Add DLL fieldset

[rw-access]

Closes #675

Added a field set for code libraries/modules, which could be used for DLL loads into a process, but also for driver loads into the kernel if we go that route. I think those should go in a separate field set.

• dll.* chosen as the name, but I'm willing to change it for anything better we have in mind
• dll.name
• dll.process

PE fields (#676) can also be nested here, as well as hash.*. That'll likely happen in a PR that solves PE, or in this one, depending on which is done first.

[andrewstucki]

At least changes on removing the comment accidentally copied from schemas/process.yml into the new definition. The other stuff is more for discussion.

No more bad copy :)

[webmat]

I think APM should chime in on this as well. @simitt or @graphaelli do you think there would be a need for library.* as well in APM? Would the semantics proposed here be ok?

Note that we can keep building on this, missing fields wouldn't be a problem.

[webmat]

Another thing to point out here is that typically we break down the file paths that may be suspicious to help with detections, and we have a single field with the full file path whenever the path is more informational and not necessarily suspicious.

With that in mind, do you think we should instead nest file at library.file.*? We can also consider this later. Adding library.file.* besides library.path is not a breaking change. We could deprecate the former and take it out in ECS 2.0

[rw-access]

I renamed to DLL to maintain clarity and avoid scope creep.

[webmat]

Overall I'm good with the approach here, I have a few things I'd like to address first, though. See the comments.

Thanks Ross!

[webmat]

Thanks for these adjustments. I have one further tweak I'd like to discuss, in the phrasing of the field set description, as well as one nitpick.

Don't forget to run make to re-generate everything, on the last commit.

We can merge after this. It's looking good :-)

[webmat]

LGTM, thanks for the adjustments!