Add file.fork_name to ECS (#1288)

* Add file.fork_name

* Add generated code

* Add comma

Co-authored-by: Eric Beahan <[email protected]>

* Add note to NTFS

Co-authored-by: Eric Beahan <[email protected]>

* Update CHANGELOG.next.md

* Fix comma

* Re-run make generate

* make experimental

* Rearrange changelog entry

Co-authored-by: Eric Beahan <[email protected]>

CHANGELOG.next.md

@@ -22,6 +22,8 @@ Thanks, you're awesome :-) -->
 
 #### Added
 
+* Added `file.fork_name` field #1288
+
 #### Improvements
 
 #### Deprecated

docs/field-details.asciidoc

@@ -3195,6 +3195,26 @@ example: `png`
 
 // ===============================================================
 
+|
+[[field-file-fork-name]]
+<<field-file-fork-name, file.fork_name>>
+
+| A fork is additional data associated with a filesystem object.
+
+On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist.
+
+On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name.
+
+type: keyword
+
+
+
+example: `Zone.Identifer`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-file-gid]]
 <<field-file-gid, file.gid>>

experimental/generated/beats/fields.ecs.yml

@@ -2383,6 +2383,25 @@
  Note that when the file name has multiple extensions (example.tar.gz), only
  the last one should be captured ("gz", not "tar.gz").'
  example: png
+ - name: fork_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A fork is additional data associated with a filesystem object.
+
+ On Linux, a resource fork is used to store additional data with a filesystem
+ object. A file always has at least one fork for the data portion, and additional
+ forks may exist.
+
+ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+ data stream for a file is just called $DATA. Zone.Identifier is commonly used
+ by Windows to track contents downloaded from the Internet. An ADS is typically
+ of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+ is the value that should populate `fork_name`. `filename.extension` should
+ populate `file.name`, and `extension` should populate `file.extension`. The
+ full path, `file.path`, will include the fork name.'
+ example: Zone.Identifer
+ default_field: false
  - name: gid
  level: extended
  type: keyword
@@ -8538,6 +8557,25 @@
  the last one should be captured ("gz", not "tar.gz").'
  example: png
  default_field: false
+ - name: enrichments.indicator.file.fork_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A fork is additional data associated with a filesystem object.
+
+ On Linux, a resource fork is used to store additional data with a filesystem
+ object. A file always has at least one fork for the data portion, and additional
+ forks may exist.
+
+ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+ data stream for a file is just called $DATA. Zone.Identifier is commonly used
+ by Windows to track contents downloaded from the Internet. An ADS is typically
+ of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+ is the value that should populate `fork_name`. `filename.extension` should
+ populate `file.name`, and `extension` should populate `file.extension`. The
+ full path, `file.path`, will include the fork name.'
+ example: Zone.Identifer
+ default_field: false
  - name: enrichments.indicator.file.gid
  level: extended
  type: keyword
@@ -10220,6 +10258,25 @@
  the last one should be captured ("gz", not "tar.gz").'
  example: png
  default_field: false
+ - name: indicator.file.fork_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A fork is additional data associated with a filesystem object.
+
+ On Linux, a resource fork is used to store additional data with a filesystem
+ object. A file always has at least one fork for the data portion, and additional
+ forks may exist.
+
+ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+ data stream for a file is just called $DATA. Zone.Identifier is commonly used
+ by Windows to track contents downloaded from the Internet. An ADS is typically
+ of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+ is the value that should populate `fork_name`. `filename.extension` should
+ populate `file.name`, and `extension` should populate `file.extension`. The
+ full path, `file.path`, will include the fork name.'
+ example: Zone.Identifer
+ default_field: false
  - name: indicator.file.gid
  level: extended
  type: keyword

experimental/generated/csv/fields.csv

@@ -252,6 +252,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.0.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
 8.0.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
 8.0.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.0.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.0.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.0.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
 8.0.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
@@ -1042,6 +1043,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
@@ -1274,6 +1276,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.0.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
 8.0.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
 8.0.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.0.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.0.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.0.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
 8.0.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.

