From 7c289f0767b02888908b35a35053f0ae5a45b091 Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Fri, 19 Nov 2021 10:28:18 -0600
Subject: [PATCH] RFC 0016 extend `pe.*` field set - Set to Stage X (#1670)

* mark as abandoned
* remove pe extensions from experimental schema
* artifacts
* add PR for stage x
* add a changelog entry
---
 CHANGELOG.next.md | 1 +
 experimental/generated/beats/fields.ecs.yml | 1500 +--------
 experimental/generated/csv/fields.csv | 186 --
 experimental/generated/ecs/ecs_flat.yml | 2442 +-------------
 experimental/generated/ecs/ecs_nested.yml | 2839 +----------------
 .../generated/elasticsearch/7/template.json | 826 +----
 .../elasticsearch/component/dll.json | 136 -
 .../elasticsearch/component/file.json | 136 -
 .../elasticsearch/component/process.json | 272 --
 .../elasticsearch/component/threat.json | 272 --
 experimental/schemas/pe.yml | 228 --
 rfcs/text/0014-extend-file-pe.md | 9 +-
 12 files changed, 269 insertions(+), 8578 deletions(-)
 delete mode 100644 experimental/schemas/pe.yml

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index f226cbf90..610433a1e 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -23,6 +23,7 @@ Thanks, you're awesome :-) -->
 
 #### Removed
 - Removing `process.target.*` reuses from experimental schema. #1666
+- Removing RFC 0014 `pe.*` fields from experimental schema. #1670
 
 ### Tooling and Artifact Changes
 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index ce99a48fd..0bff88a49 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1412,13 +1412,6 @@
 description: CPU architecture target for the file.
 example: x64
 default_field: false
- - name: pe.authentihash
- level: extended
- type: keyword
- ignore_above: 1024
- description: Authentihash of the PE file.
- example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78
- default_field: false
 - name: pe.company
 level: extended
 type: keyword
@@ -1426,67 +1419,6 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: pe.compile_timestamp - level: extended - type: date - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: pe.compiler.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the compiler - example: Clang - default_field: false - - name: pe.compiler.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the compiler. - example: 11.0.0 - default_field: false - - name: pe.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: pe.debug - level: extended - type: nested - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - default_field: false - - name: pe.debug.offset - level: extended - type: keyword - ignore_above: 1024 - description: Debug offset information. - example: 1296336 - default_field: false - - name: pe.debug.size - level: extended - type: long - format: bytes - description: Size of the debug information. - example: 816 - default_field: false - - name: pe.debug.timestamp - level: extended - type: date - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: pe.debug.type - level: extended - type: keyword - ignore_above: 1024 - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - default_field: false - name: pe.description level: extended type: keyword 
@@ -1494,20 +1426,6 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false - - name: pe.entry_point - level: extended - type: keyword - ignore_above: 1024 - description: Relative byte offset to the base of the PE file. - example: 25856 - default_field: false - - name: pe.exports - level: extended - type: keyword - ignore_above: 1024 - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - default_field: false - name: pe.file_version level: extended type: keyword @@ -1515,14 +1433,6 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - - name: pe.icon.hash.dhash - level: extended - type: keyword - ignore_above: 1024 - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - default_field: false - name: pe.imphash level: extended type: keyword @@ -1534,20 +1444,6 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: pe.imports - level: extended - type: flattened - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - default_field: false - - name: pe.machine_type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - default_field: false - name: pe.original_file_name level: extended type: keyword 
@@ -1555,13 +1451,6 @@ description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - - name: pe.packers - level: extended - type: keyword - ignore_above: 1024 - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - default_field: false - name: pe.product level: extended type: keyword 
@@ -1569,105 +1458,6 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: pe.resources - level: extended - type: nested - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - default_field: false - - name: pe.resources.chi2 - level: extended - type: long - description: Chi-square probability distribution. - example: -1 - default_field: false - - name: pe.resources.entropy - level: extended - type: long - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - default_field: false - - name: pe.resources.filetype - level: extended - type: keyword - ignore_above: 1024 - description: File type of the resources section. - example: Data - default_field: false - - name: pe.resources.language - level: extended - type: keyword - ignore_above: 1024 - description: Language identification. - example: CHINESE SIMPLIFIED - default_field: false - - name: pe.resources.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - default_field: false - - name: pe.resources.type - level: extended - type: keyword - ignore_above: 1024 - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - default_field: false - - name: pe.rich_header.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - default_field: false - - name: pe.sections - level: extended - type: nested - description: Data about sections of compiled binary PE - default_field: false - - name: pe.sections.chi2 - level: extended - type: long - description: Chi-square probability distribution. 
- example: 3027194 - default_field: false - - name: pe.sections.entropy - level: extended - type: float - description: Measurement of entropy randomness in the file. - example: 6.24 - default_field: false - - name: pe.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: Section flags of the file. - example: rx - default_field: false - - name: pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Section names of the file. - example: .text, .data - default_field: false - - name: pe.sections.raw_size - level: extended - type: long - format: bytes - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - default_field: false - - name: pe.sections.virtual_address - level: extended - type: long - format: bytes - description: Virtual address available to the file. - example: 8192 - default_field: false - name: dns title: DNS group: 2 @@ -3064,13 +2854,6 @@ description: CPU architecture target for the file. example: x64 default_field: false - - name: pe.authentihash - level: extended - type: keyword - ignore_above: 1024 - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - default_field: false - name: pe.company level: extended type: keyword 
@@ -3078,67 +2861,6 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: pe.compile_timestamp - level: extended - type: date - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: pe.compiler.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the compiler - example: Clang - default_field: false - - name: pe.compiler.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the compiler. - example: 11.0.0 - default_field: false - - name: pe.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: pe.debug - level: extended - type: nested - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - default_field: false - - name: pe.debug.offset - level: extended - type: keyword - ignore_above: 1024 - description: Debug offset information. - example: 1296336 - default_field: false - - name: pe.debug.size - level: extended - type: long - format: bytes - description: Size of the debug information. - example: 816 - default_field: false - - name: pe.debug.timestamp - level: extended - type: date - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: pe.debug.type - level: extended - type: keyword - ignore_above: 1024 - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - default_field: false - name: pe.description level: extended type: keyword 
@@ -3146,20 +2868,6 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false - - name: pe.entry_point - level: extended - type: keyword - ignore_above: 1024 - description: Relative byte offset to the base of the PE file. - example: 25856 - default_field: false - - name: pe.exports - level: extended - type: keyword - ignore_above: 1024 - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - default_field: false - name: pe.file_version level: extended type: keyword @@ -3167,14 +2875,6 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - - name: pe.icon.hash.dhash - level: extended - type: keyword - ignore_above: 1024 - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - default_field: false - name: pe.imphash level: extended type: keyword @@ -3186,20 +2886,6 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: pe.imports - level: extended - type: flattened - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - default_field: false - - name: pe.machine_type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - default_field: false - name: pe.original_file_name level: extended type: keyword 
@@ -3207,13 +2893,6 @@ description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - - name: pe.packers - level: extended - type: keyword - ignore_above: 1024 - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - default_field: false - name: pe.product level: extended type: keyword 
@@ -3221,105 +2900,6 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: pe.resources - level: extended - type: nested - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - default_field: false - - name: pe.resources.chi2 - level: extended - type: long - description: Chi-square probability distribution. - example: -1 - default_field: false - - name: pe.resources.entropy - level: extended - type: long - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - default_field: false - - name: pe.resources.filetype - level: extended - type: keyword - ignore_above: 1024 - description: File type of the resources section. - example: Data - default_field: false - - name: pe.resources.language - level: extended - type: keyword - ignore_above: 1024 - description: Language identification. - example: CHINESE SIMPLIFIED - default_field: false - - name: pe.resources.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - default_field: false - - name: pe.resources.type - level: extended - type: keyword - ignore_above: 1024 - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - default_field: false - - name: pe.rich_header.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - default_field: false - - name: pe.sections - level: extended - type: nested - description: Data about sections of compiled binary PE - default_field: false - - name: pe.sections.chi2 - level: extended - type: long - description: Chi-square probability distribution. 
- example: 3027194 - default_field: false - - name: pe.sections.entropy - level: extended - type: float - description: Measurement of entropy randomness in the file. - example: 6.24 - default_field: false - - name: pe.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: Section flags of the file. - example: rx - default_field: false - - name: pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Section names of the file. - example: .text, .data - default_field: false - - name: pe.sections.raw_size - level: extended - type: long - format: bytes - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - default_field: false - - name: pe.sections.virtual_address - level: extended - type: long - format: bytes - description: Virtual address available to the file. - example: 8192 - default_field: false - name: size level: extended type: long @@ -4951,13 +4531,6 @@ description: CPU architecture target for the file. example: x64 default_field: false - - name: authentihash - level: extended - type: keyword - ignore_above: 1024 - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - default_field: false - name: company level: extended type: keyword 
@@ -4965,104 +4538,21 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: compile_timestamp - level: extended - type: date - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: compiler.name + - name: description level: extended type: keyword ignore_above: 1024 - description: Name of the compiler - example: Clang + description: Internal description of the file, provided at compile-time. + example: Paint default_field: false - - name: compiler.version + - name: file_version level: extended type: keyword ignore_above: 1024 - description: Version of the compiler. - example: 11.0.0 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: debug - level: extended - type: nested - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - default_field: false - - name: debug.offset - level: extended - type: keyword - ignore_above: 1024 - description: Debug offset information. - example: 1296336 - default_field: false - - name: debug.size - level: extended - type: long - format: bytes - description: Size of the debug information. - example: 816 - default_field: false - - name: debug.timestamp - level: extended - type: date - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: debug.type - level: extended - type: keyword - ignore_above: 1024 - description: Information type generated by the debug options. 
- example: IMAGE_DEBUG_TYPE_POGO - default_field: false - - name: description - level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint - default_field: false - - name: entry_point - level: extended - type: keyword - ignore_above: 1024 - description: Relative byte offset to the base of the PE file. - example: 25856 - default_field: false - - name: exports - level: extended - type: keyword - ignore_above: 1024 - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - default_field: false - - name: file_version - level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - default_field: false - - name: icon.hash.dhash - level: extended - type: keyword - ignore_above: 1024 - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - default_field: false - - name: imphash + - name: imphash level: extended type: keyword ignore_above: 1024 @@ -5073,20 +4563,6 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: imports - level: extended - type: flattened - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - default_field: false - - name: machine_type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - default_field: false - name: original_file_name level: extended type: keyword 
@@ -5094,13 +4570,6 @@ description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - - name: packers - level: extended - type: keyword - ignore_above: 1024 - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - default_field: false - name: product level: extended type: keyword 
@@ -5108,105 +4577,6 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: resources - level: extended - type: nested - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - default_field: false - - name: resources.chi2 - level: extended - type: long - description: Chi-square probability distribution. - example: -1 - default_field: false - - name: resources.entropy - level: extended - type: long - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - default_field: false - - name: resources.filetype - level: extended - type: keyword - ignore_above: 1024 - description: File type of the resources section. - example: Data - default_field: false - - name: resources.language - level: extended - type: keyword - ignore_above: 1024 - description: Language identification. - example: CHINESE SIMPLIFIED - default_field: false - - name: resources.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - default_field: false - - name: resources.type - level: extended - type: keyword - ignore_above: 1024 - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - default_field: false - - name: rich_header.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - default_field: false - - name: sections - level: extended - type: nested - description: Data about sections of compiled binary PE - default_field: false - - name: sections.chi2 - level: extended - type: long - description: Chi-square probability distribution. 
- example: 3027194 - default_field: false - - name: sections.entropy - level: extended - type: float - description: Measurement of entropy randomness in the file. - example: 6.24 - default_field: false - - name: sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: Section flags of the file. - example: rx - default_field: false - - name: sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Section names of the file. - example: .text, .data - default_field: false - - name: sections.raw_size - level: extended - type: long - format: bytes - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - default_field: false - - name: sections.virtual_address - level: extended - type: long - format: bytes - description: Virtual address available to the file. - example: 8192 - default_field: false - name: process title: Process group: 2 @@ -5962,13 +5332,6 @@ description: CPU architecture target for the file. example: x64 default_field: false - - name: parent.pe.authentihash - level: extended - type: keyword - ignore_above: 1024 - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - default_field: false - name: parent.pe.company level: extended type: keyword 
@@ -5976,67 +5339,6 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: parent.pe.compile_timestamp - level: extended - type: date - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: parent.pe.compiler.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the compiler - example: Clang - default_field: false - - name: parent.pe.compiler.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the compiler. - example: 11.0.0 - default_field: false - - name: parent.pe.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: parent.pe.debug - level: extended - type: nested - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - default_field: false - - name: parent.pe.debug.offset - level: extended - type: keyword - ignore_above: 1024 - description: Debug offset information. - example: 1296336 - default_field: false - - name: parent.pe.debug.size - level: extended - type: long - format: bytes - description: Size of the debug information. - example: 816 - default_field: false - - name: parent.pe.debug.timestamp - level: extended - type: date - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: parent.pe.debug.type - level: extended - type: keyword - ignore_above: 1024 - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - default_field: false - name: parent.pe.description level: extended type: keyword 
@@ -6044,20 +5346,6 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false - - name: parent.pe.entry_point - level: extended - type: keyword - ignore_above: 1024 - description: Relative byte offset to the base of the PE file. - example: 25856 - default_field: false - - name: parent.pe.exports - level: extended - type: keyword - ignore_above: 1024 - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - default_field: false - name: parent.pe.file_version level: extended type: keyword @@ -6065,14 +5353,6 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - - name: parent.pe.icon.hash.dhash - level: extended - type: keyword - ignore_above: 1024 - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - default_field: false - name: parent.pe.imphash level: extended type: keyword @@ -6084,20 +5364,6 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: parent.pe.imports - level: extended - type: flattened - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - default_field: false - - name: parent.pe.machine_type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - default_field: false - name: parent.pe.original_file_name level: extended type: keyword 
@@ -6105,13 +5371,6 @@ description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - - name: parent.pe.packers - level: extended - type: keyword - ignore_above: 1024 - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - default_field: false - name: parent.pe.product level: extended type: keyword 
@@ -6119,105 +5378,6 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: parent.pe.resources - level: extended - type: nested - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - default_field: false - - name: parent.pe.resources.chi2 - level: extended - type: long - description: Chi-square probability distribution. - example: -1 - default_field: false - - name: parent.pe.resources.entropy - level: extended - type: long - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - default_field: false - - name: parent.pe.resources.filetype - level: extended - type: keyword - ignore_above: 1024 - description: File type of the resources section. - example: Data - default_field: false - - name: parent.pe.resources.language - level: extended - type: keyword - ignore_above: 1024 - description: Language identification. - example: CHINESE SIMPLIFIED - default_field: false - - name: parent.pe.resources.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - default_field: false - - name: parent.pe.resources.type - level: extended - type: keyword - ignore_above: 1024 - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - default_field: false - - name: parent.pe.rich_header.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash of the header for the PE file. 
- example: 5aa1aa0f2b4be70397a1e9e2b87627cd - default_field: false - - name: parent.pe.sections - level: extended - type: nested - description: Data about sections of compiled binary PE - default_field: false - - name: parent.pe.sections.chi2 - level: extended - type: long - description: Chi-square probability distribution. - example: 3027194 - default_field: false - - name: parent.pe.sections.entropy - level: extended - type: float - description: Measurement of entropy randomness in the file. - example: 6.24 - default_field: false - - name: parent.pe.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: Section flags of the file. - example: rx - default_field: false - - name: parent.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Section names of the file. - example: .text, .data - default_field: false - - name: parent.pe.sections.raw_size - level: extended - type: long - format: bytes - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - default_field: false - - name: parent.pe.sections.virtual_address - level: extended - type: long - format: bytes - description: Virtual address available to the file. - example: 8192 - default_field: false - name: parent.pgid level: extended type: long @@ -6286,13 +5446,6 @@ description: CPU architecture target for the file. example: x64 default_field: false - - name: pe.authentihash - level: extended - type: keyword - ignore_above: 1024 - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - default_field: false - name: pe.company level: extended type: keyword 
@@ -6300,67 +5453,6 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: pe.compile_timestamp - level: extended - type: date - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: pe.compiler.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the compiler - example: Clang - default_field: false - - name: pe.compiler.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the compiler. - example: 11.0.0 - default_field: false - - name: pe.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: pe.debug - level: extended - type: nested - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - default_field: false - - name: pe.debug.offset - level: extended - type: keyword - ignore_above: 1024 - description: Debug offset information. - example: 1296336 - default_field: false - - name: pe.debug.size - level: extended - type: long - format: bytes - description: Size of the debug information. - example: 816 - default_field: false - - name: pe.debug.timestamp - level: extended - type: date - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: pe.debug.type - level: extended - type: keyword - ignore_above: 1024 - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - default_field: false - name: pe.description level: extended type: keyword 
@@ -6368,20 +5460,6 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false - - name: pe.entry_point - level: extended - type: keyword - ignore_above: 1024 - description: Relative byte offset to the base of the PE file. - example: 25856 - default_field: false - - name: pe.exports - level: extended - type: keyword - ignore_above: 1024 - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - default_field: false - name: pe.file_version level: extended type: keyword @@ -6389,14 +5467,6 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - - name: pe.icon.hash.dhash - level: extended - type: keyword - ignore_above: 1024 - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - default_field: false - name: pe.imphash level: extended type: keyword 
@@ -6405,142 +5475,22 @@ -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: pe.imports - level: extended - type: flattened - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - default_field: false - - name: pe.machine_type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - default_field: false - - name: pe.original_file_name - level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - default_field: false - - name: pe.packers - level: extended - type: keyword - ignore_above: 1024 - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - default_field: false - - name: pe.product - level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - default_field: false - - name: pe.resources - level: extended - type: nested - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - default_field: false - - name: pe.resources.chi2 - level: extended - type: long - description: Chi-square probability distribution. - example: -1 - default_field: false - - name: pe.resources.entropy - level: extended - type: long - description: Measurement of entropy randomness in the resources section. 
