Add DLL fieldset (#679)

elastic · Feb 12, 2020 · 0e4cdd3 · 0e4cdd3
1 parent 8cddc23
commit 0e4cdd3
Show file tree

Hide file tree

Showing 12 changed files with 448 additions and 1 deletion.
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -15,6 +15,7 @@ Thanks, you're awesome :-) -->
 #### Bugfixes
 
 #### Added
+* Added `dll.*` fields (#679)
 
 #### Improvements
 

diff --git a/code/go/ecs/dll.go b/code/go/ecs/dll.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -855,6 +855,82 @@ example: `co.uk`
 // ===============================================================
 
 
+|=====
+
+[[ecs-dll]]
+=== DLL Fields
+
+These fields contain information about code libraries dynamically loaded into processes.
+
+
+
+Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following:
+
+* Dynamic-link library (`.dll`) commonly used on Windows
+
+* Shared Object (`.so`) commonly used on Unix-like operating systems
+
+* Dynamic library (`.dylib`) commonly used on macOS
+
+==== DLL Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+| dll.name
+| Name of the library.
+
+This generally maps to the name of the file on disk.
+
+type: keyword
+
+
+
+example: `kernel32.dll`
+
+| core
+
+// ===============================================================
+
+| dll.path
+| Full file path of the library.
+
+type: keyword
+
+
+
+example: `C:\Windows\System32\kernel32.dll`
+
+| extended
+
+// ===============================================================
+
+|=====
+
+==== Field Reuse
+
+
+
+
+[[ecs-dll-nestings]]
+===== Field sets that can be nested under DLL
+
+[options="header"]
+|=====
+| Nested fields | Description
+
+// ===============================================================
+
+
+| <<ecs-hash,dll.hash.*>>
+| Hashes, usually file hashes.
+
+// ===============================================================
+
+
 |=====
 
 [[ecs-dns]]
@@ -2245,7 +2321,7 @@ type: keyword
 
 ==== Field Reuse
 
-The `hash` fields are expected to be nested at: `file.hash`, `process.hash`, `process.parent.hash`.
+The `hash` fields are expected to be nested at: `dll.hash`, `file.hash`, `process.hash`, `process.parent.hash`.
 
 Note also that the `hash` fields are not expected to be used directly at the top level.
 

diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
@@ -32,6 +32,8 @@ all fields are defined.
 
 | <<ecs-destination,Destination>> | Fields about the destination side of a network connection, used with source.
 
+| <<ecs-dll,DLL>> | These fields contain information about code libraries dynamically loaded into processes.
+
 | <<ecs-dns,DNS>> | Fields describing DNS queries and answers.
 
 | <<ecs-ecs,ECS>> | Meta-information specific to ECS.

diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
@@ -692,6 +692,63 @@
         default_field: false
       description: Short name or login of the user.
       example: albert
+  - name: dll
+    title: DLL
+    group: 2
+    description: 'These fields contain information about code libraries dynamically
+      loaded into processes.
+
+
+      Many operating systems refer to "shared code libraries" with different names,
+      but this field set refers to all of the following:
+
+      * Dynamic-link library (`.dll`) commonly used on Windows
+
+      * Shared Object (`.so`) commonly used on Unix-like operating systems
+
+      * Dynamic library (`.dylib`) commonly used on macOS'
+    type: group
+    fields:
+    - name: hash.md5
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: MD5 hash.
+      default_field: false
+    - name: hash.sha1
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA1 hash.
+      default_field: false
+    - name: hash.sha256
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA256 hash.
+      default_field: false
+    - name: hash.sha512
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: SHA512 hash.
+      default_field: false
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the library.
+
+        This generally maps to the name of the file on disk.'
+      example: kernel32.dll
+      default_field: false
+    - name: path
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Full file path of the library.
+      example: C:\Windows\System32\kernel32.dll
+      default_field: false
   - name: dns
     title: DNS
     group: 2

diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
@@ -90,6 +90,12 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifiers of the user.
 1.5.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
 1.5.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
+1.5.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
+1.5.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
+1.5.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
+1.5.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+1.5.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+1.5.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
 1.5.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
 1.5.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
 1.5.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.

diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
@@ -1110,6 +1110,80 @@ destination.user.name:
   original_fieldset: user
   short: Short name or login of the user.
   type: keyword
+dll.hash.md5:
+  dashed_name: dll-hash-md5
+  description: MD5 hash.
+  flat_name: dll.hash.md5
+  ignore_above: 1024
+  level: extended
+  name: md5
+  normalize: []
+  order: 0
+  original_fieldset: hash
+  short: MD5 hash.
+  type: keyword
+dll.hash.sha1:
+  dashed_name: dll-hash-sha1
+  description: SHA1 hash.
+  flat_name: dll.hash.sha1
+  ignore_above: 1024
+  level: extended
+  name: sha1
+  normalize: []
+  order: 1
+  original_fieldset: hash
+  short: SHA1 hash.
+  type: keyword
+dll.hash.sha256:
+  dashed_name: dll-hash-sha256
+  description: SHA256 hash.
+  flat_name: dll.hash.sha256
+  ignore_above: 1024
+  level: extended
+  name: sha256
+  normalize: []
+  order: 2
+  original_fieldset: hash
+  short: SHA256 hash.
+  type: keyword
+dll.hash.sha512:
+  dashed_name: dll-hash-sha512
+  description: SHA512 hash.
+  flat_name: dll.hash.sha512
+  ignore_above: 1024
+  level: extended
+  name: sha512
+  normalize: []
+  order: 3
+  original_fieldset: hash
+  short: SHA512 hash.
+  type: keyword
+dll.name:
+  dashed_name: dll-name
+  description: 'Name of the library.
+
+    This generally maps to the name of the file on disk.'
+  example: kernel32.dll
+  flat_name: dll.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  order: 0
+  short: Name of the library.
+  type: keyword
+dll.path:
+  dashed_name: dll-path
+  description: Full file path of the library.
+  example: C:\Windows\System32\kernel32.dll
+  flat_name: dll.path
+  ignore_above: 1024
+  level: extended
+  name: path
+  normalize: []
+  order: 1
+  short: Full file path of the library.
+  type: keyword
 dns.answers:
   dashed_name: dns-answers
   description: 'An array containing an object for each answer section returned by