieldset: pe short: Process name. type: keyword + file.pe.icon.hash.dhash: + dashed_name: file-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: file.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword file.pe.imphash: dashed_name: file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -3384,6 +3908,30 @@ file: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + file.pe.imports: + dashed_name: file-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: file.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + file.pe.machine_type: + dashed_name: file-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: file.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword file.pe.original_file_name: dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -3395,6 +3943,19 @@ file: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard + file.pe.packers: + dashed_name: file-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: file.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -3407,40 +3968,215 @@ file: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - file.size: - dashed_name: file-size - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: file.size + file.pe.resources: + dashed_name: file-pe-resources + description: If the PE contains resources, some info about them + flat_name: file.pe.resources level: extended - name: size + name: resources + normalize: + - array + original_fieldset: pe + short: If the PE contains resources, some info about them + type: nested + file.pe.resources.chi2: + dashed_name: file-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: file.pe.resources.chi2 + level: extended + name: resources.chi2 normalize: [] - short: File size in bytes. + original_fieldset: pe + short: Chi-square probability distribution. type: long - file.target_path: - dashed_name: file-target-path - description: Target path for symlinks. - flat_name: file.target_path + file.pe.resources.entropy: + dashed_name: file-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: file.pe.resources.entropy level: extended - multi_fields: - - flat_name: file.target_path.text - name: text - norms: false - type: text - name: target_path + name: resources.entropy normalize: [] - short: Target path for symlinks. - type: wildcard - file.type: - dashed_name: file-type - description: File type (file, dir, or symlink). - example: file - flat_name: file.type + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + file.pe.resources.filetype: + dashed_name: file-pe-resources-filetype + description: File type of the resources section. 
+ example: Data + flat_name: file.pe.resources.filetype ignore_above: 1024 level: extended - name: type + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword + file.pe.resources.language: + dashed_name: file-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: file.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword + file.pe.resources.sha256: + dashed_name: file-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: file.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + file.pe.resources.type: + dashed_name: file-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: file.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + file.pe.rich_header.hash.md5: + dashed_name: file-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: file.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. 
+ type: keyword + file.pe.sections: + dashed_name: file-pe-sections + description: Data about sections of compiled binary PE + flat_name: file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + file.pe.sections.chi2: + dashed_name: file-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: file.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + file.pe.sections.entropy: + dashed_name: file-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: file.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + file.pe.sections.flags: + dashed_name: file-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: file.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + file.pe.sections.name: + dashed_name: file-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword + file.pe.sections.raw_size: + dashed_name: file-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: file.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. 
+ type: long + file.pe.sections.virtual_address: + dashed_name: file-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: file.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long + file.size: + dashed_name: file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: file.size + level: extended + name: size + normalize: [] + short: File size in bytes. + type: long + file.target_path: + dashed_name: file-target-path + description: Target path for symlinks. + flat_name: file.target_path + level: extended + multi_fields: + - flat_name: file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + short: Target path for symlinks. + type: wildcard + file.type: + dashed_name: file-type + description: File type (file, dir, or symlink). + example: file + flat_name: file.type + ignore_above: 1024 + level: extended + name: type normalize: [] short: File type (file, dir, or symlink). type: keyword @@ -6243,6 +6979,17 @@ pe: normalize: [] short: CPU architecture target for the file. type: keyword + pe.authentihash: + dashed_name: pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + short: Authentihash of the PE file. + type: keyword pe.company: dashed_name: pe-company description: Internal company name of the file, provided at compile-time. 
@@ -6254,6 +7001,102 @@ pe: normalize: [] short: Internal company name of the file, provided at compile-time. type: keyword + pe.compile_timestamp: + dashed_name: pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + short: Compile timestamp of the PE file. + type: date + pe.compiler.name: + dashed_name: pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + short: Name of the compiler + type: keyword + pe.compiler.version: + dashed_name: pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + short: Version of the compiler. + type: keyword + pe.creation_date: + dashed_name: pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: pe.creation_date + level: extended + name: creation_date + normalize: [] + short: Build or compile date. + type: date + pe.debug: + dashed_name: pe-debug + description: Debug information, if present + flat_name: pe.debug + level: extended + name: debug + normalize: + - array + short: Debug information + type: nested + pe.debug.offset: + dashed_name: pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + short: Debug offset information. + type: keyword + pe.debug.size: + dashed_name: pe-debug-size + description: Size of the debug information. 
+ example: 816 + flat_name: pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + short: Size of the debug information. + type: long + pe.debug.timestamp: + dashed_name: pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + short: Timestamp of the debug information. + type: date + pe.debug.type: + dashed_name: pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + short: Information type generated by the debug options. + type: keyword pe.description: dashed_name: pe-description description: Internal description of the file, provided at compile-time. @@ -6265,6 +7108,29 @@ pe: normalize: [] short: Internal description of the file, provided at compile-time. type: keyword + pe.entry_point: + dashed_name: pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + short: Relative byte offset to the base of the PE file. + type: keyword + pe.exports: + dashed_name: pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + short: List of symbols exported by PE + type: keyword pe.file_version: dashed_name: pe-file-version description: Internal version of the file, provided at compile-time. 
@@ -6276,6 +7142,19 @@ pe: normalize: [] short: Process name. type: keyword + pe.icon.hash.dhash: + dashed_name: pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword pe.imphash: dashed_name: pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash @@ -6291,6 +7170,28 @@ pe: normalize: [] short: A hash of the imports in a PE file. type: keyword + pe.imports: + dashed_name: pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: pe.imports + level: extended + name: imports + normalize: [] + short: List of all imported functions + type: flattened + pe.machine_type: + dashed_name: pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + short: Machine type of the PE file. + type: keyword pe.original_file_name: dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -6301,6 +7202,18 @@ pe: normalize: [] short: Internal name of the file, provided at compile-time. type: wildcard + pe.packers: + dashed_name: pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + short: List of packers and tools used. + type: keyword pe.product: dashed_name: pe-product description: Internal product name of the file, provided at compile-time. 
@@ -6312,6 +7225,166 @@ pe: normalize: [] short: Internal product name of the file, provided at compile-time. type: keyword + pe.resources: + dashed_name: pe-resources + description: If the PE contains resources, some info about them + flat_name: pe.resources + level: extended + name: resources + normalize: + - array + short: If the PE contains resources, some info about them + type: nested + pe.resources.chi2: + dashed_name: pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + short: Chi-square probability distribution. + type: long + pe.resources.entropy: + dashed_name: pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + short: Measurement of entropy randomness in the resources section. + type: long + pe.resources.filetype: + dashed_name: pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + short: File type of the resources section. + type: keyword + pe.resources.language: + dashed_name: pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + short: Language identification. + type: keyword + pe.resources.sha256: + dashed_name: pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + short: SHA256 hash of resources section. 
+ type: keyword + pe.resources.type: + dashed_name: pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + short: List of resource types. + type: keyword + pe.rich_header.hash.md5: + dashed_name: pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + short: MD5 hash of the header for the PE file. + type: keyword + pe.sections: + dashed_name: pe-sections + description: Data about sections of compiled binary PE + flat_name: pe.sections + level: extended + name: sections + normalize: + - array + short: Data about sections of the compiled binary PE + type: nested + pe.sections.chi2: + dashed_name: pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + short: Chi-square probability distribution. + type: long + pe.sections.entropy: + dashed_name: pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + short: Measurement of entropy randomness in the file. + type: float + pe.sections.flags: + dashed_name: pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + short: Section flags of the file. + type: keyword + pe.sections.name: + dashed_name: pe-sections-name + description: Section names of the file. 
+ example: .text, .data + flat_name: pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + short: Section names of the file. + type: keyword + pe.sections.raw_size: + dashed_name: pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + short: Size of the section or the dize of the initialized data on disk. + type: long + pe.sections.virtual_address: + dashed_name: pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + short: Virtual address available to the file. + type: long group: 2 name: pe prefix: pe. @@ -6824,6 +7897,18 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword + process.parent.pe.authentihash: + dashed_name: process-parent-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: process.parent.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword process.parent.pe.company: dashed_name: process-parent-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -6836,6 +7921,111 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword + process.parent.pe.compile_timestamp: + dashed_name: process-parent-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + process.parent.pe.compiler.name: + dashed_name: process-parent-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: process.parent.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + process.parent.pe.compiler.version: + dashed_name: process-parent-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: process.parent.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + process.parent.pe.creation_date: + dashed_name: process-parent-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. 
+ type: date + process.parent.pe.debug: + dashed_name: process-parent-pe-debug + description: Debug information, if present + flat_name: process.parent.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + process.parent.pe.debug.offset: + dashed_name: process-parent-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: process.parent.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + process.parent.pe.debug.size: + dashed_name: process-parent-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: process.parent.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + process.parent.pe.debug.timestamp: + dashed_name: process-parent-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + process.parent.pe.debug.type: + dashed_name: process-parent-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: process.parent.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword process.parent.pe.description: dashed_name: process-parent-pe-description description: Internal description of the file, provided at compile-time. 
@@ -6848,6 +8038,31 @@ process: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword + process.parent.pe.entry_point: + dashed_name: process-parent-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: process.parent.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + process.parent.pe.exports: + dashed_name: process-parent-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: process.parent.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword process.parent.pe.file_version: dashed_name: process-parent-pe-file-version description: Internal version of the file, provided at compile-time. @@ -6860,6 +8075,20 @@ process: original_fieldset: pe short: Process name. type: keyword + process.parent.pe.icon.hash.dhash: + dashed_name: process-parent-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: process.parent.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword process.parent.pe.imphash: dashed_name: process-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -6876,6 +8105,30 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: process.parent.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + process.parent.pe.machine_type: + dashed_name: process-parent-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: process.parent.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword process.parent.pe.original_file_name: dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -6887,6 +8140,19 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard + process.parent.pe.packers: + dashed_name: process-parent-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: process.parent.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -6899,6 +8165,181 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + process.parent.pe.resources: + dashed_name: process-parent-pe-resources + description: If the PE contains resources, some info about them + flat_name: process.parent.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: If the PE contains resources, some info about them + type: nested + process.parent.pe.resources.chi2: + dashed_name: process-parent-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: process.parent.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + process.parent.pe.resources.entropy: + dashed_name: process-parent-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: process.parent.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + process.parent.pe.resources.filetype: + dashed_name: process-parent-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: process.parent.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword + process.parent.pe.resources.language: + dashed_name: process-parent-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: process.parent.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. 
+ type: keyword + process.parent.pe.resources.sha256: + dashed_name: process-parent-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: process.parent.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + process.parent.pe.resources.type: + dashed_name: process-parent-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: process.parent.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + process.parent.pe.rich_header.hash.md5: + dashed_name: process-parent-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: process.parent.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword + process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: Data about sections of compiled binary PE + flat_name: process.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + process.parent.pe.sections.chi2: + dashed_name: process-parent-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: process.parent.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. 
+ type: long + process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: process.parent.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + process.parent.pe.sections.flags: + dashed_name: process-parent-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: process.parent.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: process.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword + process.parent.pe.sections.raw_size: + dashed_name: process-parent-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: process.parent.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + process.parent.pe.sections.virtual_address: + dashed_name: process-parent-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: process.parent.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. 
+ type: long process.parent.pgid: dashed_name: process-parent-pgid description: Identifier of the group of processes the process belongs to. @@ -7025,6 +8466,18 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword + process.pe.authentihash: + dashed_name: process-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: process.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword process.pe.company: dashed_name: process-pe-company description: Internal company name of the file, provided at compile-time. 
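Review bot: `process.parent.pe.rich_header.hash.md5` is described only as "MD5 hash of the header for the PE file", which does not say which header is hashed and can be read as the DOS or NT header rather than the Rich header. The Rich header is the undocumented `DanS`…`Rich` block between the DOS stub and the PE signature that records the toolchain used, and its hash is used for clustering samples the same way imphash is, so the description should name it explicitly: `description: MD5 hash of the Rich header of the PE file (the toolchain block between the DOS stub and the PE signature). Useful for clustering samples built with the same compiler/linker; it is a fingerprint, not an integrity hash.`. This file is generated from the `pe` fieldset (`original_fieldset: pe`), so the wording fix belongs in that source schema and should regenerate here.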
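Review bot: `process.pe.authentihash` gives no hash algorithm, yet the value only correlates with an Authenticode signature or catalog when both use the same digest, and Authenticode signatures carry SHA-1 or SHA-256 digests; the example here is 64 hex characters, i.e. SHA-256. Propose `description: Authenticode hash (authentihash) of the PE file as a lowercase hex SHA-256 digest. Unlike file.hash.sha256 it excludes the checksum field, the certificate table directory entry and the attribute certificate table, so it is the digest an Authenticode signature covers and stays stable when the file is re-signed.`. If producers may also emit SHA-1 authentihashes, nest it as `authentihash.sha1`/`authentihash.sha256`, mirroring how `icon.hash.dhash` and `rich_header.hash.md5` are nested in this commit, rather than leaving one algorithm-agnostic keyword.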
@@ -7037,6 +8490,111 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword + process.pe.compile_timestamp: + dashed_name: process-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + process.pe.compiler.name: + dashed_name: process-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: process.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + process.pe.compiler.version: + dashed_name: process-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: process.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + process.pe.creation_date: + dashed_name: process-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + process.pe.debug: + dashed_name: process-pe-debug + description: Debug information, if present + flat_name: process.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + process.pe.debug.offset: + dashed_name: process-pe-debug-offset + description: Debug offset information. 
+ example: 1296336 + flat_name: process.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + process.pe.debug.size: + dashed_name: process-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: process.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + process.pe.debug.timestamp: + dashed_name: process-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + process.pe.debug.type: + dashed_name: process-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: process.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword process.pe.description: dashed_name: process-pe-description description: Internal description of the file, provided at compile-time. 
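Review bot: `process.pe.compile_timestamp` and `process.pe.creation_date` are added in the same hunk with the same example value and overlapping meaning ("Compile timestamp of the PE file" vs "Indicates when it was built or compiled"), so different producers will populate different fields for the same COFF `TimeDateStamp` and a query on either will miss half the data. Either drop one or document the distinction; at minimum `compile_timestamp` should carry the trust caveat that `creation_date` already has, e.g. `description: Compile timestamp of the PE file, taken from the COFF header TimeDateStamp. This value is attacker-controlled and may be zero, in the future, or a reproducible-build hash rather than a real time; do not treat it alone as evidence of build date.`. `debug.offset` in this hunk is a keyword with the numeric example `1296336`; if it is always an integer offset, `type: long` would permit range queries and avoid decimal/hex mismatches between sources.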
@@ -7049,6 +8607,31 @@ process: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword + process.pe.entry_point: + dashed_name: process-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: process.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + process.pe.exports: + dashed_name: process-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: process.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword process.pe.file_version: dashed_name: process-pe-file-version description: Internal version of the file, provided at compile-time. @@ -7061,6 +8644,20 @@ process: original_fieldset: pe short: Process name. type: keyword + process.pe.icon.hash.dhash: + dashed_name: process-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: process.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword process.pe.imphash: dashed_name: process-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
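Review bot: `process.pe.entry_point` is described as "Relative byte offset to the base of the PE file", but the example `25856` (0x6500) reads as the optional header's AddressOfEntryPoint, which is a relative virtual address from the image base, not a file offset; the two diverge as soon as section raw and virtual alignments differ. Because the field is a keyword, the description should also fix the encoding so values from different sources match: `description: Relative virtual address (RVA) of the PE entry point, i.e. AddressOfEntryPoint from the optional header, as a decimal integer.`. An entry point outside `.text` or in the last section is a common packer indicator, and that is only queryable if every producer encodes the value the same way.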
@@ -7077,6 +8674,30 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + process.pe.imports: + dashed_name: process-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: process.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + process.pe.machine_type: + dashed_name: process-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: process.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword process.pe.original_file_name: dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -7088,6 +8709,19 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard + process.pe.packers: + dashed_name: process-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: process.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. 
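Review bot: `process.pe.imports` is described as "List of all imported functions" with `normalize: []`, yet a PE imports from many libraries, and the example `{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }` shows `imported_functions` as a single string rather than a list. As written, a producer cannot tell whether to emit one object, an array of objects, or one object per function, so the same binary gets indexed differently by different integrations and a hunt like "processes importing CreateRemoteThread" silently misses data. Propose `normalize: - array`, a description stating one object per imported library, and the example `'[{ "library_name" : "mscoree.dll", "imported_functions" : ["GetFileVersionInfoSizeA", "GetFileVersionInfoA"] }]'`. `machine_type` has the same shape problem: the free-text example `Intel 386 or later, and compatibles` will vary by parser, so the `IMAGE_FILE_MACHINE_*` constant name is the safer canonical value.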
@@ -7100,6 +8734,181 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + process.pe.resources: + dashed_name: process-pe-resources + description: If the PE contains resources, some info about them + flat_name: process.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: If the PE contains resources, some info about them + type: nested + process.pe.resources.chi2: + dashed_name: process-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: process.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + process.pe.resources.entropy: + dashed_name: process-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: process.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + process.pe.resources.filetype: + dashed_name: process-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: process.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword + process.pe.resources.language: + dashed_name: process-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: process.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword + process.pe.resources.sha256: + dashed_name: process-pe-resources-sha256 + description: SHA256 hash of resources section. 
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: process.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + process.pe.resources.type: + dashed_name: process-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: process.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + process.pe.rich_header.hash.md5: + dashed_name: process-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: process.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword + process.pe.sections: + dashed_name: process-pe-sections + description: Data about sections of compiled binary PE + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + process.pe.sections.chi2: + dashed_name: process-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: process.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: process.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. 
+ type: float + process.pe.sections.flags: + dashed_name: process-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: process.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + process.pe.sections.name: + dashed_name: process-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword + process.pe.sections.raw_size: + dashed_name: process-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: process.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + process.pe.sections.virtual_address: + dashed_name: process-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: process.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long process.pgid: dashed_name: process-pgid description: Identifier of the group of processes the process belongs to. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 0eabce58f9..f060d7423f 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json 
@@ -568,28 +568,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } } 
@@ -926,28 +1062,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, 
@@ -2009,28 +2281,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, 
@@ -2085,28 +2493,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json index d6a6ad6899..88ea559a76 100644 --- a/experimental/generated/elasticsearch/component/dll.json +++ b/experimental/generated/elasticsearch/component/dll.json 
@@ -67,28 +67,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } } diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json index 8d771b34fc..af6cc74ab1 100644 --- a/experimental/generated/elasticsearch/component/file.json +++ b/experimental/generated/elasticsearch/component/file.json 
@@ -127,28 +127,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json index 54b6700f89..db55345f29 100644 --- a/experimental/generated/elasticsearch/component/process.json +++ b/experimental/generated/elasticsearch/component/process.json 
@@ -188,28 +188,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, 
@@ -264,28 +400,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, From b8739afcd8ce03224f111f65c979f2e87014c218 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 9 Feb 2021 16:02:15 -0600 Subject: [PATCH 3/5] improve descriptions for nested fields --- experimental/generated/beats/fields.ecs.yml | 45 +++++++++++++---- experimental/generated/csv/fields.csv | 8 +-- experimental/generated/ecs/ecs_flat.yml | 40 ++++++++++----- experimental/generated/ecs/ecs_nested.yml | 55 +++++++++++++++------ experimental/schemas/pe.yml | 9 +++- 5 files changed, 114 insertions(+), 43 deletions(-) diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 84c5bdce2d..e4efd43521 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1084,7 +1084,10 @@ - name: pe.debug level: extended type: nested - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. + .' default_field: false - name: pe.debug.offset level: extended @@ -1197,7 +1200,9 @@ - name: pe.resources level: extended type: nested - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' default_field: false - name: pe.resources.chi2 level: extended 
@@ -2059,7 +2064,10 @@ - name: pe.debug level: extended type: nested - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. + .' default_field: false - name: pe.debug.offset level: extended @@ -2172,7 +2180,9 @@ - name: pe.resources level: extended type: nested - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' default_field: false - name: pe.resources.chi2 level: extended @@ -3942,7 +3952,10 @@ - name: debug level: extended type: nested - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. + .' default_field: false - name: debug.offset level: extended @@ -4055,7 +4068,9 @@ - name: resources level: extended type: nested - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' default_field: false - name: resources.chi2 level: extended @@ -4507,7 +4522,10 @@ - name: parent.pe.debug level: extended type: nested - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. + .' default_field: false - name: parent.pe.debug.offset level: extended 
@@ -4620,7 +4638,9 @@ - name: parent.pe.resources level: extended type: nested - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' default_field: false - name: parent.pe.resources.chi2 level: extended @@ -4832,7 +4852,10 @@ - name: pe.debug level: extended type: nested - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. + .' default_field: false - name: pe.debug.offset level: extended @@ -4945,7 +4968,9 @@ - name: pe.resources level: extended type: nested - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' default_field: false - name: pe.resources.chi2 level: extended diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index fe6d03bd8a..22a4bcc849 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -140,7 +140,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 2.0.0-dev+exp,true,dll,dll.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 2.0.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev+exp,true,dll,dll.pe.resources,nested,extended,array,,"If the PE contains resources, some info about them" +2.0.0-dev+exp,true,dll,dll.pe.resources,nested,extended,array,,PE resource information 2.0.0-dev+exp,true,dll,dll.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. 2.0.0-dev+exp,true,dll,dll.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. 2.0.0-dev+exp,true,dll,dll.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. 
@@ -256,7 +256,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 2.0.0-dev+exp,true,file,file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 2.0.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev+exp,true,file,file.pe.resources,nested,extended,array,,"If the PE contains resources, some info about them" +2.0.0-dev+exp,true,file,file.pe.resources,nested,extended,array,,PE resource information 2.0.0-dev+exp,true,file,file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. 2.0.0-dev+exp,true,file,file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. 2.0.0-dev+exp,true,file,file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. 
@@ -517,7 +517,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 2.0.0-dev+exp,true,process,process.parent.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 2.0.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev+exp,true,process,process.parent.pe.resources,nested,extended,array,,"If the PE contains resources, some info about them" +2.0.0-dev+exp,true,process,process.parent.pe.resources,nested,extended,array,,PE resource information 2.0.0-dev+exp,true,process,process.parent.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. 2.0.0-dev+exp,true,process,process.parent.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. 2.0.0-dev+exp,true,process,process.parent.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. 
@@ -566,7 +566,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 2.0.0-dev+exp,true,process,process.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 2.0.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev+exp,true,process,process.pe.resources,nested,extended,array,,"If the PE contains resources, some info about them" +2.0.0-dev+exp,true,process,process.pe.resources,nested,extended,array,,PE resource information 2.0.0-dev+exp,true,process,process.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. 2.0.0-dev+exp,true,process,process.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. 2.0.0-dev+exp,true,process,process.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 54f5580d6c..8457b8b483 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1476,7 +1476,9 @@ dll.pe.creation_date: type: date dll.pe.debug: dashed_name: dll-pe-debug - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. .' flat_name: dll.pe.debug level: extended name: debug 
@@ -1672,14 +1674,16 @@ dll.pe.product: type: keyword dll.pe.resources: dashed_name: dll-pe-resources - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' flat_name: dll.pe.resources level: extended name: resources normalize: - array original_fieldset: pe - short: If the PE contains resources, some info about them + short: PE resource information type: nested dll.pe.resources.chi2: dashed_name: dll-pe-resources-chi2 @@ -3324,7 +3328,9 @@ file.pe.creation_date: type: date file.pe.debug: dashed_name: file-pe-debug - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. .' flat_name: file.pe.debug level: extended name: debug @@ -3520,14 +3526,16 @@ file.pe.product: type: keyword file.pe.resources: dashed_name: file-pe-resources - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' flat_name: file.pe.resources level: extended name: resources normalize: - array original_fieldset: pe - short: If the PE contains resources, some info about them + short: PE resource information type: nested file.pe.resources.chi2: dashed_name: file-pe-resources-chi2 @@ -6489,7 +6497,9 @@ process.parent.pe.creation_date: type: date process.parent.pe.debug: dashed_name: process-parent-pe-debug - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. .' flat_name: process.parent.pe.debug level: extended name: debug 
@@ -6685,14 +6695,16 @@ process.parent.pe.product: type: keyword process.parent.pe.resources: dashed_name: process-parent-pe-resources - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' flat_name: process.parent.pe.resources level: extended name: resources normalize: - array original_fieldset: pe - short: If the PE contains resources, some info about them + short: PE resource information type: nested process.parent.pe.resources.chi2: dashed_name: process-parent-pe-resources-chi2 @@ -7057,7 +7069,9 @@ process.pe.creation_date: type: date process.pe.debug: dashed_name: process-pe-debug - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. .' flat_name: process.pe.debug level: extended name: debug @@ -7253,14 +7267,16 @@ process.pe.product: type: keyword process.pe.resources: dashed_name: process-pe-resources - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' flat_name: process.pe.resources level: extended name: resources normalize: - array original_fieldset: pe - short: If the PE contains resources, some info about them + short: PE resource information type: nested process.pe.resources.chi2: dashed_name: process-pe-resources-chi2 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 52b2aaee29..124f05d1ff 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -1822,7 +1822,10 @@ dll: type: date dll.pe.debug: dashed_name: dll-pe-debug - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. + .' flat_name: dll.pe.debug level: extended name: debug @@ -2019,14 +2022,16 @@ dll: type: keyword dll.pe.resources: dashed_name: dll-pe-resources - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' flat_name: dll.pe.resources level: extended name: resources normalize: - array original_fieldset: pe - short: If the PE contains resources, some info about them + short: PE resource information type: nested dll.pe.resources.chi2: dashed_name: dll-pe-resources-chi2 @@ -3773,7 +3778,10 @@ file: type: date file.pe.debug: dashed_name: file-pe-debug - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. + .' flat_name: file.pe.debug level: extended name: debug @@ -3970,14 +3978,16 @@ file: type: keyword file.pe.resources: dashed_name: file-pe-resources - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' flat_name: file.pe.resources level: extended name: resources normalize: - array original_fieldset: pe - short: If the PE contains resources, some info about them + short: PE resource information type: nested file.pe.resources.chi2: dashed_name: file-pe-resources-chi2 
@@ -7046,7 +7056,10 @@ pe: type: date pe.debug: dashed_name: pe-debug - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. + .' flat_name: pe.debug level: extended name: debug @@ -7227,13 +7240,15 @@ pe: type: keyword pe.resources: dashed_name: pe-resources - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' flat_name: pe.resources level: extended name: resources normalize: - array - short: If the PE contains resources, some info about them + short: PE resource information type: nested pe.resources.chi2: dashed_name: pe-resources-chi2 @@ -7970,7 +7985,10 @@ process: type: date process.parent.pe.debug: dashed_name: process-parent-pe-debug - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. + .' flat_name: process.parent.pe.debug level: extended name: debug @@ -8167,14 +8185,16 @@ process: type: keyword process.parent.pe.resources: dashed_name: process-parent-pe-resources - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' flat_name: process.parent.pe.resources level: extended name: resources normalize: - array original_fieldset: pe - short: If the PE contains resources, some info about them + short: PE resource information type: nested process.parent.pe.resources.chi2: dashed_name: process-parent-pe-resources-chi2 
@@ -8539,7 +8559,10 @@ process: type: date process.pe.debug: dashed_name: process-pe-debug - description: Debug information, if present + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. + .' flat_name: process.pe.debug level: extended name: debug @@ -8736,14 +8759,16 @@ process: type: keyword process.pe.resources: dashed_name: process-pe-resources - description: If the PE contains resources, some info about them + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' flat_name: process.pe.resources level: extended name: resources normalize: - array original_fieldset: pe - short: If the PE contains resources, some info about them + short: PE resource information type: nested process.pe.resources.chi2: dashed_name: process-pe-resources-chi2 diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml index 88105892fa..ef95391d57 100644 --- a/experimental/schemas/pe.yml +++ b/experimental/schemas/pe.yml @@ -17,7 +17,9 @@ type: nested short: Debug information description: > - Debug information, if present + An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix. . normalize: - array @@ -103,8 +105,11 @@ - name: resources level: extended type: nested + short: PE resource information description: > - If the PE contains resources, some info about them + An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix. normalize: - array From 4577aec1a42343550e80a422a98097361bd2428f Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 9 Feb 2021 16:07:08 -0600 Subject: [PATCH 4/5] changelog --- CHANGELOG.next.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 6239379a43..8fe7df718f 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -22,6 +22,7 @@ Thanks, you're awesome :-) --> * Added `hash.ssdeep`. #1169 * Added additional host fields. #1248 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229 +* Extended `pe` fields added to experimental schema. #1256 #### Improvements From e1781b73f61f4bf098a622316a74dc2fe47da6ee Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 10 Feb 2021 13:37:57 -0600 Subject: [PATCH 5/5] formatting --- experimental/generated/beats/fields.ecs.yml | 15 +++++---------- experimental/generated/ecs/ecs_flat.yml | 8 ++++---- experimental/generated/ecs/ecs_nested.yml | 15 +++++---------- experimental/schemas/pe.yml | 3 +-- 4 files changed, 15 insertions(+), 26 deletions(-) diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index e4efd43521..3b4107c0c5 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1086,8 +1086,7 @@ type: nested description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. - .' + The expected fields for this nested object fall under the `debug.` prefix.' default_field: false - name: pe.debug.offset level: extended @@ -2066,8 +2065,7 @@ type: nested description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. - .' + The expected fields for this nested object fall under the `debug.` prefix.' default_field: false - name: pe.debug.offset level: extended 
@@ -3954,8 +3952,7 @@ type: nested description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. - .' + The expected fields for this nested object fall under the `debug.` prefix.' default_field: false - name: debug.offset level: extended @@ -4524,8 +4521,7 @@ type: nested description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. - .' + The expected fields for this nested object fall under the `debug.` prefix.' default_field: false - name: parent.pe.debug.offset level: extended @@ -4854,8 +4850,7 @@ type: nested description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. - .' + The expected fields for this nested object fall under the `debug.` prefix.' default_field: false - name: pe.debug.offset level: extended diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 8457b8b483..ee97af19e6 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1478,7 +1478,7 @@ dll.pe.debug: dashed_name: dll-pe-debug description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. .' + The expected fields for this nested object fall under the `debug.` prefix.' flat_name: dll.pe.debug level: extended name: debug @@ -3330,7 +3330,7 @@ file.pe.debug: dashed_name: file-pe-debug description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. .' + The expected fields for this nested object fall under the `debug.` prefix.' flat_name: file.pe.debug level: extended name: debug 
@@ -6499,7 +6499,7 @@ process.parent.pe.debug: dashed_name: process-parent-pe-debug description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. .' + The expected fields for this nested object fall under the `debug.` prefix.' flat_name: process.parent.pe.debug level: extended name: debug @@ -7071,7 +7071,7 @@ process.pe.debug: dashed_name: process-pe-debug description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. .' + The expected fields for this nested object fall under the `debug.` prefix.' flat_name: process.pe.debug level: extended name: debug diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 124f05d1ff..4ce5d1a3ea 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1824,8 +1824,7 @@ dll: dashed_name: dll-pe-debug description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. - .' + The expected fields for this nested object fall under the `debug.` prefix.' flat_name: dll.pe.debug level: extended name: debug @@ -3780,8 +3779,7 @@ file: dashed_name: file-pe-debug description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. - .' + The expected fields for this nested object fall under the `debug.` prefix.' flat_name: file.pe.debug level: extended name: debug @@ -7058,8 +7056,7 @@ pe: dashed_name: pe-debug description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. - .' + The expected fields for this nested object fall under the `debug.` prefix.' flat_name: pe.debug level: extended name: debug 
@@ -7987,8 +7984,7 @@ process: dashed_name: process-parent-pe-debug description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. - .' + The expected fields for this nested object fall under the `debug.` prefix.' flat_name: process.parent.pe.debug level: extended name: debug @@ -8561,8 +8557,7 @@ process: dashed_name: process-pe-debug description: 'An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. - .' + The expected fields for this nested object fall under the `debug.` prefix.' flat_name: process.pe.debug level: extended name: debug diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml index ef95391d57..9ed4b4da8c 100644 --- a/experimental/schemas/pe.yml +++ b/experimental/schemas/pe.yml @@ -19,8 +19,7 @@ description: > An array containing an object for each debug entry, if present. - The expected fields for this nested object fall under the `debug.` prefix. . - + The expected fields for this nested object fall under the `debug.` prefix. normalize: - array