- example: 0, 1 - default_field: false - - name: pe.resources.filetype - level: extended - type: keyword - ignore_above: 1024 - description: File type of the resources section. - example: Data - default_field: false - - name: pe.resources.language - level: extended - type: keyword - ignore_above: 1024 - description: Language identification. - example: CHINESE SIMPLIFIED - default_field: false - - name: pe.resources.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - default_field: false - - name: pe.resources.type - level: extended - type: keyword - ignore_above: 1024 - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - default_field: false - - name: pe.rich_header.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - default_field: false - - name: pe.sections - level: extended - type: nested - description: Data about sections of compiled binary PE - default_field: false - - name: pe.sections.chi2 - level: extended - type: long - description: Chi-square probability distribution. - example: 3027194 - default_field: false - - name: pe.sections.entropy - level: extended - type: float - description: Measurement of entropy randomness in the file. - example: 6.24 + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: pe.sections.flags + - name: pe.original_file_name level: extended type: keyword ignore_above: 1024 - description: Section flags of the file. - example: rx + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE default_field: false - - name: pe.sections.name + - name: pe.product level: extended type: keyword ignore_above: 1024 - description: Section names of the file. - example: .text, .data - default_field: false - - name: pe.sections.raw_size - level: extended - type: long - format: bytes - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - default_field: false - - name: pe.sections.virtual_address - level: extended - type: long - format: bytes - description: Virtual address available to the file. - example: 8192 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - name: pgid level: extended @@ -8206,13 +7156,6 @@ description: CPU architecture target for the file. example: x64 default_field: false - - name: enrichments.indicator.file.pe.authentihash - level: extended - type: keyword - ignore_above: 1024 - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - default_field: false - name: enrichments.indicator.file.pe.company level: extended type: keyword 
@@ -8220,67 +7163,6 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: enrichments.indicator.file.pe.compile_timestamp - level: extended - type: date - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: enrichments.indicator.file.pe.compiler.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the compiler - example: Clang - default_field: false - - name: enrichments.indicator.file.pe.compiler.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the compiler. - example: 11.0.0 - default_field: false - - name: enrichments.indicator.file.pe.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: enrichments.indicator.file.pe.debug - level: extended - type: nested - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - default_field: false - - name: enrichments.indicator.file.pe.debug.offset - level: extended - type: keyword - ignore_above: 1024 - description: Debug offset information. - example: 1296336 - default_field: false - - name: enrichments.indicator.file.pe.debug.size - level: extended - type: long - format: bytes - description: Size of the debug information. - example: 816 - default_field: false - - name: enrichments.indicator.file.pe.debug.timestamp - level: extended - type: date - description: Timestamp of the debug information. 
- example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: enrichments.indicator.file.pe.debug.type - level: extended - type: keyword - ignore_above: 1024 - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - default_field: false - name: enrichments.indicator.file.pe.description level: extended type: keyword @@ -8288,20 +7170,6 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false - - name: enrichments.indicator.file.pe.entry_point - level: extended - type: keyword - ignore_above: 1024 - description: Relative byte offset to the base of the PE file. - example: 25856 - default_field: false - - name: enrichments.indicator.file.pe.exports - level: extended - type: keyword - ignore_above: 1024 - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - default_field: false - name: enrichments.indicator.file.pe.file_version level: extended type: keyword @@ -8309,14 +7177,6 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - - name: enrichments.indicator.file.pe.icon.hash.dhash - level: extended - type: keyword - ignore_above: 1024 - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - default_field: false - name: enrichments.indicator.file.pe.imphash level: extended type: keyword 
@@ -8328,20 +7188,6 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: enrichments.indicator.file.pe.imports - level: extended - type: flattened - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - default_field: false - - name: enrichments.indicator.file.pe.machine_type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - default_field: false - name: enrichments.indicator.file.pe.original_file_name level: extended type: keyword @@ -8349,13 +7195,6 @@ description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - - name: enrichments.indicator.file.pe.packers - level: extended - type: keyword - ignore_above: 1024 - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - default_field: false - name: enrichments.indicator.file.pe.product level: extended type: keyword 
@@ -8363,105 +7202,6 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: enrichments.indicator.file.pe.resources - level: extended - type: nested - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - default_field: false - - name: enrichments.indicator.file.pe.resources.chi2 - level: extended - type: long - description: Chi-square probability distribution. - example: -1 - default_field: false - - name: enrichments.indicator.file.pe.resources.entropy - level: extended - type: long - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - default_field: false - - name: enrichments.indicator.file.pe.resources.filetype - level: extended - type: keyword - ignore_above: 1024 - description: File type of the resources section. - example: Data - default_field: false - - name: enrichments.indicator.file.pe.resources.language - level: extended - type: keyword - ignore_above: 1024 - description: Language identification. - example: CHINESE SIMPLIFIED - default_field: false - - name: enrichments.indicator.file.pe.resources.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - default_field: false - - name: enrichments.indicator.file.pe.resources.type - level: extended - type: keyword - ignore_above: 1024 - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - default_field: false - - name: enrichments.indicator.file.pe.rich_header.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash of the header for the PE file. 
- example: 5aa1aa0f2b4be70397a1e9e2b87627cd - default_field: false - - name: enrichments.indicator.file.pe.sections - level: extended - type: nested - description: Data about sections of compiled binary PE - default_field: false - - name: enrichments.indicator.file.pe.sections.chi2 - level: extended - type: long - description: Chi-square probability distribution. - example: 3027194 - default_field: false - - name: enrichments.indicator.file.pe.sections.entropy - level: extended - type: float - description: Measurement of entropy randomness in the file. - example: 6.24 - default_field: false - - name: enrichments.indicator.file.pe.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: Section flags of the file. - example: rx - default_field: false - - name: enrichments.indicator.file.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Section names of the file. - example: .text, .data - default_field: false - - name: enrichments.indicator.file.pe.sections.raw_size - level: extended - type: long - format: bytes - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - default_field: false - - name: enrichments.indicator.file.pe.sections.virtual_address - level: extended - type: long - format: bytes - description: Virtual address available to the file. - example: 8192 - default_field: false - name: enrichments.indicator.file.size level: extended type: long @@ -9789,13 +8529,6 @@ description: CPU architecture target for the file. example: x64 default_field: false - - name: indicator.file.pe.authentihash - level: extended - type: keyword - ignore_above: 1024 - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - default_field: false - name: indicator.file.pe.company level: extended type: keyword 
@@ -9803,67 +8536,6 @@ description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: indicator.file.pe.compile_timestamp - level: extended - type: date - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.file.pe.compiler.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the compiler - example: Clang - default_field: false - - name: indicator.file.pe.compiler.version - level: extended - type: keyword - ignore_above: 1024 - description: Version of the compiler. - example: 11.0.0 - default_field: false - - name: indicator.file.pe.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.file.pe.debug - level: extended - type: nested - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - default_field: false - - name: indicator.file.pe.debug.offset - level: extended - type: keyword - ignore_above: 1024 - description: Debug offset information. - example: 1296336 - default_field: false - - name: indicator.file.pe.debug.size - level: extended - type: long - format: bytes - description: Size of the debug information. - example: 816 - default_field: false - - name: indicator.file.pe.debug.timestamp - level: extended - type: date - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.file.pe.debug.type - level: extended - type: keyword - ignore_above: 1024 - description: Information type generated by the debug options. 
- example: IMAGE_DEBUG_TYPE_POGO - default_field: false - name: indicator.file.pe.description level: extended type: keyword @@ -9871,20 +8543,6 @@ description: Internal description of the file, provided at compile-time. example: Paint default_field: false - - name: indicator.file.pe.entry_point - level: extended - type: keyword - ignore_above: 1024 - description: Relative byte offset to the base of the PE file. - example: 25856 - default_field: false - - name: indicator.file.pe.exports - level: extended - type: keyword - ignore_above: 1024 - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - default_field: false - name: indicator.file.pe.file_version level: extended type: keyword @@ -9892,14 +8550,6 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - - name: indicator.file.pe.icon.hash.dhash - level: extended - type: keyword - ignore_above: 1024 - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - default_field: false - name: indicator.file.pe.imphash level: extended type: keyword @@ -9911,20 +8561,6 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: indicator.file.pe.imports - level: extended - type: flattened - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - default_field: false - - name: indicator.file.pe.machine_type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - default_field: false - name: indicator.file.pe.original_file_name level: extended type: keyword 
@@ -9932,13 +8568,6 @@ description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - - name: indicator.file.pe.packers - level: extended - type: keyword - ignore_above: 1024 - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - default_field: false - name: indicator.file.pe.product level: extended type: keyword 
@@ -9946,105 +8575,6 @@ description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: indicator.file.pe.resources - level: extended - type: nested - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - default_field: false - - name: indicator.file.pe.resources.chi2 - level: extended - type: long - description: Chi-square probability distribution. - example: -1 - default_field: false - - name: indicator.file.pe.resources.entropy - level: extended - type: long - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - default_field: false - - name: indicator.file.pe.resources.filetype - level: extended - type: keyword - ignore_above: 1024 - description: File type of the resources section. - example: Data - default_field: false - - name: indicator.file.pe.resources.language - level: extended - type: keyword - ignore_above: 1024 - description: Language identification. - example: CHINESE SIMPLIFIED - default_field: false - - name: indicator.file.pe.resources.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - default_field: false - - name: indicator.file.pe.resources.type - level: extended - type: keyword - ignore_above: 1024 - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - default_field: false - - name: indicator.file.pe.rich_header.hash.md5 - level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash of the header for the PE file. 
- example: 5aa1aa0f2b4be70397a1e9e2b87627cd - default_field: false - - name: indicator.file.pe.sections - level: extended - type: nested - description: Data about sections of compiled binary PE - default_field: false - - name: indicator.file.pe.sections.chi2 - level: extended - type: long - description: Chi-square probability distribution. - example: 3027194 - default_field: false - - name: indicator.file.pe.sections.entropy - level: extended - type: float - description: Measurement of entropy randomness in the file. - example: 6.24 - default_field: false - - name: indicator.file.pe.sections.flags - level: extended - type: keyword - ignore_above: 1024 - description: Section flags of the file. - example: rx - default_field: false - - name: indicator.file.pe.sections.name - level: extended - type: keyword - ignore_above: 1024 - description: Section names of the file. - example: .text, .data - default_field: false - - name: indicator.file.pe.sections.raw_size - level: extended - type: long - format: bytes - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - default_field: false - - name: indicator.file.pe.sections.virtual_address - level: extended - type: long - format: bytes - description: Virtual address available to the file. - example: 8192 - default_field: false - name: indicator.file.size level: extended type: long diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 58bd59000..190732df9 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -157,43 +157,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.1.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. 8.1.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. 8.1.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.1.0-dev+exp,true,dll,dll.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. 8.1.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.1.0-dev+exp,true,dll,dll.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. -8.1.0-dev+exp,true,dll,dll.pe.compiler.name,keyword,extended,,Clang,Name of the compiler -8.1.0-dev+exp,true,dll,dll.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. -8.1.0-dev+exp,true,dll,dll.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. -8.1.0-dev+exp,true,dll,dll.pe.debug,nested,extended,array,,Debug information -8.1.0-dev+exp,true,dll,dll.pe.debug.offset,keyword,extended,,1296336,Debug offset information. -8.1.0-dev+exp,true,dll,dll.pe.debug.size,long,extended,,816,Size of the debug information. -8.1.0-dev+exp,true,dll,dll.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. -8.1.0-dev+exp,true,dll,dll.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. 8.1.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.1.0-dev+exp,true,dll,dll.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. 
-8.1.0-dev+exp,true,dll,dll.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE 8.1.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.1.0-dev+exp,true,dll,dll.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. 8.1.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.1.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions -8.1.0-dev+exp,true,dll,dll.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. 8.1.0-dev+exp,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.1.0-dev+exp,true,dll,dll.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 8.1.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.1.0-dev+exp,true,dll,dll.pe.resources,nested,extended,array,,PE resource information -8.1.0-dev+exp,true,dll,dll.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. -8.1.0-dev+exp,true,dll,dll.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. -8.1.0-dev+exp,true,dll,dll.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. -8.1.0-dev+exp,true,dll,dll.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. -8.1.0-dev+exp,true,dll,dll.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. 
-8.1.0-dev+exp,true,dll,dll.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. -8.1.0-dev+exp,true,dll,dll.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. -8.1.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE -8.1.0-dev+exp,true,dll,dll.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. -8.1.0-dev+exp,true,dll,dll.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. -8.1.0-dev+exp,true,dll,dll.pe.sections.flags,keyword,extended,,rx,Section flags of the file. -8.1.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. -8.1.0-dev+exp,true,dll,dll.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. -8.1.0-dev+exp,true,dll,dll.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 8.1.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 8.1.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. 8.1.0-dev+exp,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. 
@@ -335,43 +304,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.1.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." 8.1.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." 8.1.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.1.0-dev+exp,true,file,file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. 8.1.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.1.0-dev+exp,true,file,file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. -8.1.0-dev+exp,true,file,file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler -8.1.0-dev+exp,true,file,file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. -8.1.0-dev+exp,true,file,file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. -8.1.0-dev+exp,true,file,file.pe.debug,nested,extended,array,,Debug information -8.1.0-dev+exp,true,file,file.pe.debug.offset,keyword,extended,,1296336,Debug offset information. -8.1.0-dev+exp,true,file,file.pe.debug.size,long,extended,,816,Size of the debug information. -8.1.0-dev+exp,true,file,file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. -8.1.0-dev+exp,true,file,file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. 8.1.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.1.0-dev+exp,true,file,file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. 
-8.1.0-dev+exp,true,file,file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE 8.1.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.1.0-dev+exp,true,file,file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. 8.1.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.1.0-dev+exp,true,file,file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions -8.1.0-dev+exp,true,file,file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. 8.1.0-dev+exp,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.1.0-dev+exp,true,file,file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 8.1.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.1.0-dev+exp,true,file,file.pe.resources,nested,extended,array,,PE resource information -8.1.0-dev+exp,true,file,file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. -8.1.0-dev+exp,true,file,file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. -8.1.0-dev+exp,true,file,file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. -8.1.0-dev+exp,true,file,file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. 
-8.1.0-dev+exp,true,file,file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. -8.1.0-dev+exp,true,file,file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. -8.1.0-dev+exp,true,file,file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. -8.1.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE -8.1.0-dev+exp,true,file,file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. -8.1.0-dev+exp,true,file,file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. -8.1.0-dev+exp,true,file,file.pe.sections.flags,keyword,extended,,rx,Section flags of the file. -8.1.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. -8.1.0-dev+exp,true,file,file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. -8.1.0-dev+exp,true,file,file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 8.1.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. 8.1.0-dev+exp,true,file,file.target_path,keyword,extended,,,Target path for symlinks. 8.1.0-dev+exp,true,file,file.target_path.text,match_only_text,extended,,,Target path for symlinks. 
