Add DLL fieldset

CHANGELOG.next.md

@@ -15,6 +15,7 @@ Thanks, you're awesome :-) -->
 #### Bugfixes
 
 #### Added
+* Added `dll.*` fields (#679)
 
 #### Improvements
 

docs/field-details.asciidoc

@@ -855,6 +855,51 @@ example: `co.uk`
 // ===============================================================
 
 
+|=====
+
+[[ecs-dll]]
+=== DLL Fields
+
+These fields contain information about loaded process modules.
+
+Many operating systems call process modules different names, but this field set refers all of the following: * Dynamic-link library (`.dll`) commonly used in Windows * Shared Object (`.so`) commonly used in Unix-like operating systems * Dynamic library (`.dylib`) commonly used in macOS
+
+==== DLL Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+| dll.name
+| Name of the library.
+
+This generally maps to the name of the file on disk.
+
+type: keyword
+
+
+
+example: `kernel32.dll`
+
+| core
+
+// ===============================================================
+
+| dll.path
+| Full file path of the library.
+
+type: keyword
+
+
+
+example: `C:\Windows\System32\kernel32.dll`
+
+| extended
+
+// ===============================================================
+
 |=====
 
 [[ecs-dns]]

docs/fields.asciidoc

@@ -32,6 +32,8 @@ all fields are defined.
 
 | <<ecs-destination,Destination>> | Fields about the destination side of a network connection, used with source.
 
+| <<ecs-dll,DLL>> | These fields contain information about loaded process modules.
+
 | <<ecs-dns,DNS>> | Fields describing DNS queries and answers.
 
 | <<ecs-ecs,ECS>> | Meta-information specific to ECS.

generated/beats/fields.ecs.yml

@@ -692,6 +692,33 @@
         default_field: false
       description: Short name or login of the user.
       example: albert
+  - name: dll
+    title: DLL
+    group: 2
+    description: 'These fields contain information about loaded process modules.
+
+      Many operating systems call process modules different names, but this field
+      set refers all of the following: * Dynamic-link library (`.dll`) commonly used
+      in Windows * Shared Object (`.so`) commonly used in Unix-like operating systems
+      * Dynamic library (`.dylib`) commonly used in macOS'
+    type: group
+    fields:
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the library.
+
+        This generally maps to the name of the file on disk.'
+      example: kernel32.dll
+      default_field: false
+    - name: path
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Full file path of the library.
+      example: C:\Windows\System32\kernel32.dll
+      default_field: false
   - name: dns
     title: DNS
     group: 2

generated/csv/fields.csv

@@ -90,6 +90,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifiers of the user.
 1.5.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user.
 1.5.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
+1.5.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+1.5.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
 1.5.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers.
 1.5.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record.
 1.5.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource.

generated/ecs/ecs_flat.yml

@@ -1110,6 +1110,32 @@ destination.user.name:
   original_fieldset: user
   short: Short name or login of the user.
   type: keyword
+dll.name:
+  dashed_name: dll-name
+  description: 'Name of the library.
+
+    This generally maps to the name of the file on disk.'
+  example: kernel32.dll
+  flat_name: dll.name
+  ignore_above: 1024
+  level: core
+  name: name
+  normalize: []
+  order: 0
+  short: Name of the library.
+  type: keyword
+dll.path:
+  dashed_name: dll-path
+  description: Full file path of the library.
+  example: C:\Windows\System32\kernel32.dll
+  flat_name: dll.path
+  ignore_above: 1024
+  level: extended
+  name: path
+  normalize: []
+  order: 1
+  short: Full file path of the library.
+  type: keyword
 dns.answers:
   dashed_name: dns-answers
   description: 'An array containing an object for each answer section returned by

generated/ecs/ecs_nested.yml

@@ -1276,6 +1276,46 @@ destination:
   short: Fields about the destination side of a network connection, used with source.
   title: Destination
   type: group
+dll:
+  description: 'These fields contain information about loaded process modules.
+
+    Many operating systems call process modules different names, but this field set
+    refers all of the following: * Dynamic-link library (`.dll`) commonly used in
+    Windows * Shared Object (`.so`) commonly used in Unix-like operating systems *
+    Dynamic library (`.dylib`) commonly used in macOS'
+  fields:
+    name:
+      dashed_name: dll-name
+      description: 'Name of the library.
+
+        This generally maps to the name of the file on disk.'
+      example: kernel32.dll
+      flat_name: dll.name
+      ignore_above: 1024
+      level: core
+      name: name
+      normalize: []
+      order: 0
+      short: Name of the library.
+      type: keyword
+    path:
+      dashed_name: dll-path
+      description: Full file path of the library.
+      example: C:\Windows\System32\kernel32.dll
+      flat_name: dll.path
+      ignore_above: 1024
+      level: extended
+      name: path
+      normalize: []
+      order: 1
+      short: Full file path of the library.
+      type: keyword
+  group: 2
+  name: dll
+  prefix: dll.
+  short: These fields contain information about loaded process modules.
+  title: DLL
+  type: group
 dns:
   description: 'Fields describing DNS queries and answers.
 

generated/elasticsearch/6/template.json

@@ -459,6 +459,18 @@
             }
           }
         },
+        "dll": {
+          "properties": {
+            "name": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "path": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
+        },
         "dns": {
           "properties": {
             "answers": {

generated/elasticsearch/7/template.json

@@ -458,6 +458,18 @@
           }
         }
       },
+      "dll": {
+        "properties": {
+          "name": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
+          "path": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          }
+        }
+      },
       "dns": {
         "properties": {
           "answers": {

schemas/dll.yml

@@ -0,0 +1,31 @@
+---
+- name: dll
+  title: DLL
+  group: 2
+  short: These fields contain information about loaded process modules.
+  description: >
+    These fields contain information about loaded process modules.
+
+    Many operating systems call process modules different names, but this field set refers all of the following:
+    * Dynamic-link library (`.dll`) commonly used in Windows
+    * Shared Object (`.so`) commonly used in Unix-like operating systems
+    * Dynamic library (`.dylib`) commonly used in macOS
+  type: group
+
+  fields:
+
+    - name: name
+      level: core
+      type: keyword
+      short: Name of the library.
+      description: >
+        Name of the library.
+
+        This generally maps to the name of the file on disk.
+      example: kernel32.dll
+
+    - name: path
+      level: extended
+      type: keyword
+      description: Full file path of the library.
+      example: C:\Windows\System32\kernel32.dll