diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index f61cee21ad..f4a98d88ef 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -22,6 +22,8 @@ Thanks, you're awesome :-) -->
 #### Added
+* Added `file.fork_name` field #1288
+
 #### Improvements
 #### Deprecated
diff --git a/code/go/ecs/file.go b/code/go/ecs/file.go
index 09713b7bf4..3159585582 100644
--- a/code/go/ecs/file.go
+++ b/code/go/ecs/file.go
@@ -111,4 +111,18 @@ type File struct {
 // official types], where possible. When more than one type is applicable,
 // the most specific type should be used.
 MimeType string `ecs:"mime_type"`
+
+ // A fork is additional data associated with a filesystem object.
+ // On Linux, a resource fork is used to store additional data with a
+ // filesystem object. A file always has at least one fork for the data
+ // portion, and additional forks may exist.
+ // On NTFS, this is analogous to an Alternate Data Stream (ADS), and the
+ // default data stream for a file is just called $DATA. Zone.Identifier is
+ // commonly used by Windows to track contents downloaded from the Internet.
+ // An ADS is typically of the form:
+ // `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is
+ // the value that should populate `fork_name`. `filename.extension` should
+ // populate `file.name`, and `extension` should populate `file.extension`.
+ // The full path, `file.path`, will include the fork name.
+ ForkName string `ecs:"fork_name"`
 }
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 617e0f1cc2..903b13d20e 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
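Review bot: The new comment on `ForkName` says a resource fork is used on Linux, but resource forks are a classic Mac OS (HFS) concept and Linux exposes comparable side data as extended attributes, so the second comment line is likely to mislead anyone mapping the field onto Linux events; I would change it to `// On macOS, a resource fork is used to store additional data with a filesystem object; on Linux, extended attributes play a similar role.` The example value `Zone.Identifer` in the docs/field-details.asciidoc hunk and in each generated yml and csv hunk is missing the second `i` of `Zone.Identifier`, which the description itself spells correctly, so an analyst copying the example will look for a stream name that never occurs. Both strings appear to be generated from the schema definition, which is not in this chunk, so the fix belongs there rather than in these outputs. The `File` struct that receives the field starts outside the hunk.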
@@ -3195,6 +3195,26 @@ example: `png` // =============================================================== +| +[[field-file-fork-name]] +<> + +| A fork is additional data associated with a filesystem object. + +On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. + +On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. The full path, `file.path`, will include the fork name. + +type: keyword + + + +example: `Zone.Identifer` + +| extended + +// =============================================================== + | [[field-file-gid]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 653c3eb45d..bc79b3b240 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -2383,6 +2383,25 @@ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png + - name: fork_name + level: extended + type: keyword + ignore_above: 1024 + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + default_field: false - name: gid level: extended type: keyword 
@@ -8538,6 +8557,25 @@ the last one should be captured ("gz", not "tar.gz").' example: png default_field: false + - name: enrichments.indicator.file.fork_name + level: extended + type: keyword + ignore_above: 1024 + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + default_field: false - name: enrichments.indicator.file.gid level: extended type: keyword 
@@ -10220,6 +10258,25 @@ the last one should be captured ("gz", not "tar.gz").' example: png default_field: false + - name: indicator