@@ -660,43 +598,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.1.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name. 8.1.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name. 8.1.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.1.0-dev+exp,true,process,process.parent.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. 8.1.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.1.0-dev+exp,true,process,process.parent.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. -8.1.0-dev+exp,true,process,process.parent.pe.compiler.name,keyword,extended,,Clang,Name of the compiler -8.1.0-dev+exp,true,process,process.parent.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. -8.1.0-dev+exp,true,process,process.parent.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. -8.1.0-dev+exp,true,process,process.parent.pe.debug,nested,extended,array,,Debug information -8.1.0-dev+exp,true,process,process.parent.pe.debug.offset,keyword,extended,,1296336,Debug offset information. -8.1.0-dev+exp,true,process,process.parent.pe.debug.size,long,extended,,816,Size of the debug information. -8.1.0-dev+exp,true,process,process.parent.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. -8.1.0-dev+exp,true,process,process.parent.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. 8.1.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
-8.1.0-dev+exp,true,process,process.parent.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. -8.1.0-dev+exp,true,process,process.parent.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE 8.1.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.1.0-dev+exp,true,process,process.parent.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. 8.1.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.1.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions -8.1.0-dev+exp,true,process,process.parent.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. 8.1.0-dev+exp,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.1.0-dev+exp,true,process,process.parent.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 8.1.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.1.0-dev+exp,true,process,process.parent.pe.resources,nested,extended,array,,PE resource information -8.1.0-dev+exp,true,process,process.parent.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. -8.1.0-dev+exp,true,process,process.parent.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. 
-8.1.0-dev+exp,true,process,process.parent.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. -8.1.0-dev+exp,true,process,process.parent.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. -8.1.0-dev+exp,true,process,process.parent.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. -8.1.0-dev+exp,true,process,process.parent.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. -8.1.0-dev+exp,true,process,process.parent.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. -8.1.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE -8.1.0-dev+exp,true,process,process.parent.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. -8.1.0-dev+exp,true,process,process.parent.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. -8.1.0-dev+exp,true,process,process.parent.pe.sections.flags,keyword,extended,,rx,Section flags of the file. -8.1.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. -8.1.0-dev+exp,true,process,process.parent.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. -8.1.0-dev+exp,true,process,process.parent.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 8.1.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 8.1.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. 8.1.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
@@ -708,43 +615,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.1.0-dev+exp,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.1.0-dev+exp,true,process,process.parent.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. 8.1.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.1.0-dev+exp,true,process,process.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. 8.1.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.1.0-dev+exp,true,process,process.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. -8.1.0-dev+exp,true,process,process.pe.compiler.name,keyword,extended,,Clang,Name of the compiler -8.1.0-dev+exp,true,process,process.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. -8.1.0-dev+exp,true,process,process.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. -8.1.0-dev+exp,true,process,process.pe.debug,nested,extended,array,,Debug information -8.1.0-dev+exp,true,process,process.pe.debug.offset,keyword,extended,,1296336,Debug offset information. -8.1.0-dev+exp,true,process,process.pe.debug.size,long,extended,,816,Size of the debug information. -8.1.0-dev+exp,true,process,process.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. -8.1.0-dev+exp,true,process,process.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. 8.1.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
-8.1.0-dev+exp,true,process,process.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. -8.1.0-dev+exp,true,process,process.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE 8.1.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.1.0-dev+exp,true,process,process.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. 8.1.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.1.0-dev+exp,true,process,process.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions -8.1.0-dev+exp,true,process,process.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. 8.1.0-dev+exp,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.1.0-dev+exp,true,process,process.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 8.1.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.1.0-dev+exp,true,process,process.pe.resources,nested,extended,array,,PE resource information -8.1.0-dev+exp,true,process,process.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. -8.1.0-dev+exp,true,process,process.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. -8.1.0-dev+exp,true,process,process.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. 
-8.1.0-dev+exp,true,process,process.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. -8.1.0-dev+exp,true,process,process.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. -8.1.0-dev+exp,true,process,process.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. -8.1.0-dev+exp,true,process,process.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. -8.1.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE -8.1.0-dev+exp,true,process,process.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. -8.1.0-dev+exp,true,process,process.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. -8.1.0-dev+exp,true,process,process.pe.sections.flags,keyword,extended,,rx,Section flags of the file. -8.1.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. -8.1.0-dev+exp,true,process,process.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. -8.1.0-dev+exp,true,process,process.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 8.1.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 8.1.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. 8.1.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 
@@ -951,43 +827,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." 8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." 8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. 8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.debug,nested,extended,array,,Debug information -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.debug.offset,keyword,extended,,1296336,Debug offset information. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.debug.size,long,extended,,816,Size of the debug information. 
-8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. 8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE 8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. 8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. 8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources,nested,extended,array,,PE resource information -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. 
-8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.flags,keyword,extended,,rx,Section flags of the file. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. -8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. 8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. 8.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. 
@@ -1166,43 +1011,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.1.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." 8.1.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name." 8.1.0-dev+exp,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. 8.1.0-dev+exp,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.debug,nested,extended,array,,Debug information -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.debug.offset,keyword,extended,,1296336,Debug offset information. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.debug.size,long,extended,,816,Size of the debug information. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. 
8.1.0-dev+exp,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE 8.1.0-dev+exp,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. 8.1.0-dev+exp,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. 8.1.0-dev+exp,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 8.1.0-dev+exp,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources,nested,extended,array,,PE resource information -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. 
-8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.flags,keyword,extended,,rx,Section flags of the file. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. -8.1.0-dev+exp,true,threat,threat.indicator.file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 8.1.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. 
8.1.0-dev+exp,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. 8.1.0-dev+exp,true,threat,threat.indicator.file.target_path.text,match_only_text,extended,,,Target path for symlinks. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 2d47b0c1a..8987db7e2 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1893,18 +1893,6 @@ dll.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -dll.pe.authentihash: - dashed_name: dll-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: dll.pe.authentihash - ignore_above: 1024 - level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. - type: keyword dll.pe.company: dashed_name: dll-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -1917,113 +1905,6 @@ dll.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -dll.pe.compile_timestamp: - dashed_name: dll-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: dll.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date -dll.pe.compiler.name: - dashed_name: dll-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: dll.pe.compiler.name - ignore_above: 1024 - level: extended - name: compiler.name - normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword -dll.pe.compiler.version: - dashed_name: dll-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: dll.pe.compiler.version - ignore_above: 1024 - level: extended - name: compiler.version - normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword -dll.pe.creation_date: - dashed_name: dll-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: dll.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date -dll.pe.debug: - dashed_name: dll-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: dll.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested -dll.pe.debug.offset: - dashed_name: dll-pe-debug-offset - description: Debug offset information. 
- example: 1296336 - flat_name: dll.pe.debug.offset - ignore_above: 1024 - level: extended - name: debug.offset - normalize: [] - original_fieldset: pe - short: Debug offset information. - type: keyword -dll.pe.debug.size: - dashed_name: dll-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: dll.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long -dll.pe.debug.timestamp: - dashed_name: dll-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: dll.pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date -dll.pe.debug.type: - dashed_name: dll-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: dll.pe.debug.type - ignore_above: 1024 - level: extended - name: debug.type - normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. - type: keyword dll.pe.description: dashed_name: dll-pe-description description: Internal description of the file, provided at compile-time. 
@@ -2036,31 +1917,6 @@ dll.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -dll.pe.entry_point: - dashed_name: dll-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: dll.pe.entry_point - ignore_above: 1024 - level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword -dll.pe.exports: - dashed_name: dll-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: dll.pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword dll.pe.file_version: dashed_name: dll-pe-file-version description: Internal version of the file, provided at compile-time. @@ -2073,19 +1929,6 @@ dll.pe.file_version: original_fieldset: pe short: Process name. type: keyword -dll.pe.icon.hash.dhash: - dashed_name: dll-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: dll.pe.icon.hash.dhash - ignore_above: 1024 - level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. - type: keyword dll.pe.imphash: dashed_name: dll-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -2102,30 +1945,6 @@ dll.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -dll.pe.imports: - dashed_name: dll-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: dll.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened -dll.pe.machine_type: - dashed_name: dll-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: dll.pe.machine_type - ignore_above: 1024 - level: extended - name: machine_type - normalize: [] - original_fieldset: pe - short: Machine type of the PE file. - type: keyword dll.pe.original_file_name: dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -2138,19 +1957,6 @@ dll.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword -dll.pe.packers: - dashed_name: dll-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: dll.pe.packers - ignore_above: 1024 - level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. - type: keyword dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -2163,183 +1969,6 @@ dll.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -dll.pe.resources: - dashed_name: dll-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: dll.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested -dll.pe.resources.chi2: - dashed_name: dll-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: dll.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -dll.pe.resources.entropy: - dashed_name: dll-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: dll.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long -dll.pe.resources.filetype: - dashed_name: dll-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: dll.pe.resources.filetype - ignore_above: 1024 - level: extended - name: resources.filetype - normalize: [] - original_fieldset: pe - short: File type of the resources section. - type: keyword -dll.pe.resources.language: - dashed_name: dll-pe-resources-language - description: Language identification. - example: CHINESE SIMPLIFIED - flat_name: dll.pe.resources.language - ignore_above: 1024 - level: extended - name: resources.language - normalize: [] - original_fieldset: pe - short: Language identification. - type: keyword -dll.pe.resources.sha256: - dashed_name: dll-pe-resources-sha256 - description: SHA256 hash of resources section. 
- example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: dll.pe.resources.sha256 - ignore_above: 1024 - level: extended - name: resources.sha256 - normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. - type: keyword -dll.pe.resources.type: - dashed_name: dll-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: dll.pe.resources.type - ignore_above: 1024 - level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. - type: keyword -dll.pe.rich_header.hash.md5: - dashed_name: dll-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: dll.pe.rich_header.hash.md5 - ignore_above: 1024 - level: extended - name: rich_header.hash.md5 - normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. - type: keyword -dll.pe.sections: - dashed_name: dll-pe-sections - description: Data about sections of compiled binary PE - flat_name: dll.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested -dll.pe.sections.chi2: - dashed_name: dll-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: dll.pe.sections.chi2 - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -dll.pe.sections.entropy: - dashed_name: dll-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: dll.pe.sections.entropy - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. 
- type: float -dll.pe.sections.flags: - dashed_name: dll-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: dll.pe.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: pe - short: Section flags of the file. - type: keyword -dll.pe.sections.name: - dashed_name: dll-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: dll.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: Section names of the file. - type: keyword -dll.pe.sections.raw_size: - dashed_name: dll-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: dll.pe.sections.raw_size - format: bytes - level: extended - name: sections.raw_size - normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long -dll.pe.sections.virtual_address: - dashed_name: dll-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: dll.pe.sections.virtual_address - format: bytes - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long dns.answers: dashed_name: dns-answers description: 'An array containing an object for each answer section returned by 
@@ -4508,18 +4137,6 @@ file.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -file.pe.authentihash: - dashed_name: file-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: file.pe.authentihash - ignore_above: 1024 - level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. - type: keyword file.pe.company: dashed_name: file-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -4532,113 +4149,6 @@ file.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -file.pe.compile_timestamp: - dashed_name: file-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: file.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date -file.pe.compiler.name: - dashed_name: file-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: file.pe.compiler.name - ignore_above: 1024 - level: extended - name: compiler.name - normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword -file.pe.compiler.version: - dashed_name: file-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: file.pe.compiler.version - ignore_above: 1024 - level: extended - name: compiler.version - normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword -file.pe.creation_date: - dashed_name: file-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: file.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date -file.pe.debug: - dashed_name: file-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: file.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested -file.pe.debug.offset: - dashed_name: file-pe-debug-offset - description: Debug offset information. 
- example: 1296336 - flat_name: file.pe.debug.offset - ignore_above: 1024 - level: extended - name: debug.offset - normalize: [] - original_fieldset: pe - short: Debug offset information. - type: keyword -file.pe.debug.size: - dashed_name: file-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: file.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long -file.pe.debug.timestamp: - dashed_name: file-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: file.pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date -file.pe.debug.type: - dashed_name: file-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: file.pe.debug.type - ignore_above: 1024 - level: extended - name: debug.type - normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. - type: keyword file.pe.description: dashed_name: file-pe-description description: Internal description of the file, provided at compile-time. 
@@ -4651,31 +4161,6 @@ file.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -file.pe.entry_point: - dashed_name: file-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: file.pe.entry_point - ignore_above: 1024 - level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword -file.pe.exports: - dashed_name: file-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: file.pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword file.pe.file_version: dashed_name: file-pe-file-version description: Internal version of the file, provided at compile-time. @@ -4688,19 +4173,6 @@ file.pe.file_version: original_fieldset: pe short: Process name. type: keyword -file.pe.icon.hash.dhash: - dashed_name: file-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: file.pe.icon.hash.dhash - ignore_above: 1024 - level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. - type: keyword file.pe.imphash: dashed_name: file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -4717,30 +4189,6 @@ file.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -file.pe.imports: - dashed_name: file-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: file.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened -file.pe.machine_type: - dashed_name: file-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: file.pe.machine_type - ignore_above: 1024 - level: extended - name: machine_type - normalize: [] - original_fieldset: pe - short: Machine type of the PE file. - type: keyword file.pe.original_file_name: dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -4753,19 +4201,6 @@ file.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword -file.pe.packers: - dashed_name: file-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: file.pe.packers - ignore_above: 1024 - level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. - type: keyword file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -4778,183 +4213,6 @@ file.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -file.pe.resources: - dashed_name: file-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: file.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested -file.pe.resources.chi2: - dashed_name: file-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: file.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -file.pe.resources.entropy: - dashed_name: file-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: file.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long -file.pe.resources.filetype: - dashed_name: file-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: file.pe.resources.filetype - ignore_above: 1024 - level: extended - name: resources.filetype - normalize: [] - original_fieldset: pe - short: File type of the resources section. - type: keyword -file.pe.resources.language: - dashed_name: file-pe-resources-language - description: Language identification. - example: CHINESE SIMPLIFIED - flat_name: file.pe.resources.language - ignore_above: 1024 - level: extended - name: resources.language - normalize: [] - original_fieldset: pe - short: Language identification. - type: keyword -file.pe.resources.sha256: - dashed_name: file-pe-resources-sha256 - description: SHA256 hash of resources section. 
- example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: file.pe.resources.sha256 - ignore_above: 1024 - level: extended - name: resources.sha256 - normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. - type: keyword -file.pe.resources.type: - dashed_name: file-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: file.pe.resources.type - ignore_above: 1024 - level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. - type: keyword -file.pe.rich_header.hash.md5: - dashed_name: file-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: file.pe.rich_header.hash.md5 - ignore_above: 1024 - level: extended - name: rich_header.hash.md5 - normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. - type: keyword -file.pe.sections: - dashed_name: file-pe-sections - description: Data about sections of compiled binary PE - flat_name: file.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested -file.pe.sections.chi2: - dashed_name: file-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: file.pe.sections.chi2 - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -file.pe.sections.entropy: - dashed_name: file-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: file.pe.sections.entropy - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. 
- type: float -file.pe.sections.flags: - dashed_name: file-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: file.pe.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: pe - short: Section flags of the file. - type: keyword -file.pe.sections.name: - dashed_name: file-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: file.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: Section names of the file. - type: keyword -file.pe.sections.raw_size: - dashed_name: file-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: file.pe.sections.raw_size - format: bytes - level: extended - name: sections.raw_size - normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long -file.pe.sections.virtual_address: - dashed_name: file-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: file.pe.sections.virtual_address - format: bytes - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long file.size: dashed_name: file-size description: 'File size in bytes. 
@@ -8405,18 +7663,6 @@ process.parent.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -process.parent.pe.authentihash: - dashed_name: process-parent-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: process.parent.pe.authentihash - ignore_above: 1024 - level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. - type: keyword process.parent.pe.company: dashed_name: process-parent-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -8429,113 +7675,6 @@ process.parent.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -process.parent.pe.compile_timestamp: - dashed_name: process-parent-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: process.parent.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date -process.parent.pe.compiler.name: - dashed_name: process-parent-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: process.parent.pe.compiler.name - ignore_above: 1024 - level: extended - name: compiler.name - normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword -process.parent.pe.compiler.version: - dashed_name: process-parent-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: process.parent.pe.compiler.version - ignore_above: 1024 - level: extended - name: compiler.version - normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword -process.parent.pe.creation_date: - dashed_name: process-parent-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: process.parent.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date -process.parent.pe.debug: - dashed_name: process-parent-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' 
- flat_name: process.parent.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested -process.parent.pe.debug.offset: - dashed_name: process-parent-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: process.parent.pe.debug.offset - ignore_above: 1024 - level: extended - name: debug.offset - normalize: [] - original_fieldset: pe - short: Debug offset information. - type: keyword -process.parent.pe.debug.size: - dashed_name: process-parent-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: process.parent.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long -process.parent.pe.debug.timestamp: - dashed_name: process-parent-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: process.parent.pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date -process.parent.pe.debug.type: - dashed_name: process-parent-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: process.parent.pe.debug.type - ignore_above: 1024 - level: extended - name: debug.type - normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. - type: keyword process.parent.pe.description: dashed_name: process-parent-pe-description description: Internal description of the file, provided at compile-time. 
