File
Fields describing files.
Fields
Field Summary
| Field | Type | Level | Description |
|---|---|---|---|
file.accessed | date | Extended | Last time the file was accessed. |
file.attributes | keyword | Extended | Array of file attributes. |
file.code_signature.digest_algorithm | keyword | Extended | Hashing algorithm used to sign the process. |
file.code_signature.exists | boolean | Core | Boolean to capture if a signature is present. |
file.code_signature.flags | keyword | Extended | Code signing flags of the process |
file.code_signature.signing_id | keyword | Extended | The identifier used to sign the process. |
file.code_signature.status | keyword | Extended | Additional information about the certificate status. |
file.code_signature.subject_name | keyword | Core | Subject name of the code signer |
file.code_signature.team_id | keyword | Extended | The team identifier used to sign the process. |
file.code_signature.timestamp | date | Extended | When the signature was generated and signed. |
file.code_signature.trusted | boolean | Extended | Stores the trust status of the certificate chain. |
file.code_signature.valid | boolean | Extended | Boolean to capture if the digital signature is verified against the binary content. |
file.created | date | Extended | File creation time. |
file.ctime | date | Extended | Last time the file attributes or metadata changed. |
file.device | keyword | Extended | Device that is the source of the file. |
file.directory | keyword | Extended | Directory where the file is located. |
file.drive_letter | keyword | Extended | Drive letter where the file is located. |
file.elf.architecture | keyword | Extended | Machine architecture of the ELF file. |
file.elf.byte_order | keyword | Extended | Byte sequence of ELF file. |
file.elf.cpu_type | keyword | Extended | CPU type of the ELF file. |
file.elf.creation_date | date | Extended | Build or compile date. |
file.elf.exports | flattened | Extended | List of exported element names and types. |
file.elf.go_import_hash | keyword | Extended | A hash of the Go language imports in an ELF file. |
file.elf.go_imports | flattened | Extended | List of imported Go language element names and types. |
file.elf.go_imports_names_entropy | long | Extended | Shannon entropy calculation from the list of Go imports. |
file.elf.go_imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of Go imports. |
file.elf.go_stripped | boolean | Extended | Whether the file is a stripped or obfuscated Go executable. |
file.elf.header.abi_version | keyword | Extended | Version of the ELF Application Binary Interface (ABI). |
file.elf.header.class | keyword | Extended | Header class of the ELF file. |
file.elf.header.data | keyword | Extended | Data table of the ELF header. |
file.elf.header.entrypoint | long | Extended | Header entrypoint of the ELF file. |
file.elf.header.object_version | keyword | Extended | "0x1" for original ELF files. |
file.elf.header.os_abi | keyword | Extended | Application Binary Interface (ABI) of the Linux OS. |
file.elf.header.type | keyword | Extended | Header type of the ELF file. |
file.elf.header.version | keyword | Extended | Version of the ELF header. |
file.elf.import_hash | keyword | Extended | A hash of the imports in an ELF file. |
file.elf.imports | flattened | Extended | List of imported element names and types. |
file.elf.imports_names_entropy | long | Extended | Shannon entropy calculation from the list of imported element names and types. |
file.elf.imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of imported element names and types. |
file.elf.sections | nested | Extended | Section information of the ELF file. |
file.elf.sections.chi2 | long | Extended | Chi-square probability distribution of the section. |
file.elf.sections.entropy | long | Extended | Shannon entropy calculation from the section. |
file.elf.sections.flags | keyword | Extended | ELF Section List flags. |
file.elf.sections.name | keyword | Extended | ELF Section List name. |
file.elf.sections.physical_offset | keyword | Extended | ELF Section List offset. |
file.elf.sections.physical_size | long | Extended | ELF Section List physical size. |
file.elf.sections.type | keyword | Extended | ELF Section List type. |
file.elf.sections.var_entropy | long | Extended | Variance for Shannon entropy calculation from the section. |
file.elf.sections.virtual_address | long | Extended | ELF Section List virtual address. |
file.elf.sections.virtual_size | long | Extended | ELF Section List virtual size. |
file.elf.segments | nested | Extended | ELF object segment list. |
file.elf.segments.sections | keyword | Extended | ELF object segment sections. |
