elastic · webmat · Feb 12, 2020 · Dec 5, 2019 · Dec 6, 2019 · Dec 6, 2019
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -15,6 +15,7 @@ Thanks, you're awesome :-) -->
 #### Bugfixes
 
 #### Added
+* Added `library.*` fields (#679)
 
 #### Improvements
 

diff --git a/code/go/ecs/dll.go b/code/go/ecs/dll.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -757,6 +757,45 @@ example: `co.uk`
 // ===============================================================
 
 
+|=====
+
+[[ecs-dll]]
+=== DLL (Dynamically Linked Library) Fields
+
+These fields contain information about dynamically loaded libraries and may include both kernel-mode modules and process modules.
+
+==== DLL (Dynamically Linked Library) Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+| dll.name
+| Name of the library.
+
+This generally maps to the name of the file on disk.
+
+type: keyword
+
+example: `kernel32.dll`
+
+| core
+
+// ===============================================================
+
+| dll.path
+| Full file path of the library.
+
+type: keyword
+
+example: `C:\Windows\System32\kernel32.dll`
+
+| extended
+
+// ===============================================================
+
 |=====
 
 [[ecs-dns]]

diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
@@ -32,6 +32,8 @@ all fields are defined.
 
 | <<ecs-destination,Destination>> | Fields about the destination side of a network connection, used with source.
 
+| <<ecs-dll,DLL (Dynamically Linked Library)>> | These fields contain information about dynamically loaded libraries and may include both kernel-mode modules and process modules.
+
 | <<ecs-dns,DNS>> | Fields describing DNS queries and answers.
 
 | <<ecs-ecs,ECS>> | Meta-information specific to ECS.

diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
@@ -692,6 +692,29 @@
         default_field: false
       description: Short name or login of the user.
       example: albert
+  - name: dll
+    title: DLL (Dynamically Linked Library)
+    group: 2
+    description: These fields contain information about dynamically loaded libraries
+      and may include both kernel-mode modules and process modules.
+    type: group
+    fields:
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the library.
+
+        This generally maps to the name of the file on disk.'
+      example: kernel32.dll
+      default_field: false
+    - name: path
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Full file path of the library.
+      example: C:\Windows\System32\kernel32.dll
+      default_field: false
   - name: dns
     title: DNS
     group: 2

diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
@@ -90,6 +90,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description
 1.5.0-dev,true,destination,destination.user.id,keyword,core,,One or multiple unique identifiers of the user.
 1.5.0-dev,true,destination,destination.user.name,keyword,core,albert,Short name or login of the user.
 1.5.0-dev,true,destination,destination.user.name.text,text,core,albert,Short name or login of the user.
+1.5.0-dev,true,dll,dll.name,keyword,core,kernel32.dll,Name of the library.
+1.5.0-dev,true,dll,dll.path,keyword,extended,C:\Windows\System32\kernel32.dll,Full file path of the library.
 1.5.0-dev,true,dns,dns.answers,object,extended,,Array of DNS answers.
 1.5.0-dev,true,dns,dns.answers.class,keyword,extended,IN,The class of DNS data contained in this resource record.
 1.5.0-dev,true,dns,dns.answers.data,keyword,extended,10.10.10.10,The data describing the resource.

diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
@@ -1028,6 +1028,30 @@ destination.user.name:
   original_fieldset: user
   short: Short name or login of the user.
   type: keyword
+dll.name:
+  dashed_name: dll-name
+  description: 'Name of the library.
+
+    This generally maps to the name of the file on disk.'
+  example: kernel32.dll
+  flat_name: dll.name
+  ignore_above: 1024
+  level: core
+  name: name
+  order: 0
+  short: Name of the library.
+  type: keyword
+dll.path:
+  dashed_name: dll-path
+  description: Full file path of the library.
+  example: C:\Windows\System32\kernel32.dll
+  flat_name: dll.path
+  ignore_above: 1024
+  level: extended
+  name: path
+  order: 1
+  short: Full file path of the library.
+  type: keyword
 dns.answers:
   dashed_name: dns-answers
   description: 'An array containing an object for each answer section returned by

diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
@@ -1190,6 +1190,41 @@ destination:
   short: Fields about the destination side of a network connection, used with source.
   title: Destination
   type: group
+dll:
+  description: These fields contain information about dynamically loaded libraries
+    and may include both kernel-mode modules and process modules.
+  fields:
+    name:
+      dashed_name: dll-name
+      description: 'Name of the library.
+
+        This generally maps to the name of the file on disk.'
+      example: kernel32.dll
+      flat_name: dll.name
+      ignore_above: 1024
+      level: core
+      name: name
+      order: 0
+      short: Name of the library.
+      type: keyword
+    path:
+      dashed_name: dll-path
+      description: Full file path of the library.
+      example: C:\Windows\System32\kernel32.dll
+      flat_name: dll.path
+      ignore_above: 1024
+      level: extended
+      name: path
+      order: 1
+      short: Full file path of the library.
+      type: keyword
+  group: 2
+  name: dll
+  prefix: dll.
+  short: These fields contain information about dynamically loaded libraries and may
+    include both kernel-mode modules and process modules.
+  title: DLL (Dynamically Linked Library)
+  type: group
 dns:
   description: 'Fields describing DNS queries and answers.
 

diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
@@ -459,6 +459,18 @@
             }
           }
         },
+        "dll": {
+          "properties": {
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
         "dns": {
           "properties": {
             "answers": {

diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
@@ -458,6 +458,18 @@
           }
         }
       },
+      "dll": {
+        "properties": {
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "path": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
       "dns": {
         "properties": {
           "answers": {

diff --git a/schemas/dll.yml b/schemas/dll.yml
@@ -0,0 +1,24 @@
+---
+- name: dll
+  title: DLL (Dynamically Linked Library)
+  group: 2
+  description: These fields contain information about dynamically loaded libraries/process modules.
+  type: group
+
+  fields:
+
+    - name: name
+      level: core
+      type: keyword
+      short: Name of the library.
+      description: >
+        Name of the library.
+
+        This generally maps to the name of the file on disk.
+      example: kernel32.dll
+
+    - name: path
+      level: extended
+      type: keyword
+      description: Full file path of the library.
+      example: C:\Windows\System32\kernel32.dll