@@ -8548,31 +7687,6 @@ process.parent.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -process.parent.pe.entry_point: - dashed_name: process-parent-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: process.parent.pe.entry_point - ignore_above: 1024 - level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword -process.parent.pe.exports: - dashed_name: process-parent-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: process.parent.pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword process.parent.pe.file_version: dashed_name: process-parent-pe-file-version description: Internal version of the file, provided at compile-time. @@ -8585,19 +7699,6 @@ process.parent.pe.file_version: original_fieldset: pe short: Process name. type: keyword -process.parent.pe.icon.hash.dhash: - dashed_name: process-parent-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: process.parent.pe.icon.hash.dhash - ignore_above: 1024 - level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. - type: keyword process.parent.pe.imphash: dashed_name: process-parent-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -8614,30 +7715,6 @@ process.parent.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -process.parent.pe.imports: - dashed_name: process-parent-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: process.parent.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened -process.parent.pe.machine_type: - dashed_name: process-parent-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: process.parent.pe.machine_type - ignore_above: 1024 - level: extended - name: machine_type - normalize: [] - original_fieldset: pe - short: Machine type of the PE file. - type: keyword process.parent.pe.original_file_name: dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -8650,19 +7727,6 @@ process.parent.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword -process.parent.pe.packers: - dashed_name: process-parent-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: process.parent.pe.packers - ignore_above: 1024 - level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. - type: keyword process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -8675,183 +7739,6 @@ process.parent.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -process.parent.pe.resources: - dashed_name: process-parent-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: process.parent.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested -process.parent.pe.resources.chi2: - dashed_name: process-parent-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: process.parent.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -process.parent.pe.resources.entropy: - dashed_name: process-parent-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: process.parent.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long -process.parent.pe.resources.filetype: - dashed_name: process-parent-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: process.parent.pe.resources.filetype - ignore_above: 1024 - level: extended - name: resources.filetype - normalize: [] - original_fieldset: pe - short: File type of the resources section. - type: keyword -process.parent.pe.resources.language: - dashed_name: process-parent-pe-resources-language - description: Language identification. 
- example: CHINESE SIMPLIFIED - flat_name: process.parent.pe.resources.language - ignore_above: 1024 - level: extended - name: resources.language - normalize: [] - original_fieldset: pe - short: Language identification. - type: keyword -process.parent.pe.resources.sha256: - dashed_name: process-parent-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: process.parent.pe.resources.sha256 - ignore_above: 1024 - level: extended - name: resources.sha256 - normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. - type: keyword -process.parent.pe.resources.type: - dashed_name: process-parent-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: process.parent.pe.resources.type - ignore_above: 1024 - level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. - type: keyword -process.parent.pe.rich_header.hash.md5: - dashed_name: process-parent-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: process.parent.pe.rich_header.hash.md5 - ignore_above: 1024 - level: extended - name: rich_header.hash.md5 - normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. - type: keyword -process.parent.pe.sections: - dashed_name: process-parent-pe-sections - description: Data about sections of compiled binary PE - flat_name: process.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested -process.parent.pe.sections.chi2: - dashed_name: process-parent-pe-sections-chi2 - description: Chi-square probability distribution. 
- example: 3027194 - flat_name: process.parent.pe.sections.chi2 - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: process.parent.pe.sections.entropy - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float -process.parent.pe.sections.flags: - dashed_name: process-parent-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: process.parent.pe.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: pe - short: Section flags of the file. - type: keyword -process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: process.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: Section names of the file. - type: keyword -process.parent.pe.sections.raw_size: - dashed_name: process-parent-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: process.parent.pe.sections.raw_size - format: bytes - level: extended - name: sections.raw_size - normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long -process.parent.pe.sections.virtual_address: - dashed_name: process-parent-pe-sections-virtual-address - description: Virtual address available to the file. 
- example: 8192 - flat_name: process.parent.pe.sections.virtual_address - format: bytes - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long process.parent.pgid: dashed_name: process-parent-pgid description: Identifier of the group of processes the process belongs to. @@ -8967,18 +7854,6 @@ process.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -process.pe.authentihash: - dashed_name: process-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: process.pe.authentihash - ignore_above: 1024 - level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. - type: keyword process.pe.company: dashed_name: process-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -8986,434 +7861,75 @@ process.pe.company: flat_name: process.pe.company ignore_above: 1024 level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -process.pe.compile_timestamp: - dashed_name: process-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: process.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date -process.pe.compiler.name: - dashed_name: process-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: process.pe.compiler.name - ignore_above: 1024 - level: extended - name: compiler.name - normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword -process.pe.compiler.version: - dashed_name: process-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: process.pe.compiler.version - ignore_above: 1024 - level: extended - name: compiler.version - normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword -process.pe.creation_date: - dashed_name: process-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: process.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date -process.pe.debug: - dashed_name: process-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' 
- flat_name: process.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested -process.pe.debug.offset: - dashed_name: process-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: process.pe.debug.offset - ignore_above: 1024 - level: extended - name: debug.offset - normalize: [] - original_fieldset: pe - short: Debug offset information. - type: keyword -process.pe.debug.size: - dashed_name: process-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: process.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long -process.pe.debug.timestamp: - dashed_name: process-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: process.pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date -process.pe.debug.type: - dashed_name: process-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: process.pe.debug.type - ignore_above: 1024 - level: extended - name: debug.type - normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. - type: keyword -process.pe.description: - dashed_name: process-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -process.pe.entry_point: - dashed_name: process-pe-entry-point - description: Relative byte offset to the base of the PE file. 
- example: 25856 - flat_name: process.pe.entry_point - ignore_above: 1024 - level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword -process.pe.exports: - dashed_name: process-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: process.pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword -process.pe.file_version: - dashed_name: process-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -process.pe.icon.hash.dhash: - dashed_name: process-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: process.pe.icon.hash.dhash - ignore_above: 1024 - level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. - type: keyword -process.pe.imphash: - dashed_name: process-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -process.pe.imports: - dashed_name: process-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: process.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened -process.pe.machine_type: - dashed_name: process-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: process.pe.machine_type - ignore_above: 1024 - level: extended - name: machine_type - normalize: [] - original_fieldset: pe - short: Machine type of the PE file. - type: keyword -process.pe.original_file_name: - dashed_name: process-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -process.pe.packers: - dashed_name: process-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: process.pe.packers - ignore_above: 1024 - level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. - type: keyword -process.pe.product: - dashed_name: process-pe-product - description: Internal product name of the file, provided at compile-time. 
- example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: process.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -process.pe.resources: - dashed_name: process-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: process.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested -process.pe.resources.chi2: - dashed_name: process-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: process.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -process.pe.resources.entropy: - dashed_name: process-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: process.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long -process.pe.resources.filetype: - dashed_name: process-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: process.pe.resources.filetype - ignore_above: 1024 - level: extended - name: resources.filetype - normalize: [] - original_fieldset: pe - short: File type of the resources section. - type: keyword -process.pe.resources.language: - dashed_name: process-pe-resources-language - description: Language identification. 
- example: CHINESE SIMPLIFIED - flat_name: process.pe.resources.language - ignore_above: 1024 - level: extended - name: resources.language - normalize: [] - original_fieldset: pe - short: Language identification. - type: keyword -process.pe.resources.sha256: - dashed_name: process-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: process.pe.resources.sha256 - ignore_above: 1024 - level: extended - name: resources.sha256 - normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. - type: keyword -process.pe.resources.type: - dashed_name: process-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: process.pe.resources.type - ignore_above: 1024 - level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. - type: keyword -process.pe.rich_header.hash.md5: - dashed_name: process-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: process.pe.rich_header.hash.md5 - ignore_above: 1024 - level: extended - name: rich_header.hash.md5 - normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. - type: keyword -process.pe.sections: - dashed_name: process-pe-sections - description: Data about sections of compiled binary PE - flat_name: process.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested -process.pe.sections.chi2: - dashed_name: process-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: process.pe.sections.chi2 - level: extended - name: sections.chi2 + name: company normalize: [] original_fieldset: pe - short: Chi-square probability distribution. 
- type: long -process.pe.sections.entropy: - dashed_name: process-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: process.pe.sections.entropy + short: Internal company name of the file, provided at compile-time. + type: keyword +process.pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.pe.description + ignore_above: 1024 level: extended - name: sections.entropy + name: description normalize: [] original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float -process.pe.sections.flags: - dashed_name: process-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: process.pe.sections.flags + short: Internal description of the file, provided at compile-time. + type: keyword +process.pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version ignore_above: 1024 level: extended - name: sections.flags + name: file_version normalize: [] original_fieldset: pe - short: Section flags of the file. + short: Process name. type: keyword -process.pe.sections.name: - dashed_name: process-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: process.pe.sections.name +process.pe.imphash: + dashed_name: process-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.pe.imphash ignore_above: 1024 level: extended - name: sections.name + name: imphash normalize: [] original_fieldset: pe - short: Section names of the file. + short: A hash of the imports in a PE file. type: keyword -process.pe.sections.raw_size: - dashed_name: process-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: process.pe.sections.raw_size - format: bytes +process.pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name + ignore_above: 1024 level: extended - name: sections.raw_size + name: original_file_name normalize: [] original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long -process.pe.sections.virtual_address: - dashed_name: process-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: process.pe.sections.virtual_address - format: bytes + short: Internal name of the file, provided at compile-time. + type: keyword +process.pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: process.pe.product + ignore_above: 1024 level: extended - name: sections.virtual_address + name: product normalize: [] original_fieldset: pe - short: Virtual address available to the file. - type: long + short: Internal product name of the file, provided at compile-time. + type: keyword process.pgid: dashed_name: process-pgid description: Identifier of the group of processes the process belongs to. 
@@ -11985,471 +10501,100 @@ threat.enrichments.indicator.file.path: multi_fields: - flat_name: threat.enrichments.indicator.file.path.text name: text - type: match_only_text - name: path - normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. - type: keyword -threat.enrichments.indicator.file.pe.architecture: - dashed_name: threat-enrichments-indicator-file-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.enrichments.indicator.file.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -threat.enrichments.indicator.file.pe.authentihash: - dashed_name: threat-enrichments-indicator-file-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.enrichments.indicator.file.pe.authentihash - ignore_above: 1024 - level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. - type: keyword -threat.enrichments.indicator.file.pe.company: - dashed_name: threat-enrichments-indicator-file-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: threat.enrichments.indicator.file.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword -threat.enrichments.indicator.file.pe.compile_timestamp: - dashed_name: threat-enrichments-indicator-file-pe-compile-timestamp - description: Compile timestamp of the PE file. 
- example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.file.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date -threat.enrichments.indicator.file.pe.compiler.name: - dashed_name: threat-enrichments-indicator-file-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: threat.enrichments.indicator.file.pe.compiler.name - ignore_above: 1024 - level: extended - name: compiler.name - normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword -threat.enrichments.indicator.file.pe.compiler.version: - dashed_name: threat-enrichments-indicator-file-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: threat.enrichments.indicator.file.pe.compiler.version - ignore_above: 1024 - level: extended - name: compiler.version - normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword -threat.enrichments.indicator.file.pe.creation_date: - dashed_name: threat-enrichments-indicator-file-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.file.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date -threat.enrichments.indicator.file.pe.debug: - dashed_name: threat-enrichments-indicator-file-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' 
- flat_name: threat.enrichments.indicator.file.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested -threat.enrichments.indicator.file.pe.debug.offset: - dashed_name: threat-enrichments-indicator-file-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: threat.enrichments.indicator.file.pe.debug.offset - ignore_above: 1024 - level: extended - name: debug.offset - normalize: [] - original_fieldset: pe - short: Debug offset information. - type: keyword -threat.enrichments.indicator.file.pe.debug.size: - dashed_name: threat-enrichments-indicator-file-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: threat.enrichments.indicator.file.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long -threat.enrichments.indicator.file.pe.debug.timestamp: - dashed_name: threat-enrichments-indicator-file-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.file.pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date -threat.enrichments.indicator.file.pe.debug.type: - dashed_name: threat-enrichments-indicator-file-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.enrichments.indicator.file.pe.debug.type - ignore_above: 1024 - level: extended - name: debug.type - normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. - type: keyword -threat.enrichments.indicator.file.pe.description: - dashed_name: threat-enrichments-indicator-file-pe-description - description: Internal description of the file, provided at compile-time. 
- example: Paint - flat_name: threat.enrichments.indicator.file.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword -threat.enrichments.indicator.file.pe.entry_point: - dashed_name: threat-enrichments-indicator-file-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: threat.enrichments.indicator.file.pe.entry_point - ignore_above: 1024 - level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword -threat.enrichments.indicator.file.pe.exports: - dashed_name: threat-enrichments-indicator-file-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.enrichments.indicator.file.pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword -threat.enrichments.indicator.file.pe.file_version: - dashed_name: threat-enrichments-indicator-file-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: threat.enrichments.indicator.file.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -threat.enrichments.indicator.file.pe.icon.hash.dhash: - dashed_name: threat-enrichments-indicator-file-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. 
- example: b806e17c8e330d82 - flat_name: threat.enrichments.indicator.file.pe.icon.hash.dhash - ignore_above: 1024 - level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. - type: keyword -threat.enrichments.indicator.file.pe.imphash: - dashed_name: threat-enrichments-indicator-file-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.indicator.file.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -threat.enrichments.indicator.file.pe.imports: - dashed_name: threat-enrichments-indicator-file-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: threat.enrichments.indicator.file.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened -threat.enrichments.indicator.file.pe.machine_type: - dashed_name: threat-enrichments-indicator-file-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: threat.enrichments.indicator.file.pe.machine_type - ignore_above: 1024 - level: extended - name: machine_type - normalize: [] - original_fieldset: pe - short: Machine type of the PE file. 
- type: keyword -threat.enrichments.indicator.file.pe.original_file_name: - dashed_name: threat-enrichments-indicator-file-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: threat.enrichments.indicator.file.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword -threat.enrichments.indicator.file.pe.packers: - dashed_name: threat-enrichments-indicator-file-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.enrichments.indicator.file.pe.packers - ignore_above: 1024 - level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. - type: keyword -threat.enrichments.indicator.file.pe.product: - dashed_name: threat-enrichments-indicator-file-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.indicator.file.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -threat.enrichments.indicator.file.pe.resources: - dashed_name: threat-enrichments-indicator-file-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' 
- flat_name: threat.enrichments.indicator.file.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested -threat.enrichments.indicator.file.pe.resources.chi2: - dashed_name: threat-enrichments-indicator-file-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: threat.enrichments.indicator.file.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -threat.enrichments.indicator.file.pe.resources.entropy: - dashed_name: threat-enrichments-indicator-file-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: threat.enrichments.indicator.file.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long -threat.enrichments.indicator.file.pe.resources.filetype: - dashed_name: threat-enrichments-indicator-file-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: threat.enrichments.indicator.file.pe.resources.filetype - ignore_above: 1024 - level: extended - name: resources.filetype + type: match_only_text + name: path normalize: [] - original_fieldset: pe - short: File type of the resources section. + original_fieldset: file + short: Full path to the file, including the file name. type: keyword -threat.enrichments.indicator.file.pe.resources.language: - dashed_name: threat-enrichments-indicator-file-pe-resources-language - description: Language identification. 
- example: CHINESE SIMPLIFIED - flat_name: threat.enrichments.indicator.file.pe.resources.language +threat.enrichments.indicator.file.pe.architecture: + dashed_name: threat-enrichments-indicator-file-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.enrichments.indicator.file.pe.architecture ignore_above: 1024 level: extended - name: resources.language + name: architecture normalize: [] original_fieldset: pe - short: Language identification. + short: CPU architecture target for the file. type: keyword -threat.enrichments.indicator.file.pe.resources.sha256: - dashed_name: threat-enrichments-indicator-file-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.enrichments.indicator.file.pe.resources.sha256 +threat.enrichments.indicator.file.pe.company: + dashed_name: threat-enrichments-indicator-file-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.indicator.file.pe.company ignore_above: 1024 level: extended - name: resources.sha256 + name: company normalize: [] original_fieldset: pe - short: SHA256 hash of resources section. + short: Internal company name of the file, provided at compile-time. type: keyword -threat.enrichments.indicator.file.pe.resources.type: - dashed_name: threat-enrichments-indicator-file-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.enrichments.indicator.file.pe.resources.type +threat.enrichments.indicator.file.pe.description: + dashed_name: threat-enrichments-indicator-file-pe-description + description: Internal description of the file, provided at compile-time. 