file.elf.segments.type | keyword | Extended | ELF object segment type. |
file.elf.shared_libraries | keyword | Extended | List of shared libraries used by this ELF object. |
file.elf.telfhash | keyword | Extended | telfhash hash for ELF file. |
file.extension | keyword | Extended | File extension, excluding the leading dot. |
file.fork_name | keyword | Extended | A fork is additional data associated with a filesystem object. |
file.gid | keyword | Extended | Primary group ID (GID) of the file. |
file.group | keyword | Extended | Primary group name of the file. |
file.hash.cdhash | keyword | Extended | The Code Directory (CD) hash of an executable. |
file.hash.md5 | keyword | Extended | MD5 hash. |
file.hash.sha1 | keyword | Extended | SHA1 hash. |
file.hash.sha256 | keyword | Extended | SHA256 hash. |
file.hash.sha384 | keyword | Extended | SHA384 hash. |
file.hash.sha512 | keyword | Extended | SHA512 hash. |
file.hash.ssdeep | keyword | Extended | SSDEEP hash. |
file.hash.tlsh | keyword | Extended | TLSH hash. |
file.inode | keyword | Extended | Inode representing the file in the filesystem. |
file.macho.go_import_hash | keyword | Extended | A hash of the Go language imports in a Mach-O file. |
file.macho.go_imports | flattened | Extended | List of imported Go language element names and types. |
file.macho.go_imports_names_entropy | long | Extended | Shannon entropy calculation from the list of Go imports. |
file.macho.go_imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of Go imports. |
file.macho.go_stripped | boolean | Extended | Whether the file is a stripped or obfuscated Go executable. |
file.macho.import_hash | keyword | Extended | A hash of the imports in a Mach-O file. |
file.macho.imports | flattened | Extended | List of imported element names and types. |
file.macho.imports_names_entropy | long | Extended | Shannon entropy calculation from the list of imported element names and types. |
file.macho.imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of imported element names and types. |
file.macho.sections | nested | Extended | Section information of the Mach-O file. |
file.macho.sections.entropy | long | Extended | Shannon entropy calculation from the section. |
file.macho.sections.name | keyword | Extended | Mach-O Section List name. |
file.macho.sections.physical_size | long | Extended | Mach-O Section List physical size. |
file.macho.sections.var_entropy | long | Extended | Variance for Shannon entropy calculation from the section. |
file.macho.sections.virtual_size | long | Extended | Mach-O Section List virtual size. This is always the same as physical_size. |
file.macho.symhash | keyword | Extended | A hash of the imports in a Mach-O file. |
file.mime_type | keyword | Extended | Media type of file, document, or arrangement of bytes. |
file.mode | keyword | Extended | Mode of the file in octal representation. |
file.mtime | date | Extended | Last time the file content was modified. |
file.name | keyword | Extended | Name of the file including the extension, without the directory. |
file.owner | keyword | Extended | File owner's username. |
file.path | keyword | Extended | Full path to the file, including the file name. |
file.path.text | match_only_text | Extended | Full path to the file, including the file name. |
file.pe.architecture | keyword | Extended | CPU architecture target for the file. |
file.pe.company | keyword | Extended | Internal company name of the file, provided at compile-time. |
file.pe.description | keyword | Extended | Internal description of the file, provided at compile-time. |
file.pe.file_version | keyword | Extended | Process name. |
file.pe.go_import_hash | keyword | Extended | A hash of the Go language imports in a PE file. |
file.pe.go_imports | flattened | Extended | List of imported Go language element names and types. |
file.pe.go_imports_names_entropy | long | Extended | Shannon entropy calculation from the list of Go imports. |
file.pe.go_imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of Go imports. |
file.pe.go_stripped | boolean | Extended | Whether the file is a stripped or obfuscated Go executable. |
file.pe.imphash | keyword | Extended | A hash of the imports in a PE file. |
file.pe.import_hash | keyword | Extended | A hash of the imports in a PE file. |
file.pe.imports | flattened | Extended | List of imported element names and types. |
file.pe.imports_names_entropy | long | Extended | Shannon entropy calculation from the list of imported element names and types. |
file.pe.imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of imported element names and types. |