experimental/generated/ecs/ecs_flat.yml

@@ -3509,6 +3509,29 @@ file.extension:
  normalize: []
  short: File extension, excluding the leading dot.
  type: keyword
+file.fork_name:
+ dashed_name: file-fork-name
+ description: 'A fork is additional data associated with a filesystem object.
+
+ On Linux, a resource fork is used to store additional data with a filesystem object.
+ A file always has at least one fork for the data portion, and additional forks
+ may exist.
+
+ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+ data stream for a file is just called $DATA. Zone.Identifier is commonly used
+ by Windows to track contents downloaded from the Internet. An ADS is typically
+ of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+ is the value that should populate `fork_name`. `filename.extension` should populate
+ `file.name`, and `extension` should populate `file.extension`. The full path,
+ `file.path`, will include the fork name.'
+ example: Zone.Identifer
+ flat_name: file.fork_name
+ ignore_above: 1024
+ level: extended
+ name: fork_name
+ normalize: []
+ short: A fork is additional data associated with a filesystem object.
+ type: keyword
 file.gid:
  dashed_name: file-gid
  description: Primary group ID (GID) of the file.
@@ -12911,6 +12934,30 @@ threat.enrichments.indicator.file.extension:
  original_fieldset: file
  short: File extension, excluding the leading dot.
  type: keyword
+threat.enrichments.indicator.file.fork_name:
+ dashed_name: threat-enrichments-indicator-file-fork-name
+ description: 'A fork is additional data associated with a filesystem object.
+
+ On Linux, a resource fork is used to store additional data with a filesystem object.
+ A file always has at least one fork for the data portion, and additional forks
+ may exist.
+
+ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+ data stream for a file is just called $DATA. Zone.Identifier is commonly used
+ by Windows to track contents downloaded from the Internet. An ADS is typically
+ of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+ is the value that should populate `fork_name`. `filename.extension` should populate
+ `file.name`, and `extension` should populate `file.extension`. The full path,
+ `file.path`, will include the fork name.'
+ example: Zone.Identifer
+ flat_name: threat.enrichments.indicator.file.fork_name
+ ignore_above: 1024
+ level: extended
+ name: fork_name
+ normalize: []
+ original_fieldset: file
+ short: A fork is additional data associated with a filesystem object.
+ type: keyword
 threat.enrichments.indicator.file.gid:
  dashed_name: threat-enrichments-indicator-file-gid
  description: Primary group ID (GID) of the file.
@@ -15765,6 +15812,30 @@ threat.indicator.file.extension:
  original_fieldset: file
  short: File extension, excluding the leading dot.
  type: keyword
+threat.indicator.file.fork_name:
+ dashed_name: threat-indicator-file-fork-name
+ description: 'A fork is additional data associated with a filesystem object.
+
+ On Linux, a resource fork is used to store additional data with a filesystem object.
+ A file always has at least one fork for the data portion, and additional forks
+ may exist.
+
+ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+ data stream for a file is just called $DATA. Zone.Identifier is commonly used
+ by Windows to track contents downloaded from the Internet. An ADS is typically
+ of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+ is the value that should populate `fork_name`. `filename.extension` should populate
+ `file.name`, and `extension` should populate `file.extension`. The full path,
+ `file.path`, will include the fork name.'
+ example: Zone.Identifer
+ flat_name: threat.indicator.file.fork_name
+ ignore_above: 1024
+ level: extended
+ name: fork_name
+ normalize: []
+ original_fieldset: file
+ short: A fork is additional data associated with a filesystem object.
+ type: keyword
 threat.indicator.file.gid:
  dashed_name: threat-indicator-file-gid
  description: Primary group ID (GID) of the file.