+ example: Paint + flat_name: threat.enrichments.indicator.file.pe.description ignore_above: 1024 level: extended - name: resources.type - normalize: - - array + name: description + normalize: [] original_fieldset: pe - short: List of resource types. + short: Internal description of the file, provided at compile-time. type: keyword -threat.enrichments.indicator.file.pe.rich_header.hash.md5: - dashed_name: threat-enrichments-indicator-file-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.enrichments.indicator.file.pe.rich_header.hash.md5 +threat.enrichments.indicator.file.pe.file_version: + dashed_name: threat-enrichments-indicator-file-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.indicator.file.pe.file_version ignore_above: 1024 level: extended - name: rich_header.hash.md5 + name: file_version normalize: [] original_fieldset: pe - short: MD5 hash of the header for the PE file. + short: Process name. type: keyword -threat.enrichments.indicator.file.pe.sections: - dashed_name: threat-enrichments-indicator-file-pe-sections - description: Data about sections of compiled binary PE - flat_name: threat.enrichments.indicator.file.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested -threat.enrichments.indicator.file.pe.sections.chi2: - dashed_name: threat-enrichments-indicator-file-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: threat.enrichments.indicator.file.pe.sections.chi2 - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. 
- type: long -threat.enrichments.indicator.file.pe.sections.entropy: - dashed_name: threat-enrichments-indicator-file-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: threat.enrichments.indicator.file.pe.sections.entropy - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float -threat.enrichments.indicator.file.pe.sections.flags: - dashed_name: threat-enrichments-indicator-file-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: threat.enrichments.indicator.file.pe.sections.flags +threat.enrichments.indicator.file.pe.imphash: + dashed_name: threat-enrichments-indicator-file-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.indicator.file.pe.imphash ignore_above: 1024 level: extended - name: sections.flags + name: imphash normalize: [] original_fieldset: pe - short: Section flags of the file. + short: A hash of the imports in a PE file. type: keyword -threat.enrichments.indicator.file.pe.sections.name: - dashed_name: threat-enrichments-indicator-file-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: threat.enrichments.indicator.file.pe.sections.name +threat.enrichments.indicator.file.pe.original_file_name: + dashed_name: threat-enrichments-indicator-file-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: threat.enrichments.indicator.file.pe.original_file_name ignore_above: 1024 level: extended - name: sections.name + name: original_file_name normalize: [] original_fieldset: pe - short: Section names of the file. + short: Internal name of the file, provided at compile-time. type: keyword -threat.enrichments.indicator.file.pe.sections.raw_size: - dashed_name: threat-enrichments-indicator-file-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: threat.enrichments.indicator.file.pe.sections.raw_size - format: bytes - level: extended - name: sections.raw_size - normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long -threat.enrichments.indicator.file.pe.sections.virtual_address: - dashed_name: threat-enrichments-indicator-file-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: threat.enrichments.indicator.file.pe.sections.virtual_address - format: bytes +threat.enrichments.indicator.file.pe.product: + dashed_name: threat-enrichments-indicator-file-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.indicator.file.pe.product + ignore_above: 1024 level: extended - name: sections.virtual_address + name: product normalize: [] original_fieldset: pe - short: Virtual address available to the file. - type: long + short: Internal product name of the file, provided at compile-time. + type: keyword threat.enrichments.indicator.file.size: dashed_name: threat-enrichments-indicator-file-size description: 'File size in bytes. 
@@ -14672,18 +12817,6 @@ threat.indicator.file.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -threat.indicator.file.pe.authentihash: - dashed_name: threat-indicator-file-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.indicator.file.pe.authentihash - ignore_above: 1024 - level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. - type: keyword threat.indicator.file.pe.company: dashed_name: threat-indicator-file-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -14696,113 +12829,6 @@ threat.indicator.file.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -threat.indicator.file.pe.compile_timestamp: - dashed_name: threat-indicator-file-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.file.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date -threat.indicator.file.pe.compiler.name: - dashed_name: threat-indicator-file-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: threat.indicator.file.pe.compiler.name - ignore_above: 1024 - level: extended - name: compiler.name - normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword -threat.indicator.file.pe.compiler.version: - dashed_name: threat-indicator-file-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: threat.indicator.file.pe.compiler.version - ignore_above: 1024 - level: extended - name: compiler.version - normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword -threat.indicator.file.pe.creation_date: - dashed_name: threat-indicator-file-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.file.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date -threat.indicator.file.pe.debug: - dashed_name: threat-indicator-file-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' 
- flat_name: threat.indicator.file.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested -threat.indicator.file.pe.debug.offset: - dashed_name: threat-indicator-file-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: threat.indicator.file.pe.debug.offset - ignore_above: 1024 - level: extended - name: debug.offset - normalize: [] - original_fieldset: pe - short: Debug offset information. - type: keyword -threat.indicator.file.pe.debug.size: - dashed_name: threat-indicator-file-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: threat.indicator.file.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long -threat.indicator.file.pe.debug.timestamp: - dashed_name: threat-indicator-file-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.file.pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date -threat.indicator.file.pe.debug.type: - dashed_name: threat-indicator-file-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.indicator.file.pe.debug.type - ignore_above: 1024 - level: extended - name: debug.type - normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. - type: keyword threat.indicator.file.pe.description: dashed_name: threat-indicator-file-pe-description description: Internal description of the file, provided at compile-time. 
@@ -14815,31 +12841,6 @@ threat.indicator.file.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -threat.indicator.file.pe.entry_point: - dashed_name: threat-indicator-file-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: threat.indicator.file.pe.entry_point - ignore_above: 1024 - level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword -threat.indicator.file.pe.exports: - dashed_name: threat-indicator-file-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.indicator.file.pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword threat.indicator.file.pe.file_version: dashed_name: threat-indicator-file-pe-file-version description: Internal version of the file, provided at compile-time. @@ -14852,19 +12853,6 @@ threat.indicator.file.pe.file_version: original_fieldset: pe short: Process name. type: keyword -threat.indicator.file.pe.icon.hash.dhash: - dashed_name: threat-indicator-file-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: threat.indicator.file.pe.icon.hash.dhash - ignore_above: 1024 - level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. - type: keyword threat.indicator.file.pe.imphash: dashed_name: threat-indicator-file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- 
@@ -14881,30 +12869,6 @@ threat.indicator.file.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -threat.indicator.file.pe.imports: - dashed_name: threat-indicator-file-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: threat.indicator.file.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened -threat.indicator.file.pe.machine_type: - dashed_name: threat-indicator-file-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: threat.indicator.file.pe.machine_type - ignore_above: 1024 - level: extended - name: machine_type - normalize: [] - original_fieldset: pe - short: Machine type of the PE file. - type: keyword threat.indicator.file.pe.original_file_name: dashed_name: threat-indicator-file-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -14917,19 +12881,6 @@ threat.indicator.file.pe.original_file_name: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword -threat.indicator.file.pe.packers: - dashed_name: threat-indicator-file-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.indicator.file.pe.packers - ignore_above: 1024 - level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. - type: keyword threat.indicator.file.pe.product: dashed_name: threat-indicator-file-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -14942,183 +12893,6 @@ threat.indicator.file.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -threat.indicator.file.pe.resources: - dashed_name: threat-indicator-file-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.indicator.file.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested -threat.indicator.file.pe.resources.chi2: - dashed_name: threat-indicator-file-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: threat.indicator.file.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -threat.indicator.file.pe.resources.entropy: - dashed_name: threat-indicator-file-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: threat.indicator.file.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long -threat.indicator.file.pe.resources.filetype: - dashed_name: threat-indicator-file-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: threat.indicator.file.pe.resources.filetype - ignore_above: 1024 - level: extended - name: resources.filetype - normalize: [] - original_fieldset: pe - short: File type of the resources section. - type: keyword -threat.indicator.file.pe.resources.language: - dashed_name: threat-indicator-file-pe-resources-language - description: Language identification. 
- example: CHINESE SIMPLIFIED - flat_name: threat.indicator.file.pe.resources.language - ignore_above: 1024 - level: extended - name: resources.language - normalize: [] - original_fieldset: pe - short: Language identification. - type: keyword -threat.indicator.file.pe.resources.sha256: - dashed_name: threat-indicator-file-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.indicator.file.pe.resources.sha256 - ignore_above: 1024 - level: extended - name: resources.sha256 - normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. - type: keyword -threat.indicator.file.pe.resources.type: - dashed_name: threat-indicator-file-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.indicator.file.pe.resources.type - ignore_above: 1024 - level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. - type: keyword -threat.indicator.file.pe.rich_header.hash.md5: - dashed_name: threat-indicator-file-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.indicator.file.pe.rich_header.hash.md5 - ignore_above: 1024 - level: extended - name: rich_header.hash.md5 - normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. 
- type: keyword -threat.indicator.file.pe.sections: - dashed_name: threat-indicator-file-pe-sections - description: Data about sections of compiled binary PE - flat_name: threat.indicator.file.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested -threat.indicator.file.pe.sections.chi2: - dashed_name: threat-indicator-file-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: threat.indicator.file.pe.sections.chi2 - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -threat.indicator.file.pe.sections.entropy: - dashed_name: threat-indicator-file-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: threat.indicator.file.pe.sections.entropy - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float -threat.indicator.file.pe.sections.flags: - dashed_name: threat-indicator-file-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: threat.indicator.file.pe.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: pe - short: Section flags of the file. - type: keyword -threat.indicator.file.pe.sections.name: - dashed_name: threat-indicator-file-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: threat.indicator.file.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: Section names of the file. 
- type: keyword -threat.indicator.file.pe.sections.raw_size: - dashed_name: threat-indicator-file-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: threat.indicator.file.pe.sections.raw_size - format: bytes - level: extended - name: sections.raw_size - normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long -threat.indicator.file.pe.sections.virtual_address: - dashed_name: threat-indicator-file-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: threat.indicator.file.pe.sections.virtual_address - format: bytes - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long threat.indicator.file.size: dashed_name: threat-indicator-file-size description: 'File size in bytes. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index db3c71822..bd9e1a2bf 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -2348,18 +2348,6 @@ dll: original_fieldset: pe short: CPU architecture target for the file. type: keyword - dll.pe.authentihash: - dashed_name: dll-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: dll.pe.authentihash - ignore_above: 1024 - level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. - type: keyword dll.pe.company: dashed_name: dll-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -2372,113 +2360,6 @@ dll: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - dll.pe.compile_timestamp: - dashed_name: dll-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: dll.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date - dll.pe.compiler.name: - dashed_name: dll-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: dll.pe.compiler.name - ignore_above: 1024 - level: extended - name: compiler.name - normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword - dll.pe.compiler.version: - dashed_name: dll-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: dll.pe.compiler.version - ignore_above: 1024 - level: extended - name: compiler.version - normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword - dll.pe.creation_date: - dashed_name: dll-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: dll.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date - dll.pe.debug: - dashed_name: dll-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: dll.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested - dll.pe.debug.offset: - dashed_name: dll-pe-debug-offset - description: Debug offset information. 
- example: 1296336 - flat_name: dll.pe.debug.offset - ignore_above: 1024 - level: extended - name: debug.offset - normalize: [] - original_fieldset: pe - short: Debug offset information. - type: keyword - dll.pe.debug.size: - dashed_name: dll-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: dll.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long - dll.pe.debug.timestamp: - dashed_name: dll-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: dll.pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date - dll.pe.debug.type: - dashed_name: dll-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: dll.pe.debug.type - ignore_above: 1024 - level: extended - name: debug.type - normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. - type: keyword dll.pe.description: dashed_name: dll-pe-description description: Internal description of the file, provided at compile-time. 
@@ -2491,31 +2372,6 @@ dll: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword - dll.pe.entry_point: - dashed_name: dll-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: dll.pe.entry_point - ignore_above: 1024 - level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword - dll.pe.exports: - dashed_name: dll-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: dll.pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword dll.pe.file_version: dashed_name: dll-pe-file-version description: Internal version of the file, provided at compile-time. @@ -2528,20 +2384,6 @@ dll: original_fieldset: pe short: Process name. type: keyword - dll.pe.icon.hash.dhash: - dashed_name: dll-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: dll.pe.icon.hash.dhash - ignore_above: 1024 - level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or - thumbnail. - type: keyword dll.pe.imphash: dashed_name: dll-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -2558,30 +2400,6 @@ dll: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - dll.pe.imports: - dashed_name: dll-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: dll.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened - dll.pe.machine_type: - dashed_name: dll-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: dll.pe.machine_type - ignore_above: 1024 - level: extended - name: machine_type - normalize: [] - original_fieldset: pe - short: Machine type of the PE file. - type: keyword dll.pe.original_file_name: dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -2594,19 +2412,6 @@ dll: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword - dll.pe.packers: - dashed_name: dll-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: dll.pe.packers - ignore_above: 1024 - level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. - type: keyword dll.pe.product: dashed_name: dll-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -2619,183 +2424,6 @@ dll: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - dll.pe.resources: - dashed_name: dll-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: dll.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested - dll.pe.resources.chi2: - dashed_name: dll-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: dll.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - dll.pe.resources.entropy: - dashed_name: dll-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: dll.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long - dll.pe.resources.filetype: - dashed_name: dll-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: dll.pe.resources.filetype - ignore_above: 1024 - level: extended - name: resources.filetype - normalize: [] - original_fieldset: pe - short: File type of the resources section. - type: keyword - dll.pe.resources.language: - dashed_name: dll-pe-resources-language - description: Language identification. - example: CHINESE SIMPLIFIED - flat_name: dll.pe.resources.language - ignore_above: 1024 - level: extended - name: resources.language - normalize: [] - original_fieldset: pe - short: Language identification. - type: keyword - dll.pe.resources.sha256: - dashed_name: dll-pe-resources-sha256 - description: SHA256 hash of resources section. 
- example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: dll.pe.resources.sha256 - ignore_above: 1024 - level: extended - name: resources.sha256 - normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. - type: keyword - dll.pe.resources.type: - dashed_name: dll-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: dll.pe.resources.type - ignore_above: 1024 - level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. - type: keyword - dll.pe.rich_header.hash.md5: - dashed_name: dll-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: dll.pe.rich_header.hash.md5 - ignore_above: 1024 - level: extended - name: rich_header.hash.md5 - normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. - type: keyword - dll.pe.sections: - dashed_name: dll-pe-sections - description: Data about sections of compiled binary PE - flat_name: dll.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested - dll.pe.sections.chi2: - dashed_name: dll-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: dll.pe.sections.chi2 - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - dll.pe.sections.entropy: - dashed_name: dll-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: dll.pe.sections.entropy - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. 
- type: float - dll.pe.sections.flags: - dashed_name: dll-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: dll.pe.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: pe - short: Section flags of the file. - type: keyword - dll.pe.sections.name: - dashed_name: dll-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: dll.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: Section names of the file. - type: keyword - dll.pe.sections.raw_size: - dashed_name: dll-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: dll.pe.sections.raw_size - format: bytes - level: extended - name: sections.raw_size - normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long - dll.pe.sections.virtual_address: - dashed_name: dll-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: dll.pe.sections.virtual_address - format: bytes - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long group: 2 name: dll nestings: 
@@ -5413,18 +5041,6 @@ file: original_fieldset: pe short: CPU architecture target for the file. type: keyword - file.pe.authentihash: - dashed_name: file-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: file.pe.authentihash - ignore_above: 1024 - level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. - type: keyword file.pe.company: dashed_name: file-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -5437,113 +5053,6 @@ file: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - file.pe.compile_timestamp: - dashed_name: file-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: file.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date - file.pe.compiler.name: - dashed_name: file-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: file.pe.compiler.name - ignore_above: 1024 - level: extended - name: compiler.name - normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword - file.pe.compiler.version: - dashed_name: file-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: file.pe.compiler.version - ignore_above: 1024 - level: extended - name: compiler.version - normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword - file.pe.creation_date: - dashed_name: file-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: file.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date - file.pe.debug: - dashed_name: file-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: file.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested - file.pe.debug.offset: - dashed_name: file-pe-debug-offset - description: Debug offset information. 
- example: 1296336 - flat_name: file.pe.debug.offset - ignore_above: 1024 - level: extended - name: debug.offset - normalize: [] - original_fieldset: pe - short: Debug offset information. - type: keyword - file.pe.debug.size: - dashed_name: file-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: file.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long - file.pe.debug.timestamp: - dashed_name: file-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: file.pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date - file.pe.debug.type: - dashed_name: file-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: file.pe.debug.type - ignore_above: 1024 - level: extended - name: debug.type - normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. - type: keyword file.pe.description: dashed_name: file-pe-description description: Internal description of the file, provided at compile-time. 