file.pe.original_file_name | keyword | Extended | Internal name of the file, provided at compile-time. |
file.pe.pehash | keyword | Extended | A hash of the PE header and data from one or more PE sections. |
file.pe.product | keyword | Extended | Internal product name of the file, provided at compile-time. |
file.pe.sections | nested | Extended | Section information of the PE file. |
file.pe.sections.entropy | long | Extended | Shannon entropy calculation from the section. |
file.pe.sections.name | keyword | Extended | PE Section List name. |
file.pe.sections.physical_size | long | Extended | PE Section List physical size. |
file.pe.sections.var_entropy | long | Extended | Variance for Shannon entropy calculation from the section. |
file.pe.sections.virtual_size | long | Extended | PE Section List virtual size. This is always the same as physical_size. |
file.size | long | Extended | File size in bytes. |
file.target_path | keyword | Extended | Target path for symlinks. |
file.target_path.text | match_only_text | Extended | Target path for symlinks. |
file.type | keyword | Extended | File type (file, dir, or symlink). |
file.uid | keyword | Extended | The user ID (UID) or security identifier (SID) of the file owner. |
file.x509.alternative_names | keyword | Extended | List of subject alternative names (SAN). |
file.x509.issuer.common_name | keyword | Extended | List of common name (CN) of issuing certificate authority. |
file.x509.issuer.country | keyword | Extended | List of country (C) codes |
file.x509.issuer.distinguished_name | keyword | Extended | Distinguished name (DN) of issuing certificate authority. |
file.x509.issuer.locality | keyword | Extended | List of locality names (L) |
file.x509.issuer.organization | keyword | Extended | List of organizations (O) of issuing certificate authority. |
file.x509.issuer.organizational_unit | keyword | Extended | List of organizational units (OU) of issuing certificate authority. |
file.x509.issuer.state_or_province | keyword | Extended | List of state or province names (ST, S, or P) |
file.x509.not_after | date | Extended | Time at which the certificate is no longer considered valid. |
file.x509.not_before | date | Extended | Time at which the certificate is first considered valid. |
file.x509.public_key_algorithm | keyword | Extended | Algorithm used to generate the public key. |
file.x509.public_key_curve | keyword | Extended | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
file.x509.public_key_exponent | long | Extended | Exponent used to derive the public key. This is algorithm specific. |
file.x509.public_key_size | long | Extended | The size of the public key space in bits. |
file.x509.serial_number | keyword | Extended | Unique serial number issued by the certificate authority. |
file.x509.signature_algorithm | keyword | Extended | Identifier for certificate signature algorithm. |
file.x509.subject.common_name | keyword | Extended | List of common names (CN) of subject. |
file.x509.subject.country | keyword | Extended | List of country (C) code |
file.x509.subject.distinguished_name | keyword | Extended | Distinguished name (DN) of the certificate subject entity. |
file.x509.subject.locality | keyword | Extended | List of locality names (L) |
file.x509.subject.organization | keyword | Extended | List of organizations (O) of subject. |
file.x509.subject.organizational_unit | keyword | Extended | List of organizational units (OU) of subject. |
file.x509.subject.state_or_province | keyword | Extended | List of state or province names (ST, S, or P) |
file.x509.version_number | keyword | Extended | Version of x509 format. |
Field Details
file.accessed
Type: date
Level: Extended
Description: Last time the file was accessed.
Indexed: true
file.attributes
Type: keyword
Level: Extended
Description: Array of file attributes.
Example: ["readonly", "system"]
Normalization: array
Indexed: true
file.code_signature.digest_algorithm
Type: keyword
Level: Extended
Description: Hashing algorithm used to sign the process.
Example: sha256
Indexed: true
file.code_signature.exists
Type: boolean
Level: Core
Description: Boolean to capture if a signature is present.
Example: true
Indexed: true
file.code_signature.flags
Type: keyword
Level: Extended
Description: Code signing flags of the process
Example: 570522385
Indexed: true
file.code_signature.signing_id
Type: keyword
Level: Extended
Description: The identifier used to sign the process.
Example: com.apple.xpc.proxy
Indexed: true
file.code_signature.status
Type: keyword
Level: Extended
Description: Additional information about the certificate status.
