From 7f6588e7957e16134160588dc1e6136bb71cdbc4 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Fri, 24 Jan 2020 12:26:13 -0700 Subject: [PATCH 1/8] Add PE field set under file and process --- code/go/ecs/pe.go | 38 +++++ docs/field-details.asciidoc | 91 +++++++++++ docs/fields.asciidoc | 2 + generated/beats/fields.ecs.yml | 123 ++++++++++++++ generated/csv/fields.csv | 15 ++ generated/ecs/ecs_flat.yml | 192 ++++++++++++++++++++++ generated/ecs/ecs_nested.yml | 203 ++++++++++++++++++++++++ generated/elasticsearch/6/template.json | 72 +++++++++ generated/elasticsearch/7/template.json | 72 +++++++++ schemas/pe.yml | 50 ++++++ 10 files changed, 858 insertions(+) create mode 100644 code/go/ecs/pe.go create mode 100644 schemas/pe.yml diff --git a/code/go/ecs/pe.go b/code/go/ecs/pe.go new file mode 100644 index 0000000000..6e918b290a --- /dev/null +++ b/code/go/ecs/pe.go 
@@ -0,0 +1,38 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// These fields contain Windows PE (Portable Executable) metadata. +type Pe struct { + // Internal name of the file, provided at compile-time. + OriginalFileName string `ecs:"original_file_name"` + + // Internal version of the file, provided at compile-time. + FileVersion string `ecs:"file_version"` + + // Internal description of the file, provided at compile-time. + Description string `ecs:"description"` + + // Internal product name of the file, provided at compile-time. + Product string `ecs:"product"` + + // Internal company name of the file, provided at compile-time. + Company string `ecs:"company"` +} diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 6cdbbb963e..db2511dd4c 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -1725,6 +1725,12 @@ example: `1001` // =============================================================== +| <> +| These fields contain Windows PE (Portable Executable) metadata. + +// =============================================================== + + |===== [[ecs-geo]] 
@@ -3075,6 +3081,85 @@ example: `1.12.9` |===== +[[ecs-pe]] +=== PE Header Fields + +These fields contain Windows PE (Portable Executable) metadata. + +==== PE Header Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| pe.company +| Internal company name of the file, provided at compile-time. + +type: keyword + +example: `Microsoft Corporation` + +| extended + +// =============================================================== + +| pe.description +| Internal description of the file, provided at compile-time. + +type: keyword + +example: `Paint` + +| extended + +// =============================================================== + +| pe.file_version +| Internal version of the file, provided at compile-time. + +type: keyword + +example: `6.3.9600.17415` + +| extended + +// =============================================================== + +| pe.original_file_name +| Internal name of the file, provided at compile-time. + +type: keyword + +example: `MSPAINT.EXE` + +| extended + +// =============================================================== + +| pe.product +| Internal product name of the file, provided at compile-time. + +type: keyword + +example: `Microsoft® Windows® Operating System` + +| extended + +// =============================================================== + +|===== + +==== Field Reuse + +The `pe` fields are expected to be nested at: `file.pe`, `process.pe`. + +Note also that the `pe` fields are not expected to be used directly at the top level. + + + + [[ecs-process]] === Process Fields @@ -3527,6 +3612,12 @@ example: `/home/alice` // =============================================================== +| <> +| These fields contain Windows PE (Portable Executable) metadata. + +// =============================================================== + + |===== [[ecs-registry]] diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index c3a11635b1..4f1ae4a7de 100644 
--- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -64,6 +64,8 @@ all fields are defined. | <> | These fields contain information about an installed software package. +| <> | These fields contain Windows PE (Portable Executable) metadata. + | <> | These fields contain information about a process. | <> | Fields related to Windows Registry operations. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 98257e129d..33c8ca8c27 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1310,6 +1310,45 @@ description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + format: string + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + format: string + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + format: string + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + format: string + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: size level: extended type: long 
@@ -2348,6 +2387,51 @@ ignore_above: 1024 description: Package version example: 1.12.9 + - name: pe + title: PE Header + group: 2 + description: These fields contain Windows PE (Portable Executable) metadata. + type: group + fields: + - name: company + level: extended + type: keyword + ignore_above: 1024 + format: string + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: description + level: extended + type: keyword + ignore_above: 1024 + format: string + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: original_file_name + level: extended + type: keyword + ignore_above: 1024 + format: string + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: product + level: extended + type: keyword + ignore_above: 1024 + format: string + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: process title: Process group: 2 
@@ -2588,6 +2672,45 @@ description: The working directory of the process. example: /home/alice default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + format: string + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + format: string + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + format: string + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + format: string + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: pgid level: extended type: long diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 419079ffb6..bb3fadf23e 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -158,6 +158,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description 1.5.0-dev,true,file,file.owner,keyword,extended,alice,File owner's username. 1.5.0-dev,true,file,file.path,keyword,extended,/home/alice/example.png,"Full path to the file, including the file name." 1.5.0-dev,true,file,file.path.text,text,extended,/home/alice/example.png,"Full path to the file, including the file name." +1.5.0-dev,true,file,file.pe.company,keyword,extended,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.5.0-dev,true,file,file.pe.description,keyword,extended,Paint,"Internal description of the file, provided at compile-time." +1.5.0-dev,true,file,file.pe.file_version,keyword,extended,6.3.9600.17415,Process name. +1.5.0-dev,true,file,file.pe.original_file_name,keyword,extended,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.5.0-dev,true,file,file.pe.product,keyword,extended,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.5.0-dev,true,file,file.size,long,extended,16384,File size in bytes. 1.5.0-dev,true,file,file.target_path,keyword,extended,,Target path for symlinks. 1.5.0-dev,true,file,file.target_path.text,text,extended,,Target path for symlinks. 
@@ -298,6 +303,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description 1.5.0-dev,true,package,package.size,long,extended,62231,Package size in bytes. 1.5.0-dev,true,package,package.type,keyword,extended,rpm,Package type 1.5.0-dev,true,package,package.version,keyword,extended,1.12.9,Package version +1.5.0-dev,true,pe,pe.company,keyword,extended,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.5.0-dev,true,pe,pe.description,keyword,extended,Paint,"Internal description of the file, provided at compile-time." +1.5.0-dev,true,pe,pe.file_version,keyword,extended,6.3.9600.17415,Process name. +1.5.0-dev,true,pe,pe.original_file_name,keyword,extended,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.5.0-dev,true,pe,pe.product,keyword,extended,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.5.0-dev,true,process,process.args,keyword,extended,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. 1.5.0-dev,true,process,process.args_count,long,extended,4,Length of the process.args array. 1.5.0-dev,true,process,process.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
@@ -331,6 +341,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description 1.5.0-dev,true,process,process.parent.uptime,long,extended,1325,Seconds the process has been up. 1.5.0-dev,true,process,process.parent.working_directory,keyword,extended,/home/alice,The working directory of the process. 1.5.0-dev,true,process,process.parent.working_directory.text,text,extended,/home/alice,The working directory of the process. +1.5.0-dev,true,process,process.pe.company,keyword,extended,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.5.0-dev,true,process,process.pe.description,keyword,extended,Paint,"Internal description of the file, provided at compile-time." +1.5.0-dev,true,process,process.pe.file_version,keyword,extended,6.3.9600.17415,Process name. +1.5.0-dev,true,process,process.pe.original_file_name,keyword,extended,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.5.0-dev,true,process,process.pe.product,keyword,extended,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.5.0-dev,true,process,process.pgid,long,extended,,Identifier of the group of processes the process belongs to. 1.5.0-dev,true,process,process.pid,long,core,4242,Process id. 1.5.0-dev,true,process,process.ppid,long,extended,4241,Parent process' pid. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 712aa5e6c0..b900cfcc89 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -2190,6 +2190,70 @@ file.path: order: 4 short: Full path to the file, including the file name. type: keyword +file.pe.company: + dashed_name: file-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: file.pe.company + format: string + ignore_above: 1024 + level: extended + name: company + order: 4 + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +file.pe.description: + dashed_name: file-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: file.pe.description + format: string + ignore_above: 1024 + level: extended + name: description + order: 2 + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +file.pe.file_version: + dashed_name: file-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: file.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + order: 1 + original_fieldset: pe + short: Process name. + type: keyword +file.pe.original_file_name: + dashed_name: file-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: file.pe.original_file_name + format: string + ignore_above: 1024 + level: extended + name: original_file_name + order: 0 + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +file.pe.product: + dashed_name: file-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: file.pe.product + format: string + ignore_above: 1024 + level: extended + name: product + order: 3 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword file.size: dashed_name: file-size description: 'File size in bytes. 
@@ -3843,6 +3907,70 @@ package.version: order: 1 short: Package version type: keyword +pe.company: + dashed_name: pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: pe.company + format: string + ignore_above: 1024 + level: extended + name: company + order: 4 + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +pe.description: + dashed_name: pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: pe.description + format: string + ignore_above: 1024 + level: extended + name: description + order: 2 + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +pe.file_version: + dashed_name: pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: pe.file_version + ignore_above: 1024 + level: extended + name: file_version + order: 1 + original_fieldset: pe + short: Process name. + type: keyword +pe.original_file_name: + dashed_name: pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: pe.original_file_name + format: string + ignore_above: 1024 + level: extended + name: original_file_name + order: 0 + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +pe.product: + dashed_name: pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: pe.product + format: string + ignore_above: 1024 + level: extended + name: product + order: 3 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword process.args: dashed_name: process-args description: 'Array of process arguments, starting with the absolute path to the 
@@ -4190,6 +4318,70 @@ process.parent.working_directory: order: 27 short: The working directory of the process. type: keyword +process.pe.company: + dashed_name: process-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.pe.company + format: string + ignore_above: 1024 + level: extended + name: company + order: 4 + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +process.pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.pe.description + format: string + ignore_above: 1024 + level: extended + name: description + order: 2 + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +process.pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + order: 1 + original_fieldset: pe + short: Process name. + type: keyword +process.pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name + format: string + ignore_above: 1024 + level: extended + name: original_file_name + order: 0 + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +process.pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. 
+ example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: process.pe.product + format: string + ignore_above: 1024 + level: extended + name: product + order: 3 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword process.pgid: dashed_name: process-pgid description: Identifier of the group of processes the process belongs to. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 3403d3cb49..cf8e49d641 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -2426,6 +2426,70 @@ file: order: 4 short: Full path to the file, including the file name. type: keyword + pe.company: + dashed_name: file-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: file.pe.company + format: string + ignore_above: 1024 + level: extended + name: company + order: 4 + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + pe.description: + dashed_name: file-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: file.pe.description + format: string + ignore_above: 1024 + level: extended + name: description + order: 2 + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + pe.file_version: + dashed_name: file-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: file.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + order: 1 + original_fieldset: pe + short: Process name. + type: keyword + pe.original_file_name: + dashed_name: file-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: file.pe.original_file_name + format: string + ignore_above: 1024 + level: extended + name: original_file_name + order: 0 + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + pe.product: + dashed_name: file-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: file.pe.product + format: string + ignore_above: 1024 + level: extended + name: product + order: 3 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword size: dashed_name: file-size description: 'File size in bytes. @@ -2479,6 +2543,7 @@ file: name: file nestings: - hash + - pe prefix: file. short: Fields describing files. title: File 
@@ -4212,6 +4277,79 @@ package: short: These fields contain information about an installed software package. title: Package type: group +pe: + description: These fields contain Windows PE (Portable Executable) metadata. + fields: + company: + dashed_name: pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: pe.company + format: string + ignore_above: 1024 + level: extended + name: company + order: 4 + short: Internal company name of the file, provided at compile-time. + type: keyword + description: + dashed_name: pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: pe.description + format: string + ignore_above: 1024 + level: extended + name: description + order: 2 + short: Internal description of the file, provided at compile-time. + type: keyword + file_version: + dashed_name: pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: pe.file_version + ignore_above: 1024 + level: extended + name: file_version + order: 1 + short: Process name. + type: keyword + original_file_name: + dashed_name: pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: pe.original_file_name + format: string + ignore_above: 1024 + level: extended + name: original_file_name + order: 0 + short: Internal name of the file, provided at compile-time. + type: keyword + product: + dashed_name: pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: pe.product + format: string + ignore_above: 1024 + level: extended + name: product + order: 3 + short: Internal product name of the file, provided at compile-time. + type: keyword + group: 2 + name: pe + prefix: pe. 
+ reusable: + expected: + - file + - process + top_level: false + short: These fields contain Windows PE (Portable Executable) metadata. + title: PE Header + type: group process: description: 'These fields contain information about a process. 
@@ -4566,6 +4704,70 @@ process: order: 27 short: The working directory of the process. type: keyword + pe.company: + dashed_name: process-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: process.pe.company + format: string + ignore_above: 1024 + level: extended + name: company + order: 4 + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + pe.description: + dashed_name: process-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: process.pe.description + format: string + ignore_above: 1024 + level: extended + name: description + order: 2 + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + pe.file_version: + dashed_name: process-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: process.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + order: 1 + original_fieldset: pe + short: Process name. + type: keyword + pe.original_file_name: + dashed_name: process-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: process.pe.original_file_name + format: string + ignore_above: 1024 + level: extended + name: original_file_name + order: 0 + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + pe.product: + dashed_name: process-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: process.pe.product + format: string + ignore_above: 1024 + level: extended + name: product + order: 3 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword pgid: dashed_name: process-pgid description: Identifier of the group of processes the process belongs to. @@ -4678,6 +4880,7 @@ process: name: process nestings: - hash + - pe prefix: process. short: These fields contain information about a process. title: Process diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 73913739e4..07e8148442 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -751,6 +751,30 @@ "ignore_above": 1024, "type": "keyword" }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "size": { "type": "long" }, @@ -1426,6 +1450,30 @@ } } }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "process": { "properties": { "args": { @@ -1578,6 +1626,30 @@ } } }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "pgid": { "type": "long" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index a509ae3619..c78b2347de 100644 
--- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -750,6 +750,30 @@ "ignore_above": 1024, "type": "keyword" }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "size": { "type": "long" }, @@ -1425,6 +1449,30 @@ } } }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "process": { "properties": { "args": { @@ -1577,6 +1625,30 @@ } } }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "pgid": { "type": "long" }, diff --git a/schemas/pe.yml b/schemas/pe.yml new file mode 100644 index 0000000000..48f39ca03d --- /dev/null +++ b/schemas/pe.yml 
@@ -0,0 +1,50 @@ +--- +- name: pe + title: PE Header + group: 2 + description: These fields contain Windows PE (Portable Executable) metadata. + type: group + reusable: + top_level: false + expected: + - file + - process + fields: + + - name: original_file_name + format: string + level: extended + type: keyword + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + + + - name: file_version + level: extended + type: keyword + short: Process name. + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + + + - name: description + format: string + level: extended + type: keyword + description: Internal description of the file, provided at compile-time. + example: Paint + + - name: product + format: string + level: extended + type: keyword + description: Internal product name of the file, provided at compile-time. + example: Microsoft® Windows® Operating System + + + - name: company + format: string + level: extended + type: keyword + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation From 89b66e64784639ad075c0938792c60071708d6aa Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Fri, 24 Jan 2020 12:28:01 -0700 Subject: [PATCH 2/8] Add PE to changelog --- CHANGELOG.next.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 161fe3144b..9a197adde1 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,6 +16,8 @@ Thanks, you're awesome :-) --> #### Added +* Fieldset for PE metadata. #731 + #### Improvements * Temporary workaround for Beats templates' `default_field` growing too big. #687 From 9e8d7b2e4a648f5d77d5616014471d87f5eae4cb Mon Sep 17 00:00:00 2001 
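Review bot: The `file_version` entry carries `short: Process name.`, a copy-paste leftover that contradicts its own `description:` and is the text every generated artifact then picks up — the CSV description column for `file.pe.file_version`, `pe.file_version` and `process.pe.file_version`, and the `short:` of those same keys in ecs_flat.yml and ecs_nested.yml, all read "Process name." Drop the `short:` line (the description is short enough to serve as the summary) or set `short: Internal version of the file, provided at compile-time.` to match the other four fields, then rebuild the generated files. It would also help consumers if the `description:` of the `pe` group noted that these values come from the binary's version resource and are whatever the builder chose to put there, so they describe what the file claims about itself rather than anything verified against the file's contents or signature.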
From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Fri, 24 Jan 2020 12:39:13 -0700 Subject: [PATCH 3/8] Put acronym in parentheses --- schemas/pe.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/pe.yml b/schemas/pe.yml index 48f39ca03d..e1f32fdb27 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml @@ -2,7 +2,7 @@ - name: pe title: PE Header group: 2 - description: These fields contain Windows PE (Portable Executable) metadata. + description: These fields contain Windows Portable Executable (PE) metadata. type: group reusable: top_level: false From 9c89f4d747f300c4e1e93bec7ad22ae69d6f8e9d Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Tue, 4 Feb 2020 12:55:10 -0700 Subject: [PATCH 4/8] Rebuild after yaml change --- code/go/ecs/pe.go | 2 +- docs/field-details.asciidoc | 6 +++--- docs/fields.asciidoc | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/ecs/ecs_nested.yml | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/code/go/ecs/pe.go b/code/go/ecs/pe.go index 6e918b290a..983585597a 100644 --- a/code/go/ecs/pe.go +++ b/code/go/ecs/pe.go @@ -19,7 +19,7 @@ package ecs -// These fields contain Windows PE (Portable Executable) metadata. +// These fields contain Windows Portable Executable (PE) metadata. type Pe struct { // Internal name of the file, provided at compile-time. OriginalFileName string `ecs:"original_file_name"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index db2511dd4c..2161515e1a 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -1726,7 +1726,7 @@ example: `1001` | <> -| These fields contain Windows PE (Portable Executable) metadata. +| These fields contain Windows Portable Executable (PE) metadata. // =============================================================== 
@@ -3084,7 +3084,7 @@ example: `1.12.9` [[ecs-pe]] === PE Header Fields -These fields contain Windows PE (Portable Executable) metadata. +These fields contain Windows Portable Executable (PE) metadata. ==== PE Header Field Details @@ -3613,7 +3613,7 @@ example: `/home/alice` | <> -| These fields contain Windows PE (Portable Executable) metadata. +| These fields contain Windows Portable Executable (PE) metadata. // =============================================================== diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index 4f1ae4a7de..68ebc8179d 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -64,7 +64,7 @@ all fields are defined. | <> | These fields contain information about an installed software package. -| <> | These fields contain Windows PE (Portable Executable) metadata. +| <> | These fields contain Windows Portable Executable (PE) metadata. | <> | These fields contain information about a process. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 33c8ca8c27..b2ffc5ade7 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -2390,7 +2390,7 @@ - name: pe title: PE Header group: 2 - description: These fields contain Windows PE (Portable Executable) metadata. + description: These fields contain Windows Portable Executable (PE) metadata. type: group fields: - name: company diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index cf8e49d641..e4878fa914 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -4278,7 +4278,7 @@ package: title: Package type: group pe: - description: These fields contain Windows PE (Portable Executable) metadata. + description: These fields contain Windows Portable Executable (PE) metadata. fields: company: dashed_name: pe-company 
@@ -4347,7 +4347,7 @@ pe: - file - process top_level: false - short: These fields contain Windows PE (Portable Executable) metadata. + short: These fields contain Windows Portable Executable (PE) metadata. title: PE Header type: group process: From faceb1c752c5ffa23f20062a44f628a5474d8dea Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Fri, 7 Feb 2020 10:56:52 -0700 Subject: [PATCH 5/8] PE: Remove format: string --- schemas/pe.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/schemas/pe.yml b/schemas/pe.yml index e1f32fdb27..3ace3362d2 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml @@ -12,7 +12,6 @@ fields: - name: original_file_name - format: string level: extended type: keyword description: Internal name of the file, provided at compile-time. @@ -28,7 +27,6 @@ - name: description - format: string level: extended type: keyword description: Internal description of the file, provided at compile-time. @@ -43,7 +41,6 @@ - name: company - format: string level: extended type: keyword description: Internal company name of the file, provided at compile-time. From 9df5b299c7fef212b15e3d1beb8c450bbaa89ad7 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Wed, 12 Feb 2020 14:03:37 -0700 Subject: [PATCH 6/8] Nest dll.pe --- schemas/pe.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/schemas/pe.yml b/schemas/pe.yml index 3ace3362d2..44014374d2 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml @@ -8,6 +8,7 @@ top_level: false expected: - file + - dll - process fields: From 4da7e789995121cca0803533b5b61ba94cdef487 Mon Sep 17 00:00:00 2001 
From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Wed, 12 Feb 2020 14:04:49 -0700 Subject: [PATCH 7/8] Format changelog, regen --- CHANGELOG.next.md | 1 - docs/field-details.asciidoc | 8 ++- generated/beats/fields.ecs.yml | 36 +++++++++++++ generated/csv/fields.csv | 5 ++ generated/ecs/ecs_flat.yml | 66 ++++++++++++++++++++++++ generated/ecs/ecs_nested.yml | 68 +++++++++++++++++++++++++ generated/elasticsearch/6/template.json | 24 +++++++++ generated/elasticsearch/7/template.json | 24 +++++++++ 8 files changed, 230 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index f5bca874ef..ef3e354452 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,7 +16,6 @@ Thanks, you're awesome :-) --> #### Added * Added `dll.*` fields (#679) - * Fieldset for PE metadata. #731 #### Improvements diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index e4760f5850..10dd88f038 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -931,6 +931,12 @@ example: `C:\Windows\System32\kernel32.dll` // =============================================================== +| <> +| These fields contain Windows Portable Executable (PE) metadata. + +// =============================================================== + + |===== [[ecs-dns]] @@ -3673,7 +3679,7 @@ example: `Microsoft® Windows® Operating System` ==== Field Reuse -The `pe` fields are expected to be nested at: `file.pe`, `process.pe`. +The `pe` fields are expected to be nested at: `dll.pe`, `file.pe`, `process.pe`. Note also that the `pe` fields are not expected to be used directly at the top level. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 5ed2f3bd83..a666727f5f 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -749,6 +749,42 @@ description: Full file path of the library. example: C:\Windows\System32\kernel32.dll default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + format: string + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: dns title: DNS group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index ce344fd42e..4af0e4ebe8 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -96,6 +96,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. 1.5.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. 1.5.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +1.5.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.5.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.5.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.5.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.5.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.5.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 1.5.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. 1.5.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index f2fc4f50bf..70561583e8 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1184,6 +1184,72 @@ dll.path: order: 1 short: Full file path of the library. type: keyword +dll.pe.company: + dashed_name: dll-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: dll.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + order: 4 + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +dll.pe.description: + dashed_name: dll-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: dll.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + order: 2 + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +dll.pe.file_version: + dashed_name: dll-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: dll.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + order: 1 + original_fieldset: pe + short: Process name. + type: keyword +dll.pe.original_file_name: + dashed_name: dll-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: dll.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + order: 0 + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +dll.pe.product: + dashed_name: dll-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: dll.pe.product + format: string + ignore_above: 1024 + level: extended + name: product + normalize: [] + order: 3 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword dns.answers: dashed_name: dns-answers description: 'An array containing an object for each answer section returned by diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index b3cda2ac67..7d7d8f6589 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -1364,10 +1364,77 @@ dll: order: 1 short: Full file path of the library. type: keyword + pe.company: + dashed_name: dll-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: dll.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + order: 4 + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + pe.description: + dashed_name: dll-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: dll.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + order: 2 + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + pe.file_version: + dashed_name: dll-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: dll.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + order: 1 + original_fieldset: pe + short: Process name. + type: keyword + pe.original_file_name: + dashed_name: dll-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: dll.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + order: 0 + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + pe.product: + dashed_name: dll-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: dll.pe.product + format: string + ignore_above: 1024 + level: extended + name: product + normalize: [] + order: 3 + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword group: 2 name: dll nestings: - hash + - pe prefix: dll. short: These fields contain information about code libraries dynamically loaded into processes. @@ -4738,6 +4805,7 @@ pe: reusable: expected: - file + - dll - process top_level: false short: These fields contain Windows Portable Executable (PE) metadata. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 823e56afe9..2bb1fab8bc 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -488,6 +488,30 @@ "path": { "ignore_above": 1024, "type": "keyword" + }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 6c4540b495..7c2e8e7d7a 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -487,6 +487,30 @@ "path": { "ignore_above": 1024, "type": "keyword" + }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, From 08b22fd2960bfb105937237cc3c8a371b288275d Mon Sep 17 00:00:00 2001 
From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Wed, 12 Feb 2020 14:06:03 -0700 Subject: [PATCH 8/8] Remove format:string --- generated/beats/fields.ecs.yml | 4 ---- generated/ecs/ecs_flat.yml | 4 ---- generated/ecs/ecs_nested.yml | 4 ---- schemas/pe.yml | 1 - 4 files changed, 13 deletions(-) diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index a666727f5f..8a66797378 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -781,7 +781,6 @@ level: extended type: keyword ignore_above: 1024 - format: string description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false @@ -1435,7 +1434,6 @@ level: extended type: keyword ignore_above: 1024 - format: string description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false @@ -2515,7 +2513,6 @@ level: extended type: keyword ignore_above: 1024 - format: string description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false @@ -2815,7 +2812,6 @@ level: extended type: keyword ignore_above: 1024 - format: string description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 70561583e8..2311f18445 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1241,7 +1241,6 @@ dll.pe.product: description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" flat_name: dll.pe.product - format: string ignore_above: 1024 level: extended name: product 
@@ -2541,7 +2540,6 @@ file.pe.product: description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" flat_name: file.pe.product - format: string ignore_above: 1024 level: extended name: product @@ -4394,7 +4392,6 @@ pe.product: description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" flat_name: pe.product - format: string ignore_above: 1024 level: extended name: product @@ -4882,7 +4879,6 @@ process.pe.product: description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" flat_name: process.pe.product - format: string ignore_above: 1024 level: extended name: product diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 7d7d8f6589..c0016813c9 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1421,7 +1421,6 @@ dll: description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" flat_name: dll.pe.product - format: string ignore_above: 1024 level: extended name: product @@ -2805,7 +2804,6 @@ file: description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" flat_name: file.pe.product - format: string ignore_above: 1024 level: extended name: product @@ -4791,7 +4789,6 @@ pe: description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" flat_name: pe.product - format: string ignore_above: 1024 level: extended name: product @@ -5297,7 +5294,6 @@ process: description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" flat_name: process.pe.product - format: string ignore_above: 1024 level: extended name: product 
diff --git a/schemas/pe.yml b/schemas/pe.yml index 44014374d2..ccc11289fe 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml @@ -34,7 +34,6 @@ example: Paint - name: product - format: string level: extended type: keyword description: Internal product name of the file, provided at compile-time.