@@ -5556,31 +5065,6 @@ file: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword - file.pe.entry_point: - dashed_name: file-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: file.pe.entry_point - ignore_above: 1024 - level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword - file.pe.exports: - dashed_name: file-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: file.pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword file.pe.file_version: dashed_name: file-pe-file-version description: Internal version of the file, provided at compile-time. @@ -5593,20 +5077,6 @@ file: original_fieldset: pe short: Process name. type: keyword - file.pe.icon.hash.dhash: - dashed_name: file-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: file.pe.icon.hash.dhash - ignore_above: 1024 - level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or - thumbnail. - type: keyword file.pe.imphash: dashed_name: file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -5623,30 +5093,6 @@ file: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - file.pe.imports: - dashed_name: file-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: file.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened - file.pe.machine_type: - dashed_name: file-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: file.pe.machine_type - ignore_above: 1024 - level: extended - name: machine_type - normalize: [] - original_fieldset: pe - short: Machine type of the PE file. - type: keyword file.pe.original_file_name: dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -5659,19 +5105,6 @@ file: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword - file.pe.packers: - dashed_name: file-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: file.pe.packers - ignore_above: 1024 - level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. - type: keyword file.pe.product: dashed_name: file-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -5684,183 +5117,6 @@ file: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - file.pe.resources: - dashed_name: file-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: file.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested - file.pe.resources.chi2: - dashed_name: file-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: file.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - file.pe.resources.entropy: - dashed_name: file-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: file.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long - file.pe.resources.filetype: - dashed_name: file-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: file.pe.resources.filetype - ignore_above: 1024 - level: extended - name: resources.filetype - normalize: [] - original_fieldset: pe - short: File type of the resources section. - type: keyword - file.pe.resources.language: - dashed_name: file-pe-resources-language - description: Language identification. - example: CHINESE SIMPLIFIED - flat_name: file.pe.resources.language - ignore_above: 1024 - level: extended - name: resources.language - normalize: [] - original_fieldset: pe - short: Language identification. - type: keyword - file.pe.resources.sha256: - dashed_name: file-pe-resources-sha256 - description: SHA256 hash of resources section. 
- example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: file.pe.resources.sha256 - ignore_above: 1024 - level: extended - name: resources.sha256 - normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. - type: keyword - file.pe.resources.type: - dashed_name: file-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: file.pe.resources.type - ignore_above: 1024 - level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. - type: keyword - file.pe.rich_header.hash.md5: - dashed_name: file-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: file.pe.rich_header.hash.md5 - ignore_above: 1024 - level: extended - name: rich_header.hash.md5 - normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. - type: keyword - file.pe.sections: - dashed_name: file-pe-sections - description: Data about sections of compiled binary PE - flat_name: file.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested - file.pe.sections.chi2: - dashed_name: file-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: file.pe.sections.chi2 - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - file.pe.sections.entropy: - dashed_name: file-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: file.pe.sections.entropy - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. 
- type: float - file.pe.sections.flags: - dashed_name: file-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: file.pe.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: pe - short: Section flags of the file. - type: keyword - file.pe.sections.name: - dashed_name: file-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: file.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: Section names of the file. - type: keyword - file.pe.sections.raw_size: - dashed_name: file-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: file.pe.sections.raw_size - format: bytes - level: extended - name: sections.raw_size - normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long - file.pe.sections.virtual_address: - dashed_name: file-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: file.pe.sections.virtual_address - format: bytes - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long file.size: dashed_name: file-size description: 'File size in bytes. 
@@ -8665,17 +7921,6 @@ pe: normalize: [] short: CPU architecture target for the file. type: keyword - pe.authentihash: - dashed_name: pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: pe.authentihash - ignore_above: 1024 - level: extended - name: authentihash - normalize: [] - short: Authentihash of the PE file. - type: keyword pe.company: dashed_name: pe-company description: Internal company name of the file, provided at compile-time. 
@@ -8687,104 +7932,6 @@ pe: normalize: [] short: Internal company name of the file, provided at compile-time. type: keyword - pe.compile_timestamp: - dashed_name: pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - short: Compile timestamp of the PE file. - type: date - pe.compiler.name: - dashed_name: pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: pe.compiler.name - ignore_above: 1024 - level: extended - name: compiler.name - normalize: [] - short: Name of the compiler - type: keyword - pe.compiler.version: - dashed_name: pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: pe.compiler.version - ignore_above: 1024 - level: extended - name: compiler.version - normalize: [] - short: Version of the compiler. - type: keyword - pe.creation_date: - dashed_name: pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: pe.creation_date - level: extended - name: creation_date - normalize: [] - short: Build or compile date. - type: date - pe.debug: - dashed_name: pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: pe.debug - level: extended - name: debug - normalize: - - array - short: Debug information - type: nested - pe.debug.offset: - dashed_name: pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: pe.debug.offset - ignore_above: 1024 - level: extended - name: debug.offset - normalize: [] - short: Debug offset information. 
- type: keyword - pe.debug.size: - dashed_name: pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - short: Size of the debug information. - type: long - pe.debug.timestamp: - dashed_name: pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - short: Timestamp of the debug information. - type: date - pe.debug.type: - dashed_name: pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: pe.debug.type - ignore_above: 1024 - level: extended - name: debug.type - normalize: [] - short: Information type generated by the debug options. - type: keyword pe.description: dashed_name: pe-description description: Internal description of the file, provided at compile-time. @@ -8796,29 +7943,6 @@ pe: normalize: [] short: Internal description of the file, provided at compile-time. type: keyword - pe.entry_point: - dashed_name: pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: pe.entry_point - ignore_above: 1024 - level: extended - name: entry_point - normalize: [] - short: Relative byte offset to the base of the PE file. - type: keyword - pe.exports: - dashed_name: pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - short: List of symbols exported by PE - type: keyword pe.file_version: dashed_name: pe-file-version description: Internal version of the file, provided at compile-time. 
@@ -8830,19 +7954,6 @@ pe: normalize: [] short: Process name. type: keyword - pe.icon.hash.dhash: - dashed_name: pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: pe.icon.hash.dhash - ignore_above: 1024 - level: extended - name: icon.hash.dhash - normalize: [] - short: Difference Hash (dhash) to find files with a visually similar icon or - thumbnail. - type: keyword pe.imphash: dashed_name: pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash @@ -8858,28 +7969,6 @@ pe: normalize: [] short: A hash of the imports in a PE file. type: keyword - pe.imports: - dashed_name: pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: pe.imports - level: extended - name: imports - normalize: [] - short: List of all imported functions - type: flattened - pe.machine_type: - dashed_name: pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: pe.machine_type - ignore_above: 1024 - level: extended - name: machine_type - normalize: [] - short: Machine type of the PE file. - type: keyword pe.original_file_name: dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -8891,18 +7980,6 @@ pe: normalize: [] short: Internal name of the file, provided at compile-time. type: keyword - pe.packers: - dashed_name: pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: pe.packers - ignore_above: 1024 - level: extended - name: packers - normalize: - - array - short: List of packers and tools used. - type: keyword pe.product: dashed_name: pe-product description: Internal product name of the file, provided at compile-time. 
@@ -8914,168 +7991,6 @@ pe: normalize: [] short: Internal product name of the file, provided at compile-time. type: keyword - pe.resources: - dashed_name: pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: pe.resources - level: extended - name: resources - normalize: - - array - short: PE resource information - type: nested - pe.resources.chi2: - dashed_name: pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - short: Chi-square probability distribution. - type: long - pe.resources.entropy: - dashed_name: pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - short: Measurement of entropy randomness in the resources section. - type: long - pe.resources.filetype: - dashed_name: pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: pe.resources.filetype - ignore_above: 1024 - level: extended - name: resources.filetype - normalize: [] - short: File type of the resources section. - type: keyword - pe.resources.language: - dashed_name: pe-resources-language - description: Language identification. - example: CHINESE SIMPLIFIED - flat_name: pe.resources.language - ignore_above: 1024 - level: extended - name: resources.language - normalize: [] - short: Language identification. - type: keyword - pe.resources.sha256: - dashed_name: pe-resources-sha256 - description: SHA256 hash of resources section. 
- example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: pe.resources.sha256 - ignore_above: 1024 - level: extended - name: resources.sha256 - normalize: [] - short: SHA256 hash of resources section. - type: keyword - pe.resources.type: - dashed_name: pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: pe.resources.type - ignore_above: 1024 - level: extended - name: resources.type - normalize: - - array - short: List of resource types. - type: keyword - pe.rich_header.hash.md5: - dashed_name: pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: pe.rich_header.hash.md5 - ignore_above: 1024 - level: extended - name: rich_header.hash.md5 - normalize: [] - short: MD5 hash of the header for the PE file. - type: keyword - pe.sections: - dashed_name: pe-sections - description: Data about sections of compiled binary PE - flat_name: pe.sections - level: extended - name: sections - normalize: - - array - short: Data about sections of the compiled binary PE - type: nested - pe.sections.chi2: - dashed_name: pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: pe.sections.chi2 - level: extended - name: sections.chi2 - normalize: [] - short: Chi-square probability distribution. - type: long - pe.sections.entropy: - dashed_name: pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: pe.sections.entropy - level: extended - name: sections.entropy - normalize: [] - short: Measurement of entropy randomness in the file. - type: float - pe.sections.flags: - dashed_name: pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: pe.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - short: Section flags of the file. 
- type: keyword - pe.sections.name: - dashed_name: pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - short: Section names of the file. - type: keyword - pe.sections.raw_size: - dashed_name: pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: pe.sections.raw_size - format: bytes - level: extended - name: sections.raw_size - normalize: [] - short: Size of the section or the dize of the initialized data on disk. - type: long - pe.sections.virtual_address: - dashed_name: pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: pe.sections.virtual_address - format: bytes - level: extended - name: sections.virtual_address - normalize: [] - short: Virtual address available to the file. - type: long group: 2 name: pe prefix: pe. @@ -10377,18 +9292,6 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword - process.parent.pe.authentihash: - dashed_name: process-parent-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: process.parent.pe.authentihash - ignore_above: 1024 - level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. - type: keyword process.parent.pe.company: dashed_name: process-parent-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -10401,216 +9304,46 @@ process: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - process.parent.pe.compile_timestamp: - dashed_name: process-parent-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: process.parent.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date - process.parent.pe.compiler.name: - dashed_name: process-parent-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: process.parent.pe.compiler.name + process.parent.pe.description: + dashed_name: process-parent-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.parent.pe.description ignore_above: 1024 level: extended - name: compiler.name + name: description normalize: [] original_fieldset: pe - short: Name of the compiler + short: Internal description of the file, provided at compile-time. type: keyword - process.parent.pe.compiler.version: - dashed_name: process-parent-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: process.parent.pe.compiler.version + process.parent.pe.file_version: + dashed_name: process-parent-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.parent.pe.file_version ignore_above: 1024 level: extended - name: compiler.version + name: file_version normalize: [] original_fieldset: pe - short: Version of the compiler. + short: Process name. type: keyword - process.parent.pe.creation_date: - dashed_name: process-parent-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. 
- example: '2020-11-05T17:25:47.000Z' - flat_name: process.parent.pe.creation_date + process.parent.pe.imphash: + dashed_name: process-parent-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.parent.pe.imphash + ignore_above: 1024 level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date - process.parent.pe.debug: - dashed_name: process-parent-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: process.parent.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested - process.parent.pe.debug.offset: - dashed_name: process-parent-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: process.parent.pe.debug.offset - ignore_above: 1024 - level: extended - name: debug.offset - normalize: [] - original_fieldset: pe - short: Debug offset information. - type: keyword - process.parent.pe.debug.size: - dashed_name: process-parent-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: process.parent.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long - process.parent.pe.debug.timestamp: - dashed_name: process-parent-pe-debug-timestamp - description: Timestamp of the debug information. 
- example: '2020-11-05T17:25:47.000Z' - flat_name: process.parent.pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date - process.parent.pe.debug.type: - dashed_name: process-parent-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: process.parent.pe.debug.type - ignore_above: 1024 - level: extended - name: debug.type - normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. - type: keyword - process.parent.pe.description: - dashed_name: process-parent-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.parent.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.parent.pe.entry_point: - dashed_name: process-parent-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: process.parent.pe.entry_point - ignore_above: 1024 - level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword - process.parent.pe.exports: - dashed_name: process-parent-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: process.parent.pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword - process.parent.pe.file_version: - dashed_name: process-parent-pe-file-version - description: Internal version of the file, provided at compile-time. 
- example: 6.3.9600.17415 - flat_name: process.parent.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.parent.pe.icon.hash.dhash: - dashed_name: process-parent-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: process.parent.pe.icon.hash.dhash - ignore_above: 1024 - level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or - thumbnail. - type: keyword - process.parent.pe.imphash: - dashed_name: process-parent-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.parent.pe.imphash - ignore_above: 1024 - level: extended - name: imphash + name: imphash normalize: [] original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - process.parent.pe.imports: - dashed_name: process-parent-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: process.parent.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened - process.parent.pe.machine_type: - dashed_name: process-parent-pe-machine-type - description: Machine type of the PE file. 
- example: Intel 386 or later, and compatibles - flat_name: process.parent.pe.machine_type - ignore_above: 1024 - level: extended - name: machine_type - normalize: [] - original_fieldset: pe - short: Machine type of the PE file. - type: keyword process.parent.pe.original_file_name: dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -10623,19 +9356,6 @@ process: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword - process.parent.pe.packers: - dashed_name: process-parent-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: process.parent.pe.packers - ignore_above: 1024 - level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. - type: keyword process.parent.pe.product: dashed_name: process-parent-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -10648,183 +9368,6 @@ process: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - process.parent.pe.resources: - dashed_name: process-parent-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: process.parent.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested - process.parent.pe.resources.chi2: - dashed_name: process-parent-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: process.parent.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - process.parent.pe.resources.entropy: - dashed_name: process-parent-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: process.parent.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long - process.parent.pe.resources.filetype: - dashed_name: process-parent-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: process.parent.pe.resources.filetype - ignore_above: 1024 - level: extended - name: resources.filetype - normalize: [] - original_fieldset: pe - short: File type of the resources section. - type: keyword - process.parent.pe.resources.language: - dashed_name: process-parent-pe-resources-language - description: Language identification. 
- example: CHINESE SIMPLIFIED - flat_name: process.parent.pe.resources.language - ignore_above: 1024 - level: extended - name: resources.language - normalize: [] - original_fieldset: pe - short: Language identification. - type: keyword - process.parent.pe.resources.sha256: - dashed_name: process-parent-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: process.parent.pe.resources.sha256 - ignore_above: 1024 - level: extended - name: resources.sha256 - normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. - type: keyword - process.parent.pe.resources.type: - dashed_name: process-parent-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: process.parent.pe.resources.type - ignore_above: 1024 - level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. - type: keyword - process.parent.pe.rich_header.hash.md5: - dashed_name: process-parent-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: process.parent.pe.rich_header.hash.md5 - ignore_above: 1024 - level: extended - name: rich_header.hash.md5 - normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. - type: keyword - process.parent.pe.sections: - dashed_name: process-parent-pe-sections - description: Data about sections of compiled binary PE - flat_name: process.parent.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested - process.parent.pe.sections.chi2: - dashed_name: process-parent-pe-sections-chi2 - description: Chi-square probability distribution. 
- example: 3027194 - flat_name: process.parent.pe.sections.chi2 - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - process.parent.pe.sections.entropy: - dashed_name: process-parent-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: process.parent.pe.sections.entropy - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float - process.parent.pe.sections.flags: - dashed_name: process-parent-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: process.parent.pe.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: pe - short: Section flags of the file. - type: keyword - process.parent.pe.sections.name: - dashed_name: process-parent-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: process.parent.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: Section names of the file. - type: keyword - process.parent.pe.sections.raw_size: - dashed_name: process-parent-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: process.parent.pe.sections.raw_size - format: bytes - level: extended - name: sections.raw_size - normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long - process.parent.pe.sections.virtual_address: - dashed_name: process-parent-pe-sections-virtual-address - description: Virtual address available to the file. 