Example: ERROR_UNTRUSTED_ROOT
Indexed: true
file.code_signature.subject_name
Type: keyword
Level: Core
Description: Subject name of the code signer
Example: Microsoft Corporation
Indexed: true
file.code_signature.team_id
Type: keyword
Level: Extended
Description: The team identifier used to sign the process.
Example: EQHXZ8M8AV
Indexed: true
file.code_signature.timestamp
Type: date
Level: Extended
Description: When the signature was generated and signed.
Example: 2021-01-01T12:10:30Z
Indexed: true
file.code_signature.trusted
Type: boolean
Level: Extended
Description: Stores the trust status of the certificate chain.
Example: true
Indexed: true
file.code_signature.valid
Type: boolean
Level: Extended
Description: Boolean to capture if the digital signature is verified against the binary content.
Example: true
Indexed: true
file.created
Type: date
Level: Extended
Description: File creation time.
Indexed: true
file.ctime
Type: date
Level: Extended
Description: Last time the file attributes or metadata changed.
Indexed: true
file.device
Type: keyword
Level: Extended
Description: Device that is the source of the file.
Example: sda
Indexed: true
file.directory
Type: keyword
Level: Extended
Description: Directory where the file is located.
Example: /home/alice
Indexed: true
file.drive_letter
Type: keyword
Level: Extended
Description: Drive letter where the file is located.
Example: C
Indexed: true
file.elf.architecture
Type: keyword
Level: Extended
Description: Machine architecture of the ELF file.
Example: x86-64
Indexed: true
file.elf.byte_order
Type: keyword
Level: Extended
Description: Byte sequence of ELF file.
Example: Little Endian
Indexed: true
file.elf.cpu_type
Type: keyword
Level: Extended
Description: CPU type of the ELF file.
Example: Intel
Indexed: true
file.elf.creation_date
Type: date
Level: Extended
Description: Build or compile date.
Indexed: true
file.elf.exports
Type: flattened
Level: Extended
Description: List of exported element names and types.
Normalization: array
Indexed: true
file.elf.go_import_hash
Type: keyword
Level: Extended
Description: A hash of the Go language imports in an ELF file.
Example: 10bddcb4cee42080f76c88d9ff964491
Indexed: true
file.elf.go_imports
Type: flattened
Level: Extended
Description: List of imported Go language element names and types.
Indexed: true
file.elf.go_imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of Go imports.
Indexed: true
file.elf.go_imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of Go imports.
Indexed: true
file.elf.go_stripped
Type: boolean
Level: Extended
Description: Whether the file is a stripped or obfuscated Go executable.
Indexed: true
file.elf.header.abi_version
Type: keyword
Level: Extended
Description: Version of the ELF Application Binary Interface (ABI).
Indexed: true
file.elf.header.class
Type: keyword
Level: Extended
Description: Header class of the ELF file.
Indexed: true
file.elf.header.data
Type: keyword
Level: Extended
Description: Data table of the ELF header.
Indexed: true
file.elf.header.entrypoint
Type: long
Level: Extended
Description: Header entrypoint of the ELF file.
Indexed: true
file.elf.header.object_version
Type: keyword
Level: Extended
Description: "0x1" for original ELF files.
Indexed: true
file.elf.header.os_abi
Type: keyword
Level: Extended
Description: Application Binary Interface (ABI) of the Linux OS.
Indexed: true
file.elf.header.type
Type: keyword
Level: Extended
Description: Header type of the ELF file.
Indexed: true
file.elf.header.version
Type: keyword
Level: Extended
Description: Version of the ELF header.
Indexed: true
file.elf.import_hash
Type: keyword
Level: Extended
Description: A hash of the imports in an ELF file.
Example: d41d8cd98f00b204e9800998ecf8427e
Indexed: true
file.elf.imports
Type: flattened
Level: Extended
Description: List of imported element names and types.
Normalization: array
Indexed: true
file.elf.imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of imported element names and types.
Indexed: true
file.elf.imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of imported element names and types.
Indexed: true
file.elf.sections
Type: nested
Level: Extended
Description: Section information of the ELF file.