experimental/generated/ecs/ecs_nested.yml

@@ -4316,6 +4316,29 @@ file:
  normalize: []
  short: File extension, excluding the leading dot.
  type: keyword
+ file.fork_name:
+ dashed_name: file-fork-name
+ description: 'A fork is additional data associated with a filesystem object.
+
+ On Linux, a resource fork is used to store additional data with a filesystem
+ object. A file always has at least one fork for the data portion, and additional
+ forks may exist.
+
+ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+ data stream for a file is just called $DATA. Zone.Identifier is commonly used
+ by Windows to track contents downloaded from the Internet. An ADS is typically
+ of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+ is the value that should populate `fork_name`. `filename.extension` should
+ populate `file.name`, and `extension` should populate `file.extension`. The
+ full path, `file.path`, will include the fork name.'
+ example: Zone.Identifer
+ flat_name: file.fork_name
+ ignore_above: 1024
+ level: extended
+ name: fork_name
+ normalize: []
+ short: A fork is additional data associated with a filesystem object.
+ type: keyword
  file.gid:
  dashed_name: file-gid
  description: Primary group ID (GID) of the file.
@@ -14982,6 +15005,30 @@ threat:
  original_fieldset: file
  short: File extension, excluding the leading dot.
  type: keyword
+ threat.enrichments.indicator.file.fork_name:
+ dashed_name: threat-enrichments-indicator-file-fork-name
+ description: 'A fork is additional data associated with a filesystem object.
+
+ On Linux, a resource fork is used to store additional data with a filesystem
+ object. A file always has at least one fork for the data portion, and additional
+ forks may exist.
+
+ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+ data stream for a file is just called $DATA. Zone.Identifier is commonly used
+ by Windows to track contents downloaded from the Internet. An ADS is typically
+ of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+ is the value that should populate `fork_name`. `filename.extension` should
+ populate `file.name`, and `extension` should populate `file.extension`. The
+ full path, `file.path`, will include the fork name.'
+ example: Zone.Identifer
+ flat_name: threat.enrichments.indicator.file.fork_name
+ ignore_above: 1024
+ level: extended
+ name: fork_name
+ normalize: []
+ original_fieldset: file
+ short: A fork is additional data associated with a filesystem object.
+ type: keyword
  threat.enrichments.indicator.file.gid:
  dashed_name: threat-enrichments-indicator-file-gid
  description: Primary group ID (GID) of the file.
@@ -17842,6 +17889,30 @@ threat:
  original_fieldset: file
  short: File extension, excluding the leading dot.
  type: keyword
+ threat.indicator.file.fork_name:
+ dashed_name: threat-indicator-file-fork-name
+ description: 'A fork is additional data associated with a filesystem object.
+
+ On Linux, a resource fork is used to store additional data with a filesystem
+ object. A file always has at least one fork for the data portion, and additional
+ forks may exist.
+
+ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+ data stream for a file is just called $DATA. Zone.Identifier is commonly used
+ by Windows to track contents downloaded from the Internet. An ADS is typically
+ of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+ is the value that should populate `fork_name`. `filename.extension` should
+ populate `file.name`, and `extension` should populate `file.extension`. The
+ full path, `file.path`, will include the fork name.'
+ example: Zone.Identifer
+ flat_name: threat.indicator.file.fork_name
+ ignore_above: 1024
+ level: extended
+ name: fork_name
+ normalize: []
+ original_fieldset: file
+ short: A fork is additional data associated with a filesystem object.
+ type: keyword
  threat.indicator.file.gid:
  dashed_name: threat-indicator-file-gid
  description: Primary group ID (GID) of the file.

experimental/generated/elasticsearch/7/template.json

@@ -1128,6 +1128,10 @@
  "ignore_above": 1024,
  "type": "keyword"
  },
+ "fork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
  "gid": {
  "ignore_above": 1024,
  "type": "keyword"
@@ -4629,6 +4633,10 @@
  "ignore_above": 1024,
  "type": "keyword"
  },
+ "fork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
  "gid": {
  "ignore_above": 1024,
  "type": "keyword"
@@ -5640,6 +5648,10 @@
  "ignore_above": 1024,
  "type": "keyword"
  },
+ "fork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
  "gid": {
  "ignore_above": 1024,
  "type": "keyword"

experimental/generated/elasticsearch/component/file.json

@@ -182,6 +182,10 @@
  "ignore_above": 1024,
  "type": "keyword"
  },
+ "fork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
  "gid": {
  "ignore_above": 1024,
  "type": "keyword"