- example: 8192 - flat_name: process.parent.pe.sections.virtual_address - format: bytes - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long process.parent.pgid: dashed_name: process-parent-pgid description: Identifier of the group of processes the process belongs to. @@ -10940,18 +9483,6 @@ process: original_fieldset: pe short: CPU architecture target for the file. type: keyword - process.pe.authentihash: - dashed_name: process-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: process.pe.authentihash - ignore_above: 1024 - level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. - type: keyword process.pe.company: dashed_name: process-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -10959,435 +9490,75 @@ process: flat_name: process.pe.company ignore_above: 1024 level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - process.pe.compile_timestamp: - dashed_name: process-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: process.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date - process.pe.compiler.name: - dashed_name: process-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: process.pe.compiler.name - ignore_above: 1024 - level: extended - name: compiler.name - normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword - process.pe.compiler.version: - dashed_name: process-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: process.pe.compiler.version - ignore_above: 1024 - level: extended - name: compiler.version - normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword - process.pe.creation_date: - dashed_name: process-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: process.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date - process.pe.debug: - dashed_name: process-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' 
- flat_name: process.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested - process.pe.debug.offset: - dashed_name: process-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: process.pe.debug.offset - ignore_above: 1024 - level: extended - name: debug.offset - normalize: [] - original_fieldset: pe - short: Debug offset information. - type: keyword - process.pe.debug.size: - dashed_name: process-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: process.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long - process.pe.debug.timestamp: - dashed_name: process-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: process.pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date - process.pe.debug.type: - dashed_name: process-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: process.pe.debug.type - ignore_above: 1024 - level: extended - name: debug.type - normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. - type: keyword - process.pe.description: - dashed_name: process-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: process.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - process.pe.entry_point: - dashed_name: process-pe-entry-point - description: Relative byte offset to the base of the PE file. 
- example: 25856 - flat_name: process.pe.entry_point - ignore_above: 1024 - level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword - process.pe.exports: - dashed_name: process-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: process.pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword - process.pe.file_version: - dashed_name: process-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: process.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - process.pe.icon.hash.dhash: - dashed_name: process-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: process.pe.icon.hash.dhash - ignore_above: 1024 - level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or - thumbnail. - type: keyword - process.pe.imphash: - dashed_name: process-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: process.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - process.pe.imports: - dashed_name: process-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: process.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened - process.pe.machine_type: - dashed_name: process-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: process.pe.machine_type - ignore_above: 1024 - level: extended - name: machine_type - normalize: [] - original_fieldset: pe - short: Machine type of the PE file. - type: keyword - process.pe.original_file_name: - dashed_name: process-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: process.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - process.pe.packers: - dashed_name: process-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: process.pe.packers - ignore_above: 1024 - level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. - type: keyword - process.pe.product: - dashed_name: process-pe-product - description: Internal product name of the file, provided at compile-time. 
- example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: process.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - process.pe.resources: - dashed_name: process-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: process.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested - process.pe.resources.chi2: - dashed_name: process-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: process.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - process.pe.resources.entropy: - dashed_name: process-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: process.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long - process.pe.resources.filetype: - dashed_name: process-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: process.pe.resources.filetype - ignore_above: 1024 - level: extended - name: resources.filetype - normalize: [] - original_fieldset: pe - short: File type of the resources section. - type: keyword - process.pe.resources.language: - dashed_name: process-pe-resources-language - description: Language identification. 
- example: CHINESE SIMPLIFIED - flat_name: process.pe.resources.language - ignore_above: 1024 - level: extended - name: resources.language - normalize: [] - original_fieldset: pe - short: Language identification. - type: keyword - process.pe.resources.sha256: - dashed_name: process-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: process.pe.resources.sha256 - ignore_above: 1024 - level: extended - name: resources.sha256 - normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. - type: keyword - process.pe.resources.type: - dashed_name: process-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: process.pe.resources.type - ignore_above: 1024 - level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. - type: keyword - process.pe.rich_header.hash.md5: - dashed_name: process-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: process.pe.rich_header.hash.md5 - ignore_above: 1024 - level: extended - name: rich_header.hash.md5 - normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. - type: keyword - process.pe.sections: - dashed_name: process-pe-sections - description: Data about sections of compiled binary PE - flat_name: process.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested - process.pe.sections.chi2: - dashed_name: process-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: process.pe.sections.chi2 - level: extended - name: sections.chi2 + name: company normalize: [] original_fieldset: pe - short: Chi-square probability distribution. 
- type: long - process.pe.sections.entropy: - dashed_name: process-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: process.pe.sections.entropy + short: Internal company name of the file, provided at compile-time. + type: keyword + process.pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.pe.description + ignore_above: 1024 level: extended - name: sections.entropy + name: description normalize: [] original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float - process.pe.sections.flags: - dashed_name: process-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: process.pe.sections.flags + short: Internal description of the file, provided at compile-time. + type: keyword + process.pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version ignore_above: 1024 level: extended - name: sections.flags + name: file_version normalize: [] original_fieldset: pe - short: Section flags of the file. + short: Process name. type: keyword - process.pe.sections.name: - dashed_name: process-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: process.pe.sections.name + process.pe.imphash: + dashed_name: process-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: process.pe.imphash ignore_above: 1024 level: extended - name: sections.name + name: imphash normalize: [] original_fieldset: pe - short: Section names of the file. + short: A hash of the imports in a PE file. type: keyword - process.pe.sections.raw_size: - dashed_name: process-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: process.pe.sections.raw_size - format: bytes + process.pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name + ignore_above: 1024 level: extended - name: sections.raw_size + name: original_file_name normalize: [] original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long - process.pe.sections.virtual_address: - dashed_name: process-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: process.pe.sections.virtual_address - format: bytes + short: Internal name of the file, provided at compile-time. + type: keyword + process.pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: process.pe.product + ignore_above: 1024 level: extended - name: sections.virtual_address + name: product normalize: [] original_fieldset: pe - short: Virtual address available to the file. - type: long + short: Internal product name of the file, provided at compile-time. + type: keyword process.pgid: dashed_name: process-pgid description: Identifier of the group of processes the process belongs to. 
@@ -14154,472 +12325,100 @@ threat: multi_fields: - flat_name: threat.enrichments.indicator.file.path.text name: text - type: match_only_text - name: path - normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. - type: keyword - threat.enrichments.indicator.file.pe.architecture: - dashed_name: threat-enrichments-indicator-file-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.enrichments.indicator.file.pe.architecture - ignore_above: 1024 - level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword - threat.enrichments.indicator.file.pe.authentihash: - dashed_name: threat-enrichments-indicator-file-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.enrichments.indicator.file.pe.authentihash - ignore_above: 1024 - level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. - type: keyword - threat.enrichments.indicator.file.pe.company: - dashed_name: threat-enrichments-indicator-file-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: threat.enrichments.indicator.file.pe.company - ignore_above: 1024 - level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. - type: keyword - threat.enrichments.indicator.file.pe.compile_timestamp: - dashed_name: threat-enrichments-indicator-file-pe-compile-timestamp - description: Compile timestamp of the PE file. 
- example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.file.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date - threat.enrichments.indicator.file.pe.compiler.name: - dashed_name: threat-enrichments-indicator-file-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: threat.enrichments.indicator.file.pe.compiler.name - ignore_above: 1024 - level: extended - name: compiler.name - normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword - threat.enrichments.indicator.file.pe.compiler.version: - dashed_name: threat-enrichments-indicator-file-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: threat.enrichments.indicator.file.pe.compiler.version - ignore_above: 1024 - level: extended - name: compiler.version - normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword - threat.enrichments.indicator.file.pe.creation_date: - dashed_name: threat-enrichments-indicator-file-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.file.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date - threat.enrichments.indicator.file.pe.debug: - dashed_name: threat-enrichments-indicator-file-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' 
- flat_name: threat.enrichments.indicator.file.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested - threat.enrichments.indicator.file.pe.debug.offset: - dashed_name: threat-enrichments-indicator-file-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: threat.enrichments.indicator.file.pe.debug.offset - ignore_above: 1024 - level: extended - name: debug.offset - normalize: [] - original_fieldset: pe - short: Debug offset information. - type: keyword - threat.enrichments.indicator.file.pe.debug.size: - dashed_name: threat-enrichments-indicator-file-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: threat.enrichments.indicator.file.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long - threat.enrichments.indicator.file.pe.debug.timestamp: - dashed_name: threat-enrichments-indicator-file-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.file.pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date - threat.enrichments.indicator.file.pe.debug.type: - dashed_name: threat-enrichments-indicator-file-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.enrichments.indicator.file.pe.debug.type - ignore_above: 1024 - level: extended - name: debug.type - normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. 
- type: keyword - threat.enrichments.indicator.file.pe.description: - dashed_name: threat-enrichments-indicator-file-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: threat.enrichments.indicator.file.pe.description - ignore_above: 1024 - level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - threat.enrichments.indicator.file.pe.entry_point: - dashed_name: threat-enrichments-indicator-file-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: threat.enrichments.indicator.file.pe.entry_point - ignore_above: 1024 - level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword - threat.enrichments.indicator.file.pe.exports: - dashed_name: threat-enrichments-indicator-file-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.enrichments.indicator.file.pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword - threat.enrichments.indicator.file.pe.file_version: - dashed_name: threat-enrichments-indicator-file-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: threat.enrichments.indicator.file.pe.file_version - ignore_above: 1024 - level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - threat.enrichments.indicator.file.pe.icon.hash.dhash: - dashed_name: threat-enrichments-indicator-file-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. 
- example: b806e17c8e330d82 - flat_name: threat.enrichments.indicator.file.pe.icon.hash.dhash - ignore_above: 1024 - level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or - thumbnail. - type: keyword - threat.enrichments.indicator.file.pe.imphash: - dashed_name: threat-enrichments-indicator-file-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.indicator.file.pe.imphash - ignore_above: 1024 - level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword - threat.enrichments.indicator.file.pe.imports: - dashed_name: threat-enrichments-indicator-file-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: threat.enrichments.indicator.file.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened - threat.enrichments.indicator.file.pe.machine_type: - dashed_name: threat-enrichments-indicator-file-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: threat.enrichments.indicator.file.pe.machine_type - ignore_above: 1024 - level: extended - name: machine_type - normalize: [] - original_fieldset: pe - short: Machine type of the PE file. 
- type: keyword - threat.enrichments.indicator.file.pe.original_file_name: - dashed_name: threat-enrichments-indicator-file-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: threat.enrichments.indicator.file.pe.original_file_name - ignore_above: 1024 - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - threat.enrichments.indicator.file.pe.packers: - dashed_name: threat-enrichments-indicator-file-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.enrichments.indicator.file.pe.packers - ignore_above: 1024 - level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. - type: keyword - threat.enrichments.indicator.file.pe.product: - dashed_name: threat-enrichments-indicator-file-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.indicator.file.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - threat.enrichments.indicator.file.pe.resources: - dashed_name: threat-enrichments-indicator-file-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' 
- flat_name: threat.enrichments.indicator.file.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested - threat.enrichments.indicator.file.pe.resources.chi2: - dashed_name: threat-enrichments-indicator-file-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: threat.enrichments.indicator.file.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - threat.enrichments.indicator.file.pe.resources.entropy: - dashed_name: threat-enrichments-indicator-file-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: threat.enrichments.indicator.file.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long - threat.enrichments.indicator.file.pe.resources.filetype: - dashed_name: threat-enrichments-indicator-file-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: threat.enrichments.indicator.file.pe.resources.filetype - ignore_above: 1024 - level: extended - name: resources.filetype + type: match_only_text + name: path normalize: [] - original_fieldset: pe - short: File type of the resources section. + original_fieldset: file + short: Full path to the file, including the file name. type: keyword - threat.enrichments.indicator.file.pe.resources.language: - dashed_name: threat-enrichments-indicator-file-pe-resources-language - description: Language identification. 
- example: CHINESE SIMPLIFIED - flat_name: threat.enrichments.indicator.file.pe.resources.language + threat.enrichments.indicator.file.pe.architecture: + dashed_name: threat-enrichments-indicator-file-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.enrichments.indicator.file.pe.architecture ignore_above: 1024 level: extended - name: resources.language + name: architecture normalize: [] original_fieldset: pe - short: Language identification. + short: CPU architecture target for the file. type: keyword - threat.enrichments.indicator.file.pe.resources.sha256: - dashed_name: threat-enrichments-indicator-file-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.enrichments.indicator.file.pe.resources.sha256 + threat.enrichments.indicator.file.pe.company: + dashed_name: threat-enrichments-indicator-file-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.indicator.file.pe.company ignore_above: 1024 level: extended - name: resources.sha256 + name: company normalize: [] original_fieldset: pe - short: SHA256 hash of resources section. + short: Internal company name of the file, provided at compile-time. type: keyword - threat.enrichments.indicator.file.pe.resources.type: - dashed_name: threat-enrichments-indicator-file-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.enrichments.indicator.file.pe.resources.type + threat.enrichments.indicator.file.pe.description: + dashed_name: threat-enrichments-indicator-file-pe-description + description: Internal description of the file, provided at compile-time. 
+ example: Paint + flat_name: threat.enrichments.indicator.file.pe.description ignore_above: 1024 level: extended - name: resources.type - normalize: - - array + name: description + normalize: [] original_fieldset: pe - short: List of resource types. + short: Internal description of the file, provided at compile-time. type: keyword - threat.enrichments.indicator.file.pe.rich_header.hash.md5: - dashed_name: threat-enrichments-indicator-file-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.enrichments.indicator.file.pe.rich_header.hash.md5 + threat.enrichments.indicator.file.pe.file_version: + dashed_name: threat-enrichments-indicator-file-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.indicator.file.pe.file_version ignore_above: 1024 level: extended - name: rich_header.hash.md5 + name: file_version normalize: [] original_fieldset: pe - short: MD5 hash of the header for the PE file. + short: Process name. type: keyword - threat.enrichments.indicator.file.pe.sections: - dashed_name: threat-enrichments-indicator-file-pe-sections - description: Data about sections of compiled binary PE - flat_name: threat.enrichments.indicator.file.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested - threat.enrichments.indicator.file.pe.sections.chi2: - dashed_name: threat-enrichments-indicator-file-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: threat.enrichments.indicator.file.pe.sections.chi2 - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. 
- type: long - threat.enrichments.indicator.file.pe.sections.entropy: - dashed_name: threat-enrichments-indicator-file-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: threat.enrichments.indicator.file.pe.sections.entropy - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float - threat.enrichments.indicator.file.pe.sections.flags: - dashed_name: threat-enrichments-indicator-file-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: threat.enrichments.indicator.file.pe.sections.flags + threat.enrichments.indicator.file.pe.imphash: + dashed_name: threat-enrichments-indicator-file-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.indicator.file.pe.imphash ignore_above: 1024 level: extended - name: sections.flags + name: imphash normalize: [] original_fieldset: pe - short: Section flags of the file. + short: A hash of the imports in a PE file. type: keyword - threat.enrichments.indicator.file.pe.sections.name: - dashed_name: threat-enrichments-indicator-file-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: threat.enrichments.indicator.file.pe.sections.name + threat.enrichments.indicator.file.pe.original_file_name: + dashed_name: threat-enrichments-indicator-file-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: threat.enrichments.indicator.file.pe.original_file_name ignore_above: 1024 level: extended - name: sections.name + name: original_file_name normalize: [] original_fieldset: pe - short: Section names of the file. + short: Internal name of the file, provided at compile-time. type: keyword - threat.enrichments.indicator.file.pe.sections.raw_size: - dashed_name: threat-enrichments-indicator-file-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: threat.enrichments.indicator.file.pe.sections.raw_size - format: bytes - level: extended - name: sections.raw_size - normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long - threat.enrichments.indicator.file.pe.sections.virtual_address: - dashed_name: threat-enrichments-indicator-file-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: threat.enrichments.indicator.file.pe.sections.virtual_address - format: bytes + threat.enrichments.indicator.file.pe.product: + dashed_name: threat-enrichments-indicator-file-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.indicator.file.pe.product + ignore_above: 1024 level: extended - name: sections.virtual_address + name: product normalize: [] original_fieldset: pe - short: Virtual address available to the file. - type: long + short: Internal product name of the file, provided at compile-time. + type: keyword threat.enrichments.indicator.file.size: dashed_name: threat-enrichments-indicator-file-size description: 'File size in bytes. 
@@ -16846,18 +14645,6 @@ threat: original_fieldset: pe short: CPU architecture target for the file. type: keyword - threat.indicator.file.pe.authentihash: - dashed_name: threat-indicator-file-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.indicator.file.pe.authentihash - ignore_above: 1024 - level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. - type: keyword threat.indicator.file.pe.company: dashed_name: threat-indicator-file-pe-company description: Internal company name of the file, provided at compile-time. 