Normalization: array
Indexed: true
file.elf.sections.chi2
Type: long
Level: Extended
Description: Chi-square probability distribution of the section.
Indexed: true
file.elf.sections.entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the section.
Indexed: true
file.elf.sections.flags
Type: keyword
Level: Extended
Description: ELF Section List flags.
Indexed: true
file.elf.sections.name
Type: keyword
Level: Extended
Description: ELF Section List name.
Indexed: true
file.elf.sections.physical_offset
Type: keyword
Level: Extended
Description: ELF Section List offset.
Indexed: true
file.elf.sections.physical_size
Type: long
Level: Extended
Description: ELF Section List physical size.
Indexed: true
file.elf.sections.type
Type: keyword
Level: Extended
Description: ELF Section List type.
Indexed: true
file.elf.sections.var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the section.
Indexed: true
file.elf.sections.virtual_address
Type: long
Level: Extended
Description: ELF Section List virtual address.
Indexed: true
file.elf.sections.virtual_size
Type: long
Level: Extended
Description: ELF Section List virtual size.
Indexed: true
file.elf.segments
Type: nested
Level: Extended
Description: ELF object segment list.
Normalization: array
Indexed: true
file.elf.segments.sections
Type: keyword
Level: Extended
Description: ELF object segment sections.
Indexed: true
file.elf.segments.type
Type: keyword
Level: Extended
Description: ELF object segment type.
Indexed: true
file.elf.shared_libraries
Type: keyword
Level: Extended
Description: List of shared libraries used by this ELF object.
Normalization: array
Indexed: true
file.elf.telfhash
Type: keyword
Level: Extended
Description: telfhash hash for ELF file.
Indexed: true
file.extension
Type: keyword
Level: Extended
Description: File extension, excluding the leading dot.
Example: png
Indexed: true
file.fork_name
Type: keyword
Level: Extended
Description: A fork is additional data associated with a filesystem object.
Example: Zone.Identifer
Indexed: true
file.gid
Type: keyword
Level: Extended
Description: Primary group ID (GID) of the file.
Example: 1001
Indexed: true
file.group
Type: keyword
Level: Extended
Description: Primary group name of the file.
Example: alice
Indexed: true
file.hash.cdhash
Type: keyword
Level: Extended
Description: The Code Directory (CD) hash of an executable.
Example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
Indexed: true
file.hash.md5
Type: keyword
Level: Extended
Description: MD5 hash.
Indexed: true
file.hash.sha1
Type: keyword
Level: Extended
Description: SHA1 hash.
Indexed: true
file.hash.sha256
Type: keyword
Level: Extended
Description: SHA256 hash.
Indexed: true
file.hash.sha384
Type: keyword
Level: Extended
Description: SHA384 hash.
Indexed: true
file.hash.sha512
Type: keyword
Level: Extended
Description: SHA512 hash.
Indexed: true
file.hash.ssdeep
Type: keyword
Level: Extended
Description: SSDEEP hash.
Indexed: true
file.hash.tlsh
Type: keyword
Level: Extended
Description: TLSH hash.
Indexed: true
file.inode
Type: keyword
Level: Extended
Description: Inode representing the file in the filesystem.
Example: 256383
Indexed: true
file.macho.go_import_hash
Type: keyword
Level: Extended
Description: A hash of the Go language imports in a Mach-O file.
Example: 10bddcb4cee42080f76c88d9ff964491
Indexed: true
file.macho.go_imports
Type: flattened
Level: Extended
Description: List of imported Go language element names and types.
Indexed: true
file.macho.go_imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of Go imports.
Indexed: true
file.macho.go_imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of Go imports.
Indexed: true
file.macho.go_stripped
Type: boolean
Level: Extended
Description: Whether the file is a stripped or obfuscated Go executable.
Indexed: true
file.macho.import_hash
Type: keyword
Level: Extended
Description: A hash of the imports in a Mach-O file.
Example: d41d8cd98f00b204e9800998ecf8427e
Indexed: true
file.macho.imports
Type: flattened
Level: Extended
Description: List of imported element names and types.
Normalization: array
Indexed: true
file.macho.imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of imported element names and types.
Indexed: true
file.macho.imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of imported element names and types.
