From 9f97ffbc3b2e2770367cbc7a35b6d1d764199ae4 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 17 Feb 2021 10:00:05 -0600 Subject: [PATCH] Stage 1 changes for RFC 0014 - extend pe fields (#1256) (#1270) --- CHANGELOG.next.md | 1 + experimental/generated/beats/fields.ecs.yml | 1100 +++++++++- experimental/generated/csv/fields.csv | 124 ++ experimental/generated/ecs/ecs_flat.yml | 1536 +++++++++++++- experimental/generated/ecs/ecs_nested.yml | 1881 ++++++++++++++++- .../generated/elasticsearch/7/template.json | 544 +++++ .../elasticsearch/component/dll.json | 136 ++ .../elasticsearch/component/file.json | 136 ++ .../elasticsearch/component/process.json | 272 +++ experimental/schemas/pe.yml | 225 ++ 10 files changed, 5878 insertions(+), 77 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 6239379a43..8fe7df718f 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -22,6 +22,7 @@ Thanks, you're awesome :-) --> * Added `hash.ssdeep`. #1169 * Added additional host fields. #1248 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229 +* Extended `pe` fields added to experimental schema. #1256 #### Improvements diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index c044939ad9..bad2a56e1b 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1040,6 +1040,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: pe.company level: extended type: keyword 
@@ -1047,6 +1054,67 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false + - name: pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + default_field: false + - name: pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false - name: pe.description level: extended type: keyword 
@@ -1054,6 +1122,20 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false + - name: pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false - name: pe.file_version level: extended type: keyword @@ -1061,6 +1143,14 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false - name: pe.imphash level: extended type: keyword 
@@ -1072,12 +1162,33 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false - name: pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false + - name: pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false - name: pe.product level: extended type: keyword 
@@ -1085,6 +1196,105 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: 3027194 + default_field: false + - name: pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false - name: dns title: DNS group: 2 @@ -1809,6 +2019,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: pe.company level: extended type: keyword 
@@ -1816,6 +2033,67 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false + - name: pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + default_field: false + - name: pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false - name: pe.description level: extended type: keyword 
@@ -1823,6 +2101,20 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false + - name: pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false - name: pe.file_version level: extended type: keyword @@ -1830,6 +2122,14 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false - name: pe.imphash level: extended type: keyword 
@@ -1841,12 +2141,33 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false - name: pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false + - name: pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false - name: pe.product level: extended type: keyword 
@@ -1854,6 +2175,105 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: 3027194 + default_field: false + - name: pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false - name: size level: extended type: long @@ -3486,6 +3906,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: company level: extended type: keyword 
@@ -3493,47 +3920,250 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: description + - name: compile_timestamp level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: file_version + - name: compiler.name level: extended type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: Name of the compiler + example: Clang default_field: false - - name: imphash + - name: compiler.version level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + description: Version of the compiler. + example: 11.0.0 default_field: false - - name: original_file_name + - name: creation_date level: extended - type: wildcard - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: product + - name: debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' 
+ default_field: false + - name: debug.offset level: extended type: keyword ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" + description: Debug offset information. + example: 1296336 default_field: false - - name: process - title: Process - group: 2 + - name: debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false + - name: description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false + - name: file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. 
+ example: b806e17c8e330d82 + default_field: false + - name: imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false + - name: original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: -1 + default_field: false + - name: resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: 3027194 + default_field: false + - name: sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. 
+ example: .text, .data + default_field: false + - name: sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false + - name: process + title: Process + group: 2 description: 'These fields contain information about a process. These fields can help you correlate metrics information with a process id/name @@ -3845,6 +4475,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: parent.pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: parent.pe.company level: extended type: keyword 
@@ -3852,6 +4489,67 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false + - name: parent.pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: parent.pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: parent.pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: parent.pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: parent.pe.debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + default_field: false + - name: parent.pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: parent.pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: parent.pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: parent.pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false - name: parent.pe.description level: extended type: keyword 
@@ -3859,6 +4557,20 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false + - name: parent.pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: parent.pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false - name: parent.pe.file_version level: extended type: keyword @@ -3866,6 +4578,14 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: parent.pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false - name: parent.pe.imphash level: extended type: keyword 
@@ -3877,12 +4597,33 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false + - name: parent.pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: parent.pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false - name: parent.pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false + - name: parent.pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false - name: parent.pe.product level: extended type: keyword 
@@ -3890,6 +4631,105 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false + - name: parent.pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: parent.pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: parent.pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: parent.pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: parent.pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: parent.pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: parent.pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: parent.pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. 
+ example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: parent.pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: parent.pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: 3027194 + default_field: false + - name: parent.pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: parent.pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: parent.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: parent.pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: parent.pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false - name: parent.pgid level: extended type: long @@ -3964,6 +4804,13 @@ description: CPU architecture target for the file. example: x64 default_field: false + - name: pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false - name: pe.company level: extended type: keyword 
@@ -3971,6 +4818,67 @@
       description: Internal company name of the file, provided at compile-time.
       example: Microsoft Corporation
       default_field: false
+    - name: pe.compile_timestamp
+      level: extended
+      type: date
+      description: Compile timestamp of the PE file.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: pe.compiler.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the compiler
+      example: Clang
+      default_field: false
+    - name: pe.compiler.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the compiler.
+      example: 11.0.0
+      default_field: false
+    - name: pe.creation_date
+      level: extended
+      type: date
+      description: Extracted when possible from the file's metadata. Indicates when
+        it was built or compiled. It can also be faked by malware creators.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: pe.debug
+      level: extended
+      type: nested
+      description: 'An array containing an object for each debug entry, if present.
+
+        The expected fields for this nested object fall under the `debug.` prefix.'
+      default_field: false
+    - name: pe.debug.offset
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Debug offset information.
+      example: 1296336
+      default_field: false
+    - name: pe.debug.size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the debug information.
+      example: 816
+      default_field: false
+    - name: pe.debug.timestamp
+      level: extended
+      type: date
+      description: Timestamp of the debug information.
+      example: '2020-11-05T17:25:47.000Z'
+      default_field: false
+    - name: pe.debug.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Information type generated by the debug options.
+      example: IMAGE_DEBUG_TYPE_POGO
+      default_field: false
     - name: pe.description
       level: extended
       type: keyword
@@ -3978,6 +4886,20 @@
       description: Internal description of the file, provided at compile-time.
       example: Paint
       default_field: false
+    - name: pe.entry_point
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Relative byte offset to the base of the PE file.
+      example: 25856
+      default_field: false
+    - name: pe.exports
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of symbols exported by PE
+      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+      default_field: false
     - name: pe.file_version
       level: extended
       type: keyword
@@ -3985,6 +4907,14 @@
       description: Internal version of the file, provided at compile-time.
       example: 6.3.9600.17415
       default_field: false
+    - name: pe.icon.hash.dhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Difference Hash (dhash) to find files with a visually similar icon
+        or thumbnail.
+      example: b806e17c8e330d82
+      default_field: false
     - name: pe.imphash
       level: extended
       type: keyword
@@ -3996,12 +4926,33 @@
         Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
       example: 0c6803c4e922103c4dca5963aad36ddf
       default_field: false
+    - name: pe.imports
+      level: extended
+      type: flattened
+      description: List of all imported functions
+      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+        }'
+      default_field: false
+    - name: pe.machine_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the PE file.
+      example: Intel 386 or later, and compatibles
+      default_field: false
     - name: pe.original_file_name
       level: extended
       type: wildcard
       description: Internal name of the file, provided at compile-time.
       example: MSPAINT.EXE
       default_field: false
+    - name: pe.packers
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of packers and tools used.
+      example: '["ASPack v2.12", ".NET executable"]'
+      default_field: false
     - name: pe.product
       level: extended
       type: keyword
@@ -4009,6 +4960,105 @@
       description: Internal product name of the file, provided at compile-time.
       example: "Microsoft\xAE Windows\xAE Operating System"
       default_field: false
+    - name: pe.resources
+      level: extended
+      type: nested
+      description: 'An array containing an object for each PE resource, if present.
+
+        The expected fields for this nested object fall under the `resources.` prefix.'
+      default_field: false
+    - name: pe.resources.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: -1
+      default_field: false
+    - name: pe.resources.entropy
+      level: extended
+      type: long
+      description: Measurement of entropy randomness in the resources section.
+      example: 0, 1
+      default_field: false
+    - name: pe.resources.filetype
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: File type of the resources section.
+      example: Data
+      default_field: false
+    - name: pe.resources.language
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Language identification.
+      example: CHINESE SIMPLIFIED
+      default_field: false
+    - name: pe.resources.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash of resources section.
+      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+      default_field: false
+    - name: pe.resources.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Digest of resource types.
+      example: '["RT_VERSION", "RT_MANIFEST"]'
+      default_field: false
+    - name: pe.rich_header.hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash of the header for the PE file.
+      example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+      default_field: false
+    - name: pe.sections
+      level: extended
+      type: nested
+      description: Data about sections of compiled binary PE
+      default_field: false
+    - name: pe.sections.chi2
+      level: extended
+      type: long
+      description: Chi-square probability distribution.
+      example: 3027194
+      default_field: false
+    - name: pe.sections.entropy
+      level: extended
+      type: float
+      description: Measurement of entropy randomness in the file.
+      example: 6.24
+      default_field: false
+    - name: pe.sections.flags
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section flags of the file.
+      example: rx
+      default_field: false
+    - name: pe.sections.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Section names of the file.
+      example: .text, .data
+      default_field: false
+    - name: pe.sections.raw_size
+      level: extended
+      type: long
+      format: bytes
+      description: Size of the section or the dize of the initialized data on disk.
+      example: 198144
+      default_field: false
+    - name: pe.sections.virtual_address
+      level: extended
+      type: long
+      format: bytes
+      description: Virtual address available to the file.
+      example: 8192
+      default_field: false
     - name: pgid
       level: extended
       type: long
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 2ab59c260c..0bde23311a 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -118,12 +118,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
 1.9.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
 1.9.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,dll,dll.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
 1.9.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,dll,dll.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0-dev+exp,true,dll,dll.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0-dev+exp,true,dll,dll.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0-dev+exp,true,dll,dll.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0-dev+exp,true,dll,dll.pe.debug,nested,extended,array,,Debug information
+1.9.0-dev+exp,true,dll,dll.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0-dev+exp,true,dll,dll.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0-dev+exp,true,dll,dll.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0-dev+exp,true,dll,dll.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
 1.9.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,dll,dll.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0-dev+exp,true,dll,dll.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
 1.9.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,dll,dll.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
 1.9.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0-dev+exp,true,dll,dll.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
 1.9.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,dll,dll.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
 1.9.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,dll,dll.pe.resources,nested,extended,array,,PE resource information
+1.9.0-dev+exp,true,dll,dll.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0-dev+exp,true,dll,dll.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0-dev+exp,true,dll,dll.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0-dev+exp,true,dll,dll.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0-dev+exp,true,dll,dll.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0-dev+exp,true,dll,dll.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0-dev+exp,true,dll,dll.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0-dev+exp,true,dll,dll.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0-dev+exp,true,dll,dll.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0-dev+exp,true,dll,dll.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0-dev+exp,true,dll,dll.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0-dev+exp,true,dll,dll.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
 1.9.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
 1.9.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
 1.9.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource.
@@ -203,12 +234,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.9.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 1.9.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,file,file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
 1.9.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0-dev+exp,true,file,file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0-dev+exp,true,file,file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0-dev+exp,true,file,file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0-dev+exp,true,file,file.pe.debug,nested,extended,array,,Debug information
+1.9.0-dev+exp,true,file,file.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0-dev+exp,true,file,file.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0-dev+exp,true,file,file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0-dev+exp,true,file,file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
 1.9.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0-dev+exp,true,file,file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
 1.9.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,file,file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
 1.9.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,file,file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0-dev+exp,true,file,file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
 1.9.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
 1.9.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,file,file.pe.resources,nested,extended,array,,PE resource information
+1.9.0-dev+exp,true,file,file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0-dev+exp,true,file,file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0-dev+exp,true,file,file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0-dev+exp,true,file,file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0-dev+exp,true,file,file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0-dev+exp,true,file,file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0-dev+exp,true,file,file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0-dev+exp,true,file,file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0-dev+exp,true,file,file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0-dev+exp,true,file,file.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0-dev+exp,true,file,file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0-dev+exp,true,file,file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
 1.9.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes.
 1.9.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks.
 1.9.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks.
@@ -433,12 +495,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name.
 1.9.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name.
 1.9.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,process,process.parent.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
 1.9.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0-dev+exp,true,process,process.parent.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0-dev+exp,true,process,process.parent.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0-dev+exp,true,process,process.parent.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0-dev+exp,true,process,process.parent.pe.debug,nested,extended,array,,Debug information
+1.9.0-dev+exp,true,process,process.parent.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0-dev+exp,true,process,process.parent.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0-dev+exp,true,process,process.parent.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0-dev+exp,true,process,process.parent.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
 1.9.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0-dev+exp,true,process,process.parent.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
 1.9.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,process,process.parent.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
 1.9.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0-dev+exp,true,process,process.parent.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
 1.9.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
 1.9.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.parent.pe.resources,nested,extended,array,,PE resource information
+1.9.0-dev+exp,true,process,process.parent.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0-dev+exp,true,process,process.parent.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0-dev+exp,true,process,process.parent.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0-dev+exp,true,process,process.parent.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0-dev+exp,true,process,process.parent.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
 1.9.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 1.9.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id.
 1.9.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid.
@@ -451,12 +544,43 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process.
 1.9.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process.
 1.9.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.9.0-dev+exp,true,process,process.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
 1.9.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.9.0-dev+exp,true,process,process.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.9.0-dev+exp,true,process,process.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.9.0-dev+exp,true,process,process.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.9.0-dev+exp,true,process,process.pe.debug,nested,extended,array,,Debug information
+1.9.0-dev+exp,true,process,process.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.9.0-dev+exp,true,process,process.pe.debug.size,long,extended,,816,Size of the debug information.
+1.9.0-dev+exp,true,process,process.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.9.0-dev+exp,true,process,process.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
 1.9.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.9.0-dev+exp,true,process,process.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
 1.9.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.9.0-dev+exp,true,process,process.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
 1.9.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.9.0-dev+exp,true,process,process.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.9.0-dev+exp,true,process,process.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
 1.9.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
 1.9.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.9.0-dev+exp,true,process,process.pe.resources,nested,extended,array,,PE resource information
+1.9.0-dev+exp,true,process,process.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.9.0-dev+exp,true,process,process.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.9.0-dev+exp,true,process,process.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.9.0-dev+exp,true,process,process.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.9.0-dev+exp,true,process,process.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.9.0-dev+exp,true,process,process.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.9.0-dev+exp,true,process,process.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.9.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.9.0-dev+exp,true,process,process.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.9.0-dev+exp,true,process,process.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.9.0-dev+exp,true,process,process.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.9.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.9.0-dev+exp,true,process,process.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.9.0-dev+exp,true,process,process.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
 1.9.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to.
 1.9.0-dev+exp,true,process,process.pid,long,core,,4242,Process id.
 1.9.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 54583bb5ad..ee97af19e6 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1403,6 +1403,18 @@ dll.pe.architecture:
   original_fieldset: pe
   short: CPU architecture target for the file.
   type: keyword
+dll.pe.authentihash:
+  dashed_name: dll-pe-authentihash
+  description: Authentihash of the PE file.
+  example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+  flat_name: dll.pe.authentihash
+  ignore_above: 1024
+  level: extended
+  name: authentihash
+  normalize: []
+  original_fieldset: pe
+  short: Authentihash of the PE file.
+  type: keyword
 dll.pe.company:
   dashed_name: dll-pe-company
   description: Internal company name of the file, provided at compile-time.
@@ -1415,6 +1427,113 @@ dll.pe.company:
   original_fieldset: pe
   short: Internal company name of the file, provided at compile-time.
   type: keyword
+dll.pe.compile_timestamp:
+  dashed_name: dll-pe-compile-timestamp
+  description: Compile timestamp of the PE file.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: dll.pe.compile_timestamp
+  level: extended
+  name: compile_timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Compile timestamp of the PE file.
+  type: date
+dll.pe.compiler.name:
+  dashed_name: dll-pe-compiler-name
+  description: Name of the compiler
+  example: Clang
+  flat_name: dll.pe.compiler.name
+  ignore_above: 1024
+  level: extended
+  name: compiler.name
+  normalize: []
+  original_fieldset: pe
+  short: Name of the compiler
+  type: keyword
+dll.pe.compiler.version:
+  dashed_name: dll-pe-compiler-version
+  description: Version of the compiler.
+  example: 11.0.0
+  flat_name: dll.pe.compiler.version
+  ignore_above: 1024
+  level: extended
+  name: compiler.version
+  normalize: []
+  original_fieldset: pe
+  short: Version of the compiler.
+  type: keyword
+dll.pe.creation_date:
+  dashed_name: dll-pe-creation-date
+  description: Extracted when possible from the file's metadata. Indicates when it
+    was built or compiled. It can also be faked by malware creators.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: dll.pe.creation_date
+  level: extended
+  name: creation_date
+  normalize: []
+  original_fieldset: pe
+  short: Build or compile date.
+  type: date
+dll.pe.debug:
+  dashed_name: dll-pe-debug
+  description: 'An array containing an object for each debug entry, if present.
+
+    The expected fields for this nested object fall under the `debug.` prefix.'
+  flat_name: dll.pe.debug
+  level: extended
+  name: debug
+  normalize:
+  - array
+  original_fieldset: pe
+  short: Debug information
+  type: nested
+dll.pe.debug.offset:
+  dashed_name: dll-pe-debug-offset
+  description: Debug offset information.
+  example: 1296336
+  flat_name: dll.pe.debug.offset
+  ignore_above: 1024
+  level: extended
+  name: debug.offset
+  normalize: []
+  original_fieldset: pe
+  short: Debug offset information.
+  type: keyword
+dll.pe.debug.size:
+  dashed_name: dll-pe-debug-size
+  description: Size of the debug information.
+  example: 816
+  flat_name: dll.pe.debug.size
+  format: bytes
+  level: extended
+  name: debug.size
+  normalize: []
+  original_fieldset: pe
+  short: Size of the debug information.
+  type: long
+dll.pe.debug.timestamp:
+  dashed_name: dll-pe-debug-timestamp
+  description: Timestamp of the debug information.
+  example: '2020-11-05T17:25:47.000Z'
+  flat_name: dll.pe.debug.timestamp
+  level: extended
+  name: debug.timestamp
+  normalize: []
+  original_fieldset: pe
+  short: Timestamp of the debug information.
+  type: date
+dll.pe.debug.type:
+  dashed_name: dll-pe-debug-type
+  description: Information type generated by the debug options.
+  example: IMAGE_DEBUG_TYPE_POGO
+  flat_name: dll.pe.debug.type
+  ignore_above: 1024
+  level: extended
+  name: debug.type
+  normalize: []
+  original_fieldset: pe
+  short: Information type generated by the debug options.
+  type: keyword
 dll.pe.description:
   dashed_name: dll-pe-description
   description: Internal description of the file, provided at compile-time.
@@ -1427,6 +1546,31 @@ dll.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword +dll.pe.entry_point: + dashed_name: dll-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: dll.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword +dll.pe.exports: + dashed_name: dll-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: dll.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword dll.pe.file_version: dashed_name: dll-pe-file-version description: Internal version of the file, provided at compile-time. @@ -1439,6 +1583,19 @@ dll.pe.file_version: original_fieldset: pe short: Process name. type: keyword +dll.pe.icon.hash.dhash: + dashed_name: dll-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: dll.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + type: keyword dll.pe.imphash: dashed_name: dll-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -1455,6 +1612,30 @@ dll.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +dll.pe.imports: + dashed_name: dll-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: dll.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened +dll.pe.machine_type: + dashed_name: dll-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: dll.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword dll.pe.original_file_name: dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -1466,6 +1647,19 @@ dll.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard +dll.pe.packers: + dashed_name: dll-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: dll.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -1478,6 +1672,183 @@ dll.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +dll.pe.resources: + dashed_name: dll-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: dll.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested +dll.pe.resources.chi2: + dashed_name: dll-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: dll.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +dll.pe.resources.entropy: + dashed_name: dll-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: dll.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +dll.pe.resources.filetype: + dashed_name: dll-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: dll.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword +dll.pe.resources.language: + dashed_name: dll-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: dll.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword +dll.pe.resources.sha256: + dashed_name: dll-pe-resources-sha256 + description: SHA256 hash of resources section. 
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: dll.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword +dll.pe.resources.type: + dashed_name: dll-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: dll.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword +dll.pe.rich_header.hash.md5: + dashed_name: dll-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: dll.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword +dll.pe.sections: + dashed_name: dll-pe-sections + description: Data about sections of compiled binary PE + flat_name: dll.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +dll.pe.sections.chi2: + dashed_name: dll-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: dll.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +dll.pe.sections.entropy: + dashed_name: dll-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: dll.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. 
+ type: float +dll.pe.sections.flags: + dashed_name: dll-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: dll.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword +dll.pe.sections.name: + dashed_name: dll-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: dll.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword +dll.pe.sections.raw_size: + dashed_name: dll-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: dll.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long +dll.pe.sections.virtual_address: + dashed_name: dll-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: dll.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long dns.answers: dashed_name: dns-answers description: 'An array containing an object for each answer section returned by 
@@ -2884,6 +3255,18 @@ file.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword +file.pe.authentihash: + dashed_name: file-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: file.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword file.pe.company: dashed_name: file-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -2896,6 +3279,113 @@ file.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword +file.pe.compile_timestamp: + dashed_name: file-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +file.pe.compiler.name: + dashed_name: file-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: file.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword +file.pe.compiler.version: + dashed_name: file-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: file.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword +file.pe.creation_date: + dashed_name: file-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date +file.pe.debug: + dashed_name: file-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: file.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +file.pe.debug.offset: + dashed_name: file-pe-debug-offset + description: Debug offset information. 
+ example: 1296336 + flat_name: file.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword +file.pe.debug.size: + dashed_name: file-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: file.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long +file.pe.debug.timestamp: + dashed_name: file-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date +file.pe.debug.type: + dashed_name: file-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: file.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword file.pe.description: dashed_name: file-pe-description description: Internal description of the file, provided at compile-time. 
@@ -2908,6 +3398,31 @@ file.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword +file.pe.entry_point: + dashed_name: file-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: file.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword +file.pe.exports: + dashed_name: file-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: file.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword file.pe.file_version: dashed_name: file-pe-file-version description: Internal version of the file, provided at compile-time. @@ -2920,6 +3435,19 @@ file.pe.file_version: original_fieldset: pe short: Process name. type: keyword +file.pe.icon.hash.dhash: + dashed_name: file-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: file.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + type: keyword file.pe.imphash: dashed_name: file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -2936,6 +3464,30 @@ file.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +file.pe.imports: + dashed_name: file-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: file.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened +file.pe.machine_type: + dashed_name: file-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: file.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword file.pe.original_file_name: dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -2947,6 +3499,19 @@ file.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard +file.pe.packers: + dashed_name: file-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: file.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -2959,38 +3524,215 @@ file.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -file.size: - dashed_name: file-size - description: 'File size in bytes. +file.pe.resources: + dashed_name: file-pe-resources + description: 'An array containing an object for each PE resource, if present. - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: file.size + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: file.pe.resources level: extended - name: size + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested +file.pe.resources.chi2: + dashed_name: file-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: file.pe.resources.chi2 + level: extended + name: resources.chi2 normalize: [] - short: File size in bytes. + original_fieldset: pe + short: Chi-square probability distribution. type: long -file.target_path: - dashed_name: file-target-path - description: Target path for symlinks. - flat_name: file.target_path +file.pe.resources.entropy: + dashed_name: file-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: file.pe.resources.entropy level: extended - multi_fields: - - flat_name: file.target_path.text - name: text - norms: false - type: text - name: target_path + name: resources.entropy normalize: [] - short: Target path for symlinks. - type: wildcard -file.type: - dashed_name: file-type - description: File type (file, dir, or symlink). - example: file - flat_name: file.type - ignore_above: 1024 + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +file.pe.resources.filetype: + dashed_name: file-pe-resources-filetype + description: File type of the resources section. 
+ example: Data + flat_name: file.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword +file.pe.resources.language: + dashed_name: file-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: file.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword +file.pe.resources.sha256: + dashed_name: file-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: file.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword +file.pe.resources.type: + dashed_name: file-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: file.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword +file.pe.rich_header.hash.md5: + dashed_name: file-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: file.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. 
+ type: keyword +file.pe.sections: + dashed_name: file-pe-sections + description: Data about sections of compiled binary PE + flat_name: file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +file.pe.sections.chi2: + dashed_name: file-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: file.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +file.pe.sections.entropy: + dashed_name: file-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: file.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float +file.pe.sections.flags: + dashed_name: file-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: file.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword +file.pe.sections.name: + dashed_name: file-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword +file.pe.sections.raw_size: + dashed_name: file-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: file.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. 
+ type: long +file.pe.sections.virtual_address: + dashed_name: file-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: file.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long +file.size: + dashed_name: file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: file.size + level: extended + name: size + normalize: [] + short: File size in bytes. + type: long +file.target_path: + dashed_name: file-target-path + description: Target path for symlinks. + flat_name: file.target_path + level: extended + multi_fields: + - flat_name: file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + short: Target path for symlinks. + type: wildcard +file.type: + dashed_name: file-type + description: File type (file, dir, or symlink). + example: file + flat_name: file.type + ignore_above: 1024 level: extended name: type normalize: [] @@ -5682,6 +6424,18 @@ process.parent.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword +process.parent.pe.authentihash: + dashed_name: process-parent-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: process.parent.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword process.parent.pe.company: dashed_name: process-parent-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -5694,6 +6448,113 @@ process.parent.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword +process.parent.pe.compile_timestamp: + dashed_name: process-parent-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +process.parent.pe.compiler.name: + dashed_name: process-parent-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: process.parent.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword +process.parent.pe.compiler.version: + dashed_name: process-parent-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: process.parent.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword +process.parent.pe.creation_date: + dashed_name: process-parent-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date +process.parent.pe.debug: + dashed_name: process-parent-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' 
+ flat_name: process.parent.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +process.parent.pe.debug.offset: + dashed_name: process-parent-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: process.parent.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword +process.parent.pe.debug.size: + dashed_name: process-parent-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: process.parent.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long +process.parent.pe.debug.timestamp: + dashed_name: process-parent-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date +process.parent.pe.debug.type: + dashed_name: process-parent-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: process.parent.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword process.parent.pe.description: dashed_name: process-parent-pe-description description: Internal description of the file, provided at compile-time. 
@@ -5706,6 +6567,31 @@ process.parent.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword +process.parent.pe.entry_point: + dashed_name: process-parent-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: process.parent.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword +process.parent.pe.exports: + dashed_name: process-parent-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: process.parent.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword process.parent.pe.file_version: dashed_name: process-parent-pe-file-version description: Internal version of the file, provided at compile-time. @@ -5718,6 +6604,19 @@ process.parent.pe.file_version: original_fieldset: pe short: Process name. type: keyword +process.parent.pe.icon.hash.dhash: + dashed_name: process-parent-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: process.parent.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + type: keyword process.parent.pe.imphash: dashed_name: process-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -5734,6 +6633,30 @@ process.parent.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: process.parent.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened +process.parent.pe.machine_type: + dashed_name: process-parent-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: process.parent.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword process.parent.pe.original_file_name: dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -5745,6 +6668,19 @@ process.parent.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard +process.parent.pe.packers: + dashed_name: process-parent-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: process.parent.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -5757,6 +6693,183 @@ process.parent.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +process.parent.pe.resources: + dashed_name: process-parent-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: process.parent.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested +process.parent.pe.resources.chi2: + dashed_name: process-parent-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: process.parent.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +process.parent.pe.resources.entropy: + dashed_name: process-parent-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: process.parent.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +process.parent.pe.resources.filetype: + dashed_name: process-parent-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: process.parent.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword +process.parent.pe.resources.language: + dashed_name: process-parent-pe-resources-language + description: Language identification. 
+ example: CHINESE SIMPLIFIED + flat_name: process.parent.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword +process.parent.pe.resources.sha256: + dashed_name: process-parent-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: process.parent.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword +process.parent.pe.resources.type: + dashed_name: process-parent-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: process.parent.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword +process.parent.pe.rich_header.hash.md5: + dashed_name: process-parent-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: process.parent.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword +process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: Data about sections of compiled binary PE + flat_name: process.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +process.parent.pe.sections.chi2: + dashed_name: process-parent-pe-sections-chi2 + description: Chi-square probability distribution. 
+ example: 3027194 + flat_name: process.parent.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: process.parent.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float +process.parent.pe.sections.flags: + dashed_name: process-parent-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: process.parent.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword +process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: process.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword +process.parent.pe.sections.raw_size: + dashed_name: process-parent-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: process.parent.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long +process.parent.pe.sections.virtual_address: + dashed_name: process-parent-pe-sections-virtual-address + description: Virtual address available to the file. 
+ example: 8192 + flat_name: process.parent.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long process.parent.pgid: dashed_name: process-parent-pgid description: Identifier of the group of processes the process belongs to. @@ -5883,6 +6996,18 @@ process.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword +process.pe.authentihash: + dashed_name: process-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: process.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword process.pe.company: dashed_name: process-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -5895,6 +7020,113 @@ process.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword +process.pe.compile_timestamp: + dashed_name: process-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +process.pe.compiler.name: + dashed_name: process-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: process.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword +process.pe.compiler.version: + dashed_name: process-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: process.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword +process.pe.creation_date: + dashed_name: process-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date +process.pe.debug: + dashed_name: process-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' 
+ flat_name: process.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +process.pe.debug.offset: + dashed_name: process-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: process.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword +process.pe.debug.size: + dashed_name: process-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: process.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long +process.pe.debug.timestamp: + dashed_name: process-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date +process.pe.debug.type: + dashed_name: process-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: process.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword process.pe.description: dashed_name: process-pe-description description: Internal description of the file, provided at compile-time. 
@@ -5907,6 +7139,31 @@ process.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword +process.pe.entry_point: + dashed_name: process-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: process.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword +process.pe.exports: + dashed_name: process-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: process.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword process.pe.file_version: dashed_name: process-pe-file-version description: Internal version of the file, provided at compile-time. @@ -5919,6 +7176,19 @@ process.pe.file_version: original_fieldset: pe short: Process name. type: keyword +process.pe.icon.hash.dhash: + dashed_name: process-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: process.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + type: keyword process.pe.imphash: dashed_name: process-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -5935,6 +7205,30 @@ process.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword +process.pe.imports: + dashed_name: process-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: process.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened +process.pe.machine_type: + dashed_name: process-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: process.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword process.pe.original_file_name: dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -5946,6 +7240,19 @@ process.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard +process.pe.packers: + dashed_name: process-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: process.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -5958,6 +7265,183 @@ process.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +process.pe.resources: + dashed_name: process-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: process.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested +process.pe.resources.chi2: + dashed_name: process-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: process.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +process.pe.resources.entropy: + dashed_name: process-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: process.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +process.pe.resources.filetype: + dashed_name: process-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: process.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword +process.pe.resources.language: + dashed_name: process-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: process.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. 
+ type: keyword +process.pe.resources.sha256: + dashed_name: process-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: process.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword +process.pe.resources.type: + dashed_name: process-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: process.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword +process.pe.rich_header.hash.md5: + dashed_name: process-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: process.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword +process.pe.sections: + dashed_name: process-pe-sections + description: Data about sections of compiled binary PE + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +process.pe.sections.chi2: + dashed_name: process-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: process.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Measurement of entropy randomness in the file. 
+ example: 6.24 + flat_name: process.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float +process.pe.sections.flags: + dashed_name: process-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: process.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword +process.pe.sections.name: + dashed_name: process-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword +process.pe.sections.raw_size: + dashed_name: process-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: process.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long +process.pe.sections.virtual_address: + dashed_name: process-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: process.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long process.pgid: dashed_name: process-pgid description: Identifier of the group of processes the process belongs to. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index a0bb8d6a76..4ce5d1a3ea 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -1749,6 +1749,18 @@ dll: original_fieldset: pe short: CPU architecture target for the file. type: keyword + dll.pe.authentihash: + dashed_name: dll-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: dll.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword dll.pe.company: dashed_name: dll-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -1761,6 +1773,113 @@ dll: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword + dll.pe.compile_timestamp: + dashed_name: dll-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: dll.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + dll.pe.compiler.name: + dashed_name: dll-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: dll.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + dll.pe.compiler.version: + dashed_name: dll-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: dll.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + dll.pe.creation_date: + dashed_name: dll-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: dll.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + dll.pe.debug: + dashed_name: dll-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: dll.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + dll.pe.debug.offset: + dashed_name: dll-pe-debug-offset + description: Debug offset information. 
+ example: 1296336 + flat_name: dll.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + dll.pe.debug.size: + dashed_name: dll-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: dll.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + dll.pe.debug.timestamp: + dashed_name: dll-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: dll.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + dll.pe.debug.type: + dashed_name: dll-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: dll.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword dll.pe.description: dashed_name: dll-pe-description description: Internal description of the file, provided at compile-time. 
@@ -1773,6 +1892,31 @@ dll: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword + dll.pe.entry_point: + dashed_name: dll-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: dll.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + dll.pe.exports: + dashed_name: dll-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: dll.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword dll.pe.file_version: dashed_name: dll-pe-file-version description: Internal version of the file, provided at compile-time. @@ -1785,6 +1929,20 @@ dll: original_fieldset: pe short: Process name. type: keyword + dll.pe.icon.hash.dhash: + dashed_name: dll-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: dll.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword dll.pe.imphash: dashed_name: dll-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -1801,6 +1959,30 @@ dll: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + dll.pe.imports: + dashed_name: dll-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: dll.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + dll.pe.machine_type: + dashed_name: dll-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: dll.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword dll.pe.original_file_name: dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -1812,6 +1994,19 @@ dll: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard + dll.pe.packers: + dashed_name: dll-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: dll.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -1824,6 +2019,183 @@ dll: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + dll.pe.resources: + dashed_name: dll-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: dll.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + dll.pe.resources.chi2: + dashed_name: dll-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: dll.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + dll.pe.resources.entropy: + dashed_name: dll-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: dll.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + dll.pe.resources.filetype: + dashed_name: dll-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: dll.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword + dll.pe.resources.language: + dashed_name: dll-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: dll.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword + dll.pe.resources.sha256: + dashed_name: dll-pe-resources-sha256 + description: SHA256 hash of resources section. 
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: dll.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + dll.pe.resources.type: + dashed_name: dll-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: dll.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + dll.pe.rich_header.hash.md5: + dashed_name: dll-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: dll.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword + dll.pe.sections: + dashed_name: dll-pe-sections + description: Data about sections of compiled binary PE + flat_name: dll.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + dll.pe.sections.chi2: + dashed_name: dll-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: dll.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + dll.pe.sections.entropy: + dashed_name: dll-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: dll.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. 
+ type: float + dll.pe.sections.flags: + dashed_name: dll-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: dll.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + dll.pe.sections.name: + dashed_name: dll-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: dll.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword + dll.pe.sections.raw_size: + dashed_name: dll-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: dll.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + dll.pe.sections.virtual_address: + dashed_name: dll-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: dll.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long group: 2 name: dll nestings: 
@@ -3332,6 +3704,18 @@ file: original_fieldset: pe short: CPU architecture target for the file. type: keyword + file.pe.authentihash: + dashed_name: file-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: file.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword file.pe.company: dashed_name: file-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -3344,6 +3728,113 @@ file: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword + file.pe.compile_timestamp: + dashed_name: file-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + file.pe.compiler.name: + dashed_name: file-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: file.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + file.pe.compiler.version: + dashed_name: file-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: file.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + file.pe.creation_date: + dashed_name: file-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + file.pe.debug: + dashed_name: file-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: file.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + file.pe.debug.offset: + dashed_name: file-pe-debug-offset + description: Debug offset information. 
+ example: 1296336 + flat_name: file.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + file.pe.debug.size: + dashed_name: file-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: file.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + file.pe.debug.timestamp: + dashed_name: file-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: file.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + file.pe.debug.type: + dashed_name: file-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: file.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword file.pe.description: dashed_name: file-pe-description description: Internal description of the file, provided at compile-time. 
@@ -3356,6 +3847,31 @@ file: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword + file.pe.entry_point: + dashed_name: file-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: file.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + file.pe.exports: + dashed_name: file-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: file.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword file.pe.file_version: dashed_name: file-pe-file-version description: Internal version of the file, provided at compile-time. @@ -3368,6 +3884,20 @@ file: original_fieldset: pe short: Process name. type: keyword + file.pe.icon.hash.dhash: + dashed_name: file-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: file.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword file.pe.imphash: dashed_name: file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -3384,6 +3914,30 @@ file: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + file.pe.imports: + dashed_name: file-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: file.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + file.pe.machine_type: + dashed_name: file-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: file.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword file.pe.original_file_name: dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -3395,6 +3949,19 @@ file: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard + file.pe.packers: + dashed_name: file-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: file.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -3407,38 +3974,215 @@ file: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - file.size: - dashed_name: file-size - description: 'File size in bytes. + file.pe.resources: + dashed_name: file-pe-resources + description: 'An array containing an object for each PE resource, if present. - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: file.size + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: file.pe.resources level: extended - name: size + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + file.pe.resources.chi2: + dashed_name: file-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: file.pe.resources.chi2 + level: extended + name: resources.chi2 normalize: [] - short: File size in bytes. + original_fieldset: pe + short: Chi-square probability distribution. type: long - file.target_path: - dashed_name: file-target-path - description: Target path for symlinks. - flat_name: file.target_path + file.pe.resources.entropy: + dashed_name: file-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: file.pe.resources.entropy level: extended - multi_fields: - - flat_name: file.target_path.text - name: text - norms: false - type: text - name: target_path + name: resources.entropy normalize: [] - short: Target path for symlinks. - type: wildcard - file.type: - dashed_name: file-type - description: File type (file, dir, or symlink). - example: file - flat_name: file.type - ignore_above: 1024 + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + file.pe.resources.filetype: + dashed_name: file-pe-resources-filetype + description: File type of the resources section. 
+ example: Data + flat_name: file.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword + file.pe.resources.language: + dashed_name: file-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: file.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword + file.pe.resources.sha256: + dashed_name: file-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: file.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + file.pe.resources.type: + dashed_name: file-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: file.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + file.pe.rich_header.hash.md5: + dashed_name: file-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: file.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. 
+ type: keyword + file.pe.sections: + dashed_name: file-pe-sections + description: Data about sections of compiled binary PE + flat_name: file.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + file.pe.sections.chi2: + dashed_name: file-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: file.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + file.pe.sections.entropy: + dashed_name: file-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: file.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + file.pe.sections.flags: + dashed_name: file-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: file.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + file.pe.sections.name: + dashed_name: file-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: file.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword + file.pe.sections.raw_size: + dashed_name: file-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: file.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. 
+ type: long + file.pe.sections.virtual_address: + dashed_name: file-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: file.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long + file.size: + dashed_name: file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: file.size + level: extended + name: size + normalize: [] + short: File size in bytes. + type: long + file.target_path: + dashed_name: file-target-path + description: Target path for symlinks. + flat_name: file.target_path + level: extended + multi_fields: + - flat_name: file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + short: Target path for symlinks. + type: wildcard + file.type: + dashed_name: file-type + description: File type (file, dir, or symlink). + example: file + flat_name: file.type + ignore_above: 1024 level: extended name: type normalize: [] @@ -6243,6 +6987,17 @@ pe: normalize: [] short: CPU architecture target for the file. type: keyword + pe.authentihash: + dashed_name: pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + short: Authentihash of the PE file. + type: keyword pe.company: dashed_name: pe-company description: Internal company name of the file, provided at compile-time. 
@@ -6254,6 +7009,104 @@ pe: normalize: [] short: Internal company name of the file, provided at compile-time. type: keyword + pe.compile_timestamp: + dashed_name: pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + short: Compile timestamp of the PE file. + type: date + pe.compiler.name: + dashed_name: pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + short: Name of the compiler + type: keyword + pe.compiler.version: + dashed_name: pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + short: Version of the compiler. + type: keyword + pe.creation_date: + dashed_name: pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: pe.creation_date + level: extended + name: creation_date + normalize: [] + short: Build or compile date. + type: date + pe.debug: + dashed_name: pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: pe.debug + level: extended + name: debug + normalize: + - array + short: Debug information + type: nested + pe.debug.offset: + dashed_name: pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + short: Debug offset information. 
+ type: keyword + pe.debug.size: + dashed_name: pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + short: Size of the debug information. + type: long + pe.debug.timestamp: + dashed_name: pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + short: Timestamp of the debug information. + type: date + pe.debug.type: + dashed_name: pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + short: Information type generated by the debug options. + type: keyword pe.description: dashed_name: pe-description description: Internal description of the file, provided at compile-time. @@ -6265,6 +7118,29 @@ pe: normalize: [] short: Internal description of the file, provided at compile-time. type: keyword + pe.entry_point: + dashed_name: pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + short: Relative byte offset to the base of the PE file. + type: keyword + pe.exports: + dashed_name: pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + short: List of symbols exported by PE + type: keyword pe.file_version: dashed_name: pe-file-version description: Internal version of the file, provided at compile-time. 
@@ -6276,6 +7152,19 @@ pe: normalize: [] short: Process name. type: keyword + pe.icon.hash.dhash: + dashed_name: pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword pe.imphash: dashed_name: pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash @@ -6291,6 +7180,28 @@ pe: normalize: [] short: A hash of the imports in a PE file. type: keyword + pe.imports: + dashed_name: pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: pe.imports + level: extended + name: imports + normalize: [] + short: List of all imported functions + type: flattened + pe.machine_type: + dashed_name: pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + short: Machine type of the PE file. + type: keyword pe.original_file_name: dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -6301,6 +7212,18 @@ pe: normalize: [] short: Internal name of the file, provided at compile-time. type: wildcard + pe.packers: + dashed_name: pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + short: List of packers and tools used. + type: keyword pe.product: dashed_name: pe-product description: Internal product name of the file, provided at compile-time. 
@@ -6312,6 +7235,168 @@ pe: normalize: [] short: Internal product name of the file, provided at compile-time. type: keyword + pe.resources: + dashed_name: pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: pe.resources + level: extended + name: resources + normalize: + - array + short: PE resource information + type: nested + pe.resources.chi2: + dashed_name: pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + short: Chi-square probability distribution. + type: long + pe.resources.entropy: + dashed_name: pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + short: Measurement of entropy randomness in the resources section. + type: long + pe.resources.filetype: + dashed_name: pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + short: File type of the resources section. + type: keyword + pe.resources.language: + dashed_name: pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + short: Language identification. + type: keyword + pe.resources.sha256: + dashed_name: pe-resources-sha256 + description: SHA256 hash of resources section. 
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + short: SHA256 hash of resources section. + type: keyword + pe.resources.type: + dashed_name: pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + short: List of resource types. + type: keyword + pe.rich_header.hash.md5: + dashed_name: pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + short: MD5 hash of the header for the PE file. + type: keyword + pe.sections: + dashed_name: pe-sections + description: Data about sections of compiled binary PE + flat_name: pe.sections + level: extended + name: sections + normalize: + - array + short: Data about sections of the compiled binary PE + type: nested + pe.sections.chi2: + dashed_name: pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + short: Chi-square probability distribution. + type: long + pe.sections.entropy: + dashed_name: pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + short: Measurement of entropy randomness in the file. + type: float + pe.sections.flags: + dashed_name: pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + short: Section flags of the file. 
+ type: keyword + pe.sections.name: + dashed_name: pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + short: Section names of the file. + type: keyword + pe.sections.raw_size: + dashed_name: pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + short: Size of the section or the dize of the initialized data on disk. + type: long + pe.sections.virtual_address: + dashed_name: pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + short: Virtual address available to the file. + type: long group: 2 name: pe prefix: pe. @@ -6824,6 +7909,18 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword + process.parent.pe.authentihash: + dashed_name: process-parent-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: process.parent.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword process.parent.pe.company: dashed_name: process-parent-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -6836,6 +7933,113 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword + process.parent.pe.compile_timestamp: + dashed_name: process-parent-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + process.parent.pe.compiler.name: + dashed_name: process-parent-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: process.parent.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + process.parent.pe.compiler.version: + dashed_name: process-parent-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: process.parent.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + process.parent.pe.creation_date: + dashed_name: process-parent-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + process.parent.pe.debug: + dashed_name: process-parent-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' 
+ flat_name: process.parent.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + process.parent.pe.debug.offset: + dashed_name: process-parent-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: process.parent.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + process.parent.pe.debug.size: + dashed_name: process-parent-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: process.parent.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + process.parent.pe.debug.timestamp: + dashed_name: process-parent-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.parent.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + process.parent.pe.debug.type: + dashed_name: process-parent-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: process.parent.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword process.parent.pe.description: dashed_name: process-parent-pe-description description: Internal description of the file, provided at compile-time. 
@@ -6848,6 +8052,31 @@ process: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword + process.parent.pe.entry_point: + dashed_name: process-parent-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: process.parent.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + process.parent.pe.exports: + dashed_name: process-parent-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: process.parent.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword process.parent.pe.file_version: dashed_name: process-parent-pe-file-version description: Internal version of the file, provided at compile-time. @@ -6860,6 +8089,20 @@ process: original_fieldset: pe short: Process name. type: keyword + process.parent.pe.icon.hash.dhash: + dashed_name: process-parent-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: process.parent.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword process.parent.pe.imphash: dashed_name: process-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -6876,6 +8119,30 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + process.parent.pe.imports: + dashed_name: process-parent-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: process.parent.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + process.parent.pe.machine_type: + dashed_name: process-parent-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: process.parent.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword process.parent.pe.original_file_name: dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -6887,6 +8154,19 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard + process.parent.pe.packers: + dashed_name: process-parent-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: process.parent.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -6899,6 +8179,183 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + process.parent.pe.resources: + dashed_name: process-parent-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: process.parent.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + process.parent.pe.resources.chi2: + dashed_name: process-parent-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: process.parent.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + process.parent.pe.resources.entropy: + dashed_name: process-parent-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: process.parent.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + process.parent.pe.resources.filetype: + dashed_name: process-parent-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: process.parent.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword + process.parent.pe.resources.language: + dashed_name: process-parent-pe-resources-language + description: Language identification. 
+ example: CHINESE SIMPLIFIED + flat_name: process.parent.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword + process.parent.pe.resources.sha256: + dashed_name: process-parent-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: process.parent.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + process.parent.pe.resources.type: + dashed_name: process-parent-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: process.parent.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + process.parent.pe.rich_header.hash.md5: + dashed_name: process-parent-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: process.parent.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword + process.parent.pe.sections: + dashed_name: process-parent-pe-sections + description: Data about sections of compiled binary PE + flat_name: process.parent.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + process.parent.pe.sections.chi2: + dashed_name: process-parent-pe-sections-chi2 + description: Chi-square probability distribution. 
+ example: 3027194 + flat_name: process.parent.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + process.parent.pe.sections.entropy: + dashed_name: process-parent-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: process.parent.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + process.parent.pe.sections.flags: + dashed_name: process-parent-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: process.parent.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + process.parent.pe.sections.name: + dashed_name: process-parent-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: process.parent.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword + process.parent.pe.sections.raw_size: + dashed_name: process-parent-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: process.parent.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + process.parent.pe.sections.virtual_address: + dashed_name: process-parent-pe-sections-virtual-address + description: Virtual address available to the file. 
+ example: 8192 + flat_name: process.parent.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long process.parent.pgid: dashed_name: process-parent-pgid description: Identifier of the group of processes the process belongs to. @@ -7025,6 +8482,18 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword + process.pe.authentihash: + dashed_name: process-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: process.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword process.pe.company: dashed_name: process-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -7037,6 +8506,113 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword + process.pe.compile_timestamp: + dashed_name: process-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + process.pe.compiler.name: + dashed_name: process-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: process.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + process.pe.compiler.version: + dashed_name: process-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: process.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + process.pe.creation_date: + dashed_name: process-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + process.pe.debug: + dashed_name: process-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' 
+ flat_name: process.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + process.pe.debug.offset: + dashed_name: process-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: process.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + process.pe.debug.size: + dashed_name: process-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: process.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + process.pe.debug.timestamp: + dashed_name: process-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: process.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + process.pe.debug.type: + dashed_name: process-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: process.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword process.pe.description: dashed_name: process-pe-description description: Internal description of the file, provided at compile-time. 
@@ -7049,6 +8625,31 @@ process: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword + process.pe.entry_point: + dashed_name: process-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: process.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + process.pe.exports: + dashed_name: process-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: process.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword process.pe.file_version: dashed_name: process-pe-file-version description: Internal version of the file, provided at compile-time. @@ -7061,6 +8662,20 @@ process: original_fieldset: pe short: Process name. type: keyword + process.pe.icon.hash.dhash: + dashed_name: process-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: process.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword process.pe.imphash: dashed_name: process-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -7077,6 +8692,30 @@ process: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword + process.pe.imports: + dashed_name: process-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: process.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + process.pe.machine_type: + dashed_name: process-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: process.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword process.pe.original_file_name: dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -7088,6 +8727,19 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard + process.pe.packers: + dashed_name: process-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: process.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword process.pe.product: dashed_name: process-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -7100,6 +8752,183 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword + process.pe.resources: + dashed_name: process-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: process.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + process.pe.resources.chi2: + dashed_name: process-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: process.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + process.pe.resources.entropy: + dashed_name: process-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: process.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + process.pe.resources.filetype: + dashed_name: process-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: process.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword + process.pe.resources.language: + dashed_name: process-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: process.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. 
+ type: keyword + process.pe.resources.sha256: + dashed_name: process-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: process.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + process.pe.resources.type: + dashed_name: process-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: process.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + process.pe.rich_header.hash.md5: + dashed_name: process-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: process.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword + process.pe.sections: + dashed_name: process-pe-sections + description: Data about sections of compiled binary PE + flat_name: process.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + process.pe.sections.chi2: + dashed_name: process-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: process.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + process.pe.sections.entropy: + dashed_name: process-pe-sections-entropy + description: Measurement of entropy randomness in the file. 
+ example: 6.24 + flat_name: process.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + process.pe.sections.flags: + dashed_name: process-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: process.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + process.pe.sections.name: + dashed_name: process-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: process.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword + process.pe.sections.raw_size: + dashed_name: process-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: process.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + process.pe.sections.virtual_address: + dashed_name: process-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: process.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long process.pgid: dashed_name: process-pgid description: Identifier of the group of processes the process belongs to. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 451c03c849..ae2eb9f34b 100644 --- a/experimental/generated/elasticsearch/7/template.json 
+++ b/experimental/generated/elasticsearch/7/template.json 
@@ -568,28 +568,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } } 
@@ -926,28 +1062,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, 
@@ -2009,28 +2281,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, 
@@ -2085,28 +2493,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json index f791052452..5e7702fb92 100644 --- a/experimental/generated/elasticsearch/component/dll.json +++ b/experimental/generated/elasticsearch/component/dll.json 
@@ -67,28 +67,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } } diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json index 0ae17a7b92..5a5d4de0df 100644 --- a/experimental/generated/elasticsearch/component/file.json +++ b/experimental/generated/elasticsearch/component/file.json 
@@ -127,28 +127,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json index ed0330dafa..c5747746c8 100644 --- a/experimental/generated/elasticsearch/component/process.json +++ b/experimental/generated/elasticsearch/component/process.json 
@@ -188,28 +188,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, 
@@ -264,28 +400,164 @@ "ignore_above": 1024, "type": "keyword" }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, "description": { "ignore_above": 1024, "type": "keyword" }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, "file_version": { "ignore_above": 1024, "type": "keyword" }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, "imphash": { "ignore_above": 1024, "type": "keyword" }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "type": "wildcard" }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, "product": { "ignore_above": 1024, "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + 
"chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" } } }, diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml index 77a0574348..9ed4b4da8c 100644 --- a/experimental/schemas/pe.yml +++ b/experimental/schemas/pe.yml 
@@ -3,3 +3,228 @@
 fields:
 - name: original_file_name
 type: wildcard
+
+ - name: icon.hash.dhash
+ level: extended
+ type: keyword
+ description: >
+ Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+
+ example: b806e17c8e330d82
+
+ - name: debug
+ level: extended
+ type: nested
+ short: Debug information
+ description: >
+ An array containing an object for each debug entry, if present.
+
+ The expected fields for this nested object fall under the `debug.` prefix.
+ normalize:
+ - array
+
+ - name: debug.offset
+ level: extended
+ type: keyword
+ description: Debug offset information.
+ example: 1296336
+
+ - name: debug.size
+ level: extended
+ type: long
+ format: bytes
+ description: Size of the debug information.
+ example: 816
+
+ - name: debug.type
+ level: extended
+ type: keyword
+ description: Information type generated by the debug options.
+ example: IMAGE_DEBUG_TYPE_POGO
+
+ - name: debug.timestamp
+ level: extended
+ type: date
+ description: Timestamp of the debug information.
+ example: "2020-11-05T17:25:47.000Z"
+
+ - name: imports
+ level: extended
+ type: flattened
+ description: List of all imported functions
+ example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }'
+
+ - name: sections
+ level: extended
+ short: Data about sections of the compiled binary PE
+ description: >
+ Data about sections of compiled binary PE
+ type: nested
+ normalize:
+ - array
+
+ - name: sections.chi2
+ level: extended
+ description: Chi-square probability distribution.
+ type: long
+ example: 3027194
+
+ - name: sections.virtual_address
+ level: extended
+ description: Virtual address available to the file.
+ type: long
+ format: bytes
+ example: 8192
+
+ - name: sections.entropy
+ level: extended
+ description: Measurement of entropy randomness in the file.
+ type: float
+ example: 6.24
+
+ - name: sections.flags
+ level: extended
+ description: Section flags of the file.
+ type: keyword
+ example: rx
+
+ - name: sections.name
+ level: extended
+ description: Section names of the file.
+ type: keyword
+ example: .text, .data
+
+ - name: sections.raw_size
+ level: extended
+ description: Size of the section or the dize of the initialized data on disk.
+ type: long
+ format: bytes
+ example: 198144
+
+ - name: resources
+ level: extended
+ type: nested
+ short: PE resource information
+ description: >
+ An array containing an object for each PE resource, if present.
+
+ The expected fields for this nested object fall under the `resources.` prefix.
+ normalize:
+ - array
+
+ - name: resources.chi2
+ level: extended
+ description: Chi-square probability distribution.
+ type: long
+ example: -1
+
+ - name: resources.filetype
+ level: extended
+ description: File type of the resources section.
+ type: keyword
+ example: Data
+
+ - name: resources.entropy
+ level: extended
+ description: Measurement of entropy randomness in the resources section.
+ type: long
+ example: 0, 1
+
+ - name: resources.sha256
+ level: extended
+ description: SHA256 hash of resources section.
+ type: keyword
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+
+ - name: resources.language
+ level: extended
+ description: Language identification.
+ type: keyword
+ example: "CHINESE SIMPLIFIED"
+
+ - name: resources.type
+ level: extended
+ type: keyword
+ short: List of resource types.
+ description: >
+ Digest of resource types.
+ example: '["RT_VERSION", "RT_MANIFEST"]'
+ normalize:
+ - array
+
+ - name: exports
+ level: extended
+ type: keyword
+ description: >
+ List of symbols exported by PE
+ example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+ normalize:
+ - array
+
+ - name: creation_date
+ level: extended
+ short: Build or compile date.
+ description: >
+ Extracted when possible from the file's metadata. Indicates when it was
+ built or compiled. It can also be faked by malware creators.
+ type: date
+ example: "2020-11-05T17:25:47.000Z"
+
+ - name: authentihash
+ level: extended
+ description: >
+ Authentihash of the PE file.
+ type: keyword
+ example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
+
+ - name: compile_timestamp
+ level: extended
+ description: >
+ Compile timestamp of the PE file.
+ type: date
+ example: "2020-11-05T17:25:47.000Z"
+
+ - name: compiler.name
+ level: extended
+ type: keyword
+ description: >
+ Name of the compiler
+ example: Clang
+
+ - name: compiler.version
+ level: extended
+ type: keyword
+ description: >
+ Version of the compiler.
+ example: 11.0.0
+
+ - name: rich_header.hash.md5
+ level: extended
+ type: keyword
+ description: >
+ MD5 hash of the header for the PE file.
+
+ example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+
+ - name: entry_point
+ level: extended
+ description: >
+ Relative byte offset to the base of the PE file.
+ type: keyword
+ example: 25856
+
+ - name: machine_type
+ level: extended
+ description: >
+ Machine type of the PE file.
+ type: keyword
+ example: "Intel 386 or later, and compatibles"
+
+ - name: packers
+ level: extended
+ description: >
+ List of packers and tools used.
+ type: keyword
+ example: '["ASPack v2.12", ".NET executable"]'
+ normalize:
+ - array
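Review bot: `resources.entropy` is declared `type: long` while its sibling `sections.entropy` is `type: float`; entropy is a real-valued measure (the sections example is `6.24`), so a `long` mapping would truncate the value and make range queries on it misleading, and the generated dll/file/process component mappings in this commit inherit the same type. Suggest `type: float` for `resources.entropy` with a single-valued example such as `6.24` in place of `0, 1`, which reads as two values for a scalar field. `sections.virtual_address` carries `format: bytes`, which ECS uses to render sizes; on an address it would present `8192` as a byte count, so that format seems to belong only on `sections.raw_size` and `debug.size`. The `sections.raw_size` description has a typo, `dize` → `size`. `compile_timestamp` would benefit from the same caveat already given on `creation_date`, e.g. `Compile timestamp of the PE file, as recorded in the header. This value is written by whoever built the file and can be falsified, so it should not be trusted on its own.`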