@@ -16870,113 +14657,6 @@ threat: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - threat.indicator.file.pe.compile_timestamp: - dashed_name: threat-indicator-file-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.file.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date - threat.indicator.file.pe.compiler.name: - dashed_name: threat-indicator-file-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: threat.indicator.file.pe.compiler.name - ignore_above: 1024 - level: extended - name: compiler.name - normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword - threat.indicator.file.pe.compiler.version: - dashed_name: threat-indicator-file-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: threat.indicator.file.pe.compiler.version - ignore_above: 1024 - level: extended - name: compiler.version - normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword - threat.indicator.file.pe.creation_date: - dashed_name: threat-indicator-file-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.file.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date - threat.indicator.file.pe.debug: - dashed_name: threat-indicator-file-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' 
- flat_name: threat.indicator.file.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested - threat.indicator.file.pe.debug.offset: - dashed_name: threat-indicator-file-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: threat.indicator.file.pe.debug.offset - ignore_above: 1024 - level: extended - name: debug.offset - normalize: [] - original_fieldset: pe - short: Debug offset information. - type: keyword - threat.indicator.file.pe.debug.size: - dashed_name: threat-indicator-file-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: threat.indicator.file.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long - threat.indicator.file.pe.debug.timestamp: - dashed_name: threat-indicator-file-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.file.pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date - threat.indicator.file.pe.debug.type: - dashed_name: threat-indicator-file-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.indicator.file.pe.debug.type - ignore_above: 1024 - level: extended - name: debug.type - normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. - type: keyword threat.indicator.file.pe.description: dashed_name: threat-indicator-file-pe-description description: Internal description of the file, provided at compile-time. 
@@ -16989,31 +14669,6 @@ threat: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword - threat.indicator.file.pe.entry_point: - dashed_name: threat-indicator-file-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: threat.indicator.file.pe.entry_point - ignore_above: 1024 - level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword - threat.indicator.file.pe.exports: - dashed_name: threat-indicator-file-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.indicator.file.pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword threat.indicator.file.pe.file_version: dashed_name: threat-indicator-file-pe-file-version description: Internal version of the file, provided at compile-time. @@ -17026,20 +14681,6 @@ threat: original_fieldset: pe short: Process name. type: keyword - threat.indicator.file.pe.icon.hash.dhash: - dashed_name: threat-indicator-file-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: threat.indicator.file.pe.icon.hash.dhash - ignore_above: 1024 - level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or - thumbnail. - type: keyword threat.indicator.file.pe.imphash: dashed_name: threat-indicator-file-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash 
@@ -17056,30 +14697,6 @@ threat: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - threat.indicator.file.pe.imports: - dashed_name: threat-indicator-file-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: threat.indicator.file.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened - threat.indicator.file.pe.machine_type: - dashed_name: threat-indicator-file-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: threat.indicator.file.pe.machine_type - ignore_above: 1024 - level: extended - name: machine_type - normalize: [] - original_fieldset: pe - short: Machine type of the PE file. - type: keyword threat.indicator.file.pe.original_file_name: dashed_name: threat-indicator-file-pe-original-file-name description: Internal name of the file, provided at compile-time. @@ -17092,19 +14709,6 @@ threat: original_fieldset: pe short: Internal name of the file, provided at compile-time. type: keyword - threat.indicator.file.pe.packers: - dashed_name: threat-indicator-file-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.indicator.file.pe.packers - ignore_above: 1024 - level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. - type: keyword threat.indicator.file.pe.product: dashed_name: threat-indicator-file-pe-product description: Internal product name of the file, provided at compile-time. 
@@ -17117,183 +14721,6 @@ threat: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - threat.indicator.file.pe.resources: - dashed_name: threat-indicator-file-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.indicator.file.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested - threat.indicator.file.pe.resources.chi2: - dashed_name: threat-indicator-file-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: threat.indicator.file.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - threat.indicator.file.pe.resources.entropy: - dashed_name: threat-indicator-file-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: threat.indicator.file.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long - threat.indicator.file.pe.resources.filetype: - dashed_name: threat-indicator-file-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: threat.indicator.file.pe.resources.filetype - ignore_above: 1024 - level: extended - name: resources.filetype - normalize: [] - original_fieldset: pe - short: File type of the resources section. - type: keyword - threat.indicator.file.pe.resources.language: - dashed_name: threat-indicator-file-pe-resources-language - description: Language identification. 
- example: CHINESE SIMPLIFIED - flat_name: threat.indicator.file.pe.resources.language - ignore_above: 1024 - level: extended - name: resources.language - normalize: [] - original_fieldset: pe - short: Language identification. - type: keyword - threat.indicator.file.pe.resources.sha256: - dashed_name: threat-indicator-file-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.indicator.file.pe.resources.sha256 - ignore_above: 1024 - level: extended - name: resources.sha256 - normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. - type: keyword - threat.indicator.file.pe.resources.type: - dashed_name: threat-indicator-file-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.indicator.file.pe.resources.type - ignore_above: 1024 - level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. - type: keyword - threat.indicator.file.pe.rich_header.hash.md5: - dashed_name: threat-indicator-file-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.indicator.file.pe.rich_header.hash.md5 - ignore_above: 1024 - level: extended - name: rich_header.hash.md5 - normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. 
- type: keyword - threat.indicator.file.pe.sections: - dashed_name: threat-indicator-file-pe-sections - description: Data about sections of compiled binary PE - flat_name: threat.indicator.file.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested - threat.indicator.file.pe.sections.chi2: - dashed_name: threat-indicator-file-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: threat.indicator.file.pe.sections.chi2 - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - threat.indicator.file.pe.sections.entropy: - dashed_name: threat-indicator-file-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: threat.indicator.file.pe.sections.entropy - level: extended - name: sections.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float - threat.indicator.file.pe.sections.flags: - dashed_name: threat-indicator-file-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: threat.indicator.file.pe.sections.flags - ignore_above: 1024 - level: extended - name: sections.flags - normalize: [] - original_fieldset: pe - short: Section flags of the file. - type: keyword - threat.indicator.file.pe.sections.name: - dashed_name: threat-indicator-file-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: threat.indicator.file.pe.sections.name - ignore_above: 1024 - level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: Section names of the file. 
- type: keyword - threat.indicator.file.pe.sections.raw_size: - dashed_name: threat-indicator-file-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: threat.indicator.file.pe.sections.raw_size - format: bytes - level: extended - name: sections.raw_size - normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long - threat.indicator.file.pe.sections.virtual_address: - dashed_name: threat-indicator-file-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: threat.indicator.file.pe.sections.virtual_address - format: bytes - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long threat.indicator.file.size: dashed_name: threat-indicator-file-size description: 'File size in bytes. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 95533648a..5169ded78 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json 
@@ -822,165 +822,29 @@ "ignore_above": 1024, "type": "keyword" }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, "company": { "ignore_above": 1024, "type": "keyword" }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, "description": { "ignore_above": 1024, "type": "keyword" }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, "file_version": { "ignore_above": 1024, "type": "keyword" }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, "imphash": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, "product": { "ignore_above": 1024, "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { - 
"properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" } } } 
@@ -1581,165 +1445,29 @@ "ignore_above": 1024, "type": "keyword" }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, "company": { "ignore_above": 1024, "type": "keyword" }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, "description": { "ignore_above": 1024, "type": "keyword" }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, "file_version": { "ignore_above": 1024, "type": "keyword" }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, "imphash": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, "product": { "ignore_above": 1024, "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { 
- "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" } } }, 
@@ -3059,165 +2787,29 @@ "ignore_above": 1024, "type": "keyword" }, - "authentihash": { + "company": { "ignore_above": 1024, "type": "keyword" }, - "company": { + "description": { "ignore_above": 1024, "type": "keyword" }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } + "file_version": { + "ignore_above": 1024, + "type": "keyword" }, "imphash": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, "product": { "ignore_above": 1024, "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - 
"properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" } } }, 
@@ -3270,165 +2862,29 @@ "ignore_above": 1024, "type": "keyword" }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, "company": { "ignore_above": 1024, "type": "keyword" }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, "description": { "ignore_above": 1024, "type": "keyword" }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, "file_version": { "ignore_above": 1024, "type": "keyword" }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, "imphash": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, "product": { "ignore_above": 1024, "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { 
- "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" } } }, 
@@ -4367,165 +3823,29 @@ "ignore_above": 1024, "type": "keyword" }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, "company": { "ignore_above": 1024, "type": "keyword" }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, "description": { "ignore_above": 1024, "type": "keyword" }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, "file_version": { "ignore_above": 1024, "type": "keyword" }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, "imphash": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, "product": { "ignore_above": 1024, "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { 
- "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" } } }, 
@@ -5305,165 +4625,29 @@ "ignore_above": 1024, "type": "keyword" }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, "company": { "ignore_above": 1024, "type": "keyword" }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, "description": { "ignore_above": 1024, "type": "keyword" }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, "file_version": { "ignore_above": 1024, "type": "keyword" }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, "imphash": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, "product": { "ignore_above": 1024, "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { 
- "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" } } }, diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json index 7c3a3da55..194190243 100644 --- a/experimental/generated/elasticsearch/component/dll.json +++ b/experimental/generated/elasticsearch/component/dll.json 
@@ -82,165 +82,29 @@ "ignore_above": 1024, "type": "keyword" }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, "company": { "ignore_above": 1024, "type": "keyword" }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, "description": { "ignore_above": 1024, "type": "keyword" }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, "file_version": { "ignore_above": 1024, "type": "keyword" }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, "imphash": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, "product": { "ignore_above": 1024, "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { - 
"properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" } } } diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json index 7feb3cd0f..216f5323c 100644 --- a/experimental/generated/elasticsearch/component/file.json +++ b/experimental/generated/elasticsearch/component/file.json 
@@ -264,165 +264,29 @@ "ignore_above": 1024, "type": "keyword" }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, "company": { "ignore_above": 1024, "type": "keyword" }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, "description": { "ignore_above": 1024, "type": "keyword" }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, "file_version": { "ignore_above": 1024, "type": "keyword" }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, "imphash": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, "product": { "ignore_above": 1024, "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { - 
"properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" } } }, diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json index 627687754..7ef40b65a 100644 --- a/experimental/generated/elasticsearch/component/process.json +++ b/experimental/generated/elasticsearch/component/process.json 
@@ -456,165 +456,29 @@ "ignore_above": 1024, "type": "keyword" }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, "company": { "ignore_above": 1024, "type": "keyword" }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, "description": { "ignore_above": 1024, "type": "keyword" }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, "file_version": { "ignore_above": 1024, "type": "keyword" }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, "imphash": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, "product": { "ignore_above": 1024, "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { - 
"properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" } } }, 
@@ -667,165 +531,29 @@ "ignore_above": 1024, "type": "keyword" }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, "company": { "ignore_above": 1024, "type": "keyword" }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, "description": { "ignore_above": 1024, "type": "keyword" }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, "file_version": { "ignore_above": 1024, "type": "keyword" }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, "imphash": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, "product": { "ignore_above": 1024, "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { - 
"properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" } } }, diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json index bc31872b2..d5ae504ab 100644 --- a/experimental/generated/elasticsearch/component/threat.json +++ b/experimental/generated/elasticsearch/component/threat.json 
@@ -306,165 +306,29 @@ "ignore_above": 1024, "type": "keyword" }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, "company": { "ignore_above": 1024, "type": "keyword" }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, "description": { "ignore_above": 1024, "type": "keyword" }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, "file_version": { "ignore_above": 1024, "type": "keyword" }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, "imphash": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, "product": { "ignore_above": 1024, "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { - 
"properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" } } }, 
@@ -1244,165 +1108,29 @@ "ignore_above": 1024, "type": "keyword" }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, "company": { "ignore_above": 1024, "type": "keyword" }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, "description": { "ignore_above": 1024, "type": "keyword" }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, "file_version": { "ignore_above": 1024, "type": "keyword" }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, "imphash": { "ignore_above": 1024, "type": "keyword" }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, "original_file_name": { "ignore_above": 1024, "type": "keyword" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, "product": { "ignore_above": 1024, "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sections": { 
- "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_size": { - "type": "long" - }, - "virtual_address": { - "type": "long" - } - }, - "type": "nested" } } }, diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml deleted file mode 100644 index b576e42f6..000000000 --- a/experimental/schemas/pe.yml +++ /dev/null 
@@ -1,228 +0,0 @@ ---- -- name: pe - - fields: - - name: icon.hash.dhash - level: extended - type: keyword - description: > - Difference Hash (dhash) to find files with a visually similar icon or thumbnail. - - example: b806e17c8e330d82 - - - name: debug - level: extended - type: nested - short: Debug information - description: > - An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix. - normalize: - - array - - - name: debug.offset - level: extended - type: keyword - description: Debug offset information. - example: 1296336 - - - name: debug.size - level: extended - type: long - format: bytes - description: Size of the debug information. - example: 816 - - - name: debug.type - level: extended - type: keyword - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - - - name: debug.timestamp - level: extended - type: date - description: Timestamp of the debug information. - example: "2020-11-05T17:25:47.000Z" - - - name: imports - level: extended - type: flattened - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }' - - - name: sections - level: extended - short: Data about sections of the compiled binary PE - description: > - Data about sections of compiled binary PE - type: nested - normalize: - - array - - - name: sections.chi2 - level: extended - description: Chi-square probability distribution. - type: long - example: 3027194 - - - name: sections.virtual_address - level: extended - description: Virtual address available to the file. - type: long - format: bytes - example: 8192 - - - name: sections.entropy - level: extended - description: Measurement of entropy randomness in the file. - type: float - example: 6.24 - - - name: sections.flags - level: extended - description: Section flags of the file. 
- type: keyword - example: rx - - - name: sections.name - level: extended - description: Section names of the file. - type: keyword - example: .text, .data - - - name: sections.raw_size - level: extended - description: Size of the section or the dize of the initialized data on disk. - type: long - format: bytes - example: 198144 - - - name: resources - level: extended - type: nested - short: PE resource information - description: > - An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix. - normalize: - - array - - - name: resources.chi2 - level: extended - description: Chi-square probability distribution. - type: long - example: -1 - - - name: resources.filetype - level: extended - description: File type of the resources section. - type: keyword - example: Data - - - name: resources.entropy - level: extended - description: Measurement of entropy randomness in the resources section. - type: long - example: 0, 1 - - - name: resources.sha256 - level: extended - description: SHA256 hash of resources section. - type: keyword - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - - - name: resources.language - level: extended - description: Language identification. - type: keyword - example: "CHINESE SIMPLIFIED" - - - name: resources.type - level: extended - type: keyword - short: List of resource types. - description: > - Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - normalize: - - array - - - name: exports - level: extended - type: keyword - description: > - List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - normalize: - - array - - - name: creation_date - level: extended - short: Build or compile date. - description: > - Extracted when possible from the file's metadata. Indicates when it was - built or compiled. It can also be faked by malware creators. 
- type: date - example: "2020-11-05T17:25:47.000Z" - - - name: authentihash - level: extended - description: > - Authentihash of the PE file. - type: keyword - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - - - name: compile_timestamp - level: extended - description: > - Compile timestamp of the PE file. - type: date - example: "2020-11-05T17:25:47.000Z" - - - name: compiler.name - level: extended - type: keyword - description: > - Name of the compiler - example: Clang - - - name: compiler.version - level: extended - type: keyword - description: > - Version of the compiler. - example: 11.0.0 - - - name: rich_header.hash.md5 - level: extended - type: keyword - description: > - MD5 hash of the header for the PE file. - - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - - - name: entry_point - level: extended - description: > - Relative byte offset to the base of the PE file. - type: keyword - example: 25856 - - - name: machine_type - level: extended - description: > - Machine type of the PE file. - type: keyword - example: "Intel 386 or later, and compatibles" - - - name: packers - level: extended - description: > - List of packers and tools used. - type: keyword - example: '["ASPack v2.12", ".NET executable"]' - normalize: - - array diff --git a/rfcs/text/0014-extend-file-pe.md b/rfcs/text/0014-extend-file-pe.md index f1cddf435..6bfcd30c0 100644 --- a/rfcs/text/0014-extend-file-pe.md +++ b/rfcs/text/0014-extend-file-pe.md 
@@ -1,10 +1,14 @@ # 0014: Extend the PE field set -- Stage: **1 (draft)** -- Date: **2021-02-08** +- Stage: **X (abandoned)** +- Date: **2021-11-18** The Portable Executable (PE) sub-field, of the `file` top-level fieldset, can be updated to include more file attributes to aid in file analysis. This additional document metadata can be used for malware research, as well as coding and other application development efforts. +## Stage X + +This RFC is not being worked on actively, and it has been marked as abandoned. If an individual wishes to advance it in the future, open a new pull request against this proposal. + ## Fields This RFC is to create 25 additional sub-fields within the `file.pe` fieldset. @@ -132,6 +136,7 @@ The following are the people that consulted on the contents of this RFC. * Stage 1: https://github.com/elastic/ecs/pull/1071 +* Stage X: https://github.com/elastic/ecs/pull/1670