Indexed: true
file.macho.sections
Type: nested
Level: Extended
Description: Section information of the Mach-O file.
Normalization: array
Indexed: true
file.macho.sections.entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the section.
Indexed: true
file.macho.sections.name
Type: keyword
Level: Extended
Description: Mach-O Section List name.
Indexed: true
file.macho.sections.physical_size
Type: long
Level: Extended
Description: Mach-O Section List physical size.
Indexed: true
file.macho.sections.var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the section.
Indexed: true
file.macho.sections.virtual_size
Type: long
Level: Extended
Description: Mach-O Section List virtual size. This is always the same as physical_size.
Indexed: true
file.macho.symhash
Type: keyword
Level: Extended
Description: A hash of the imports in a Mach-O file.
Example: d3ccf195b62a9279c3c19af1080497ec
Indexed: true
file.mime_type
Type: keyword
Level: Extended
Description: Media type of file, document, or arrangement of bytes.
Indexed: true
file.mode
Type: keyword
Level: Extended
Description: Mode of the file in octal representation.
Example: 0640
Indexed: true
file.mtime
Type: date
Level: Extended
Description: Last time the file content was modified.
Indexed: true
file.name
Type: keyword
Level: Extended
Description: Name of the file including the extension, without the directory.
Example: example.png
Indexed: true
file.owner
Type: keyword
Level: Extended
Description: File owner's username.
Example: alice
Indexed: true
file.path
Type: keyword
Level: Extended
Description: Full path to the file, including the file name.
Example: /home/alice/example.png
Indexed: true
file.path.text
Type: match_only_text
Level: Extended
Description: Full path to the file, including the file name.
Example: /home/alice/example.png
Indexed: true
file.pe.architecture
Type: keyword
Level: Extended
Description: CPU architecture target for the file.
Example: x64
Indexed: true
file.pe.company
Type: keyword
Level: Extended
Description: Internal company name of the file, provided at compile-time.
Example: Microsoft Corporation
Indexed: true
file.pe.description
Type: keyword
Level: Extended
Description: Internal description of the file, provided at compile-time.
Example: Paint
Indexed: true
file.pe.file_version
Type: keyword
Level: Extended
Description: Process name.
Example: 6.3.9600.17415
Indexed: true
file.pe.go_import_hash
Type: keyword
Level: Extended
Description: A hash of the Go language imports in a PE file.
Example: 10bddcb4cee42080f76c88d9ff964491
Indexed: true
file.pe.go_imports
Type: flattened
Level: Extended
Description: List of imported Go language element names and types.
Indexed: true
file.pe.go_imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of Go imports.
Indexed: true
file.pe.go_imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of Go imports.
Indexed: true
file.pe.go_stripped
Type: boolean
Level: Extended
Description: Whether the file is a stripped or obfuscated Go executable.
Indexed: true
file.pe.imphash
Type: keyword
Level: Extended
Description: A hash of the imports in a PE file.
Example: 0c6803c4e922103c4dca5963aad36ddf
Indexed: true
file.pe.import_hash
Type: keyword
Level: Extended
Description: A hash of the imports in a PE file.
Example: d41d8cd98f00b204e9800998ecf8427e
Indexed: true
file.pe.imports
Type: flattened
Level: Extended
Description: List of imported element names and types.
Normalization: array
Indexed: true
file.pe.imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of imported element names and types.
Indexed: true
file.pe.imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of imported element names and types.
Indexed: true
file.pe.original_file_name
Type: keyword
Level: Extended
Description: Internal name of the file, provided at compile-time.
Example: MSPAINT.EXE
Indexed: true
file.pe.pehash
Type: keyword
Level: Extended
Description: A hash of the PE header and data from one or more PE sections.
Example: 73ff189b63cd6be375a7ff25179a38d347651975
Indexed: true
file.pe.product
Type: keyword
Level: Extended
Description: Internal product name of the file, provided at compile-time.
Example: Microsoft® Windows® Operating System
Indexed: true
file.pe.sections
Type: nested
Level: Extended
Description: Section information of the PE file.
Normalization: array
Indexed: true
file.pe.sections.entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the section.
