elastic · webmat · Feb 12, 2020 · Dec 5, 2019 · Dec 6, 2019 · Dec 6, 2019
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -15,6 +15,7 @@ Thanks, you're awesome :-) -->
 #### Bugfixes
 
 #### Added
+* Added `library.*` fields (#679)
 
 * Add default `text` analyzer to `user_agent.original`. #575
 

diff --git a/code/go/ecs/lib.go b/code/go/ecs/lib.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -2180,6 +2180,45 @@ example: `1.1`
 
 |=====
 
+[[ecs-lib]]
+=== Shared Library Fields
+
+These fields contain information about dynamic or static code libraries, including both kernel-mode modules, and process modules.
+
+==== Shared Library Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+| lib.name
+| Name of the library.
+
+This generally maps to the name of the file on disk.
+
+type: keyword
+
+example: `kernel32.dll`
+
+| core
+
+// ===============================================================
+
+| lib.path
+| Full file path of the library.
+
+type: keyword
+
+example: `C:\Windows\System32\kernel32.dll`
+
+| extended
+
+// ===============================================================
+
+|=====
+
 [[ecs-log]]
 === Log Fields
 

diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
@@ -52,6 +52,8 @@ all fields are defined.
 
 | <<ecs-http,HTTP>> | Fields describing an HTTP request.
 
+| <<ecs-lib,Shared Library>> | These fields contain information about dynamic or static code libraries, including both kernel-mode modules, and process modules.
+
 | <<ecs-log,Log>> | Details about the event's logging mechanism.
 
 | <<ecs-network,Network>> | Fields describing the communication path over which the event happened.

diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
@@ -1653,6 +1653,27 @@
       ignore_above: 1024
       description: HTTP version.
       example: 1.1
+  - name: lib
+    title: Shared Library
+    group: 2
+    description: These fields contain information about dynamic or static code libraries,
+      including both kernel-mode modules, and process modules.
+    type: group
+    fields:
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the library.
+
+        This generally maps to the name of the file on disk.'
+      example: kernel32.dll
+    - name: path
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Full file path of the library.
+      example: C:\Windows\System32\kernel32.dll
   - name: log
     title: Log
     group: 2

diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
@@ -208,6 +208,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description
 1.4.0-dev,true,http,http.response.bytes,long,extended,1437,Total size in bytes of the response (body and headers).
 1.4.0-dev,true,http,http.response.status_code,long,extended,404,HTTP response status code.
 1.4.0-dev,true,http,http.version,keyword,extended,1.1,HTTP version.
+1.4.0-dev,true,lib,lib.name,keyword,core,kernel32.dll,Name of the library.
+1.4.0-dev,true,lib,lib.path,keyword,extended,C:\Windows\System32\kernel32.dll,Full file path of the library.
 1.4.0-dev,true,log,log.level,keyword,core,error,Log level of the log event.
 1.4.0-dev,true,log,log.logger,keyword,core,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
 1.4.0-dev,true,log,log.origin.file.line,integer,extended,42,The line number of the file which originated the log event.

diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
@@ -2358,6 +2358,28 @@ labels:
   order: 2
   short: Custom key/value pairs.
   type: object
+lib.name:
+  description: 'Name of the library.
+
+    This generally maps to the name of the file on disk.'
+  example: kernel32.dll
+  flat_name: lib.name
+  ignore_above: 1024
+  level: core
+  name: name
+  order: 0
+  short: Name of the library.
+  type: keyword
+lib.path:
+  description: Full file path of the library.
+  example: C:\Windows\System32\kernel32.dll
+  flat_name: lib.path
+  ignore_above: 1024
+  level: extended
+  name: path
+  order: 1
+  short: Full file path of the library.
+  type: keyword
 log.level:
   description: 'Original log level of the log event.
 

diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
@@ -2660,6 +2660,39 @@ http:
   short: Fields describing an HTTP request.
   title: HTTP
   type: group
+lib:
+  description: These fields contain information about dynamic or static code libraries,
+    including both kernel-mode modules, and process modules.
+  fields:
+    name:
+      description: 'Name of the library.
+
+        This generally maps to the name of the file on disk.'
+      example: kernel32.dll
+      flat_name: lib.name
+      ignore_above: 1024
+      level: core
+      name: name
+      order: 0
+      short: Name of the library.
+      type: keyword
+    path:
+      description: Full file path of the library.
+      example: C:\Windows\System32\kernel32.dll
+      flat_name: lib.path
+      ignore_above: 1024
+      level: extended
+      name: path
+      order: 1
+      short: Full file path of the library.
+      type: keyword
+  group: 2
+  name: lib
+  prefix: lib.
+  short: These fields contain information about dynamic or static code libraries,
+    including both kernel-mode modules, and process modules.
+  title: Shared Library
+  type: group
 log:
   description: 'Details about the event''s logging mechanism or logging transport.
 

diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
@@ -979,6 +979,18 @@
         "labels": {
           "type": "object"
         }, 
+        "lib": {
+          "properties": {
+            "name": {
+              "ignore_above": 1024, 
+              "type": "keyword"
+            }, 
+            "path": {
+              "ignore_above": 1024, 
+              "type": "keyword"
+            }
+          }
+        }, 
         "log": {
           "properties": {
             "level": {

diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
@@ -978,6 +978,18 @@
       "labels": {
         "type": "object"
       }, 
+      "lib": {
+        "properties": {
+          "name": {
+            "ignore_above": 1024, 
+            "type": "keyword"
+          }, 
+          "path": {
+            "ignore_above": 1024, 
+            "type": "keyword"
+          }
+        }
+      }, 
       "log": {
         "properties": {
           "level": {

diff --git a/schemas/lib.yml b/schemas/lib.yml
@@ -0,0 +1,24 @@
+---
+- name: lib
+  title: Shared Library
+  group: 2
+  description: These fields contain information about dynamic or static code libraries, including both kernel-mode modules, and process modules.
+  type: group
+
+  fields:
+
+    - name: name
+      level: core
+      type: keyword
+      short: Name of the library.
+      description: >
+        Name of the library.
+
+        This generally maps to the name of the file on disk.
+      example: kernel32.dll
+
+    - name: path
+      level: extended
+      type: keyword
+      description: Full file path of the library.
+      example: C:\Windows\System32\kernel32.dll