Indexed: true
file.pe.sections.name
Type: keyword
Level: Extended
Description: PE Section List name.
Indexed: true
file.pe.sections.physical_size
Type: long
Level: Extended
Description: PE Section List physical size.
Indexed: true
file.pe.sections.var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the section.
Indexed: true
file.pe.sections.virtual_size
Type: long
Level: Extended
Description: PE Section List virtual size. This is always the same as physical_size.
Indexed: true
file.size
Type: long
Level: Extended
Description: File size in bytes.
Example: 16384
Indexed: true
file.target_path
Type: keyword
Level: Extended
Description: Target path for symlinks.
Indexed: true
file.target_path.text
Type: match_only_text
Level: Extended
Description: Target path for symlinks.
Indexed: true
file.type
Type: keyword
Level: Extended
Description: File type (file, dir, or symlink).
Example: file
Indexed: true
file.uid
Type: keyword
Level: Extended
Description: The user ID (UID) or security identifier (SID) of the file owner.
Example: 1001
Indexed: true
file.x509.alternative_names
Type: keyword
Level: Extended
Description: List of subject alternative names (SAN).
Example: *.elastic.co
Normalization: array
Indexed: true
file.x509.issuer.common_name
Type: keyword
Level: Extended
Description: List of common name (CN) of issuing certificate authority.
Example: Example SHA2 High Assurance Server CA
Normalization: array
Indexed: true
file.x509.issuer.country
Type: keyword
Level: Extended
Description: List of country (C) codes
Example: US
Normalization: array
Indexed: true
file.x509.issuer.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of issuing certificate authority.
Example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
Indexed: true
file.x509.issuer.locality
Type: keyword
Level: Extended
Description: List of locality names (L)
Example: Mountain View
Normalization: array
Indexed: true
file.x509.issuer.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of issuing certificate authority.
Example: Example Inc
Normalization: array
Indexed: true
file.x509.issuer.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of issuing certificate authority.
Example: www.example.com
Normalization: array
Indexed: true
file.x509.issuer.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P)
Example: California
Normalization: array
Indexed: true
file.x509.not_after
Type: date
Level: Extended
Description: Time at which the certificate is no longer considered valid.
Example: 2020-07-16T03:15:39Z
Indexed: true
file.x509.not_before
Type: date
Level: Extended
Description: Time at which the certificate is first considered valid.
Example: 2019-08-16T01:40:25Z
Indexed: true
file.x509.public_key_algorithm
Type: keyword
Level: Extended
Description: Algorithm used to generate the public key.
Example: RSA
Indexed: true
file.x509.public_key_curve
Type: keyword
Level: Extended
Description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
Example: nistp521
Indexed: true
file.x509.public_key_exponent
Type: long
Level: Extended
Description: Exponent used to derive the public key. This is algorithm specific.
Example: 65537
Indexed: false
file.x509.public_key_size
Type: long
Level: Extended
Description: The size of the public key space in bits.
Example: 2048
Indexed: true
file.x509.serial_number
Type: keyword
Level: Extended
Description: Unique serial number issued by the certificate authority.
Example: 55FBB9C7DEBF09809D12CCAA
Indexed: true
file.x509.signature_algorithm
Type: keyword
Level: Extended
Description: Identifier for certificate signature algorithm.
Example: SHA256-RSA
Indexed: true
file.x509.subject.common_name
Type: keyword
Level: Extended
Description: List of common names (CN) of subject.
Example: shared.global.example.net
Normalization: array
Indexed: true
file.x509.subject.country
Type: keyword
Level: Extended
Description: List of country (C) code
Example: US
Normalization: array
Indexed: true
file.x509.subject.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of the certificate subject entity.
Example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
Indexed: true
file.x509.subject.locality
Type: keyword
Level: Extended
Description: List of locality names (L)
Example: San Francisco
Normalization: array
Indexed: true
file.x509.subject.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of subject.
Example: Example, Inc.
Normalization: array
Indexed: true
file.x509.subject.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of subject.
Normalization: array
Indexed: true
file.x509.subject.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P)
Example: California
Normalization: array
Indexed: true
file.x509.version_number
Type: keyword
Level: Extended
Description: Version of x509 format.
Example: 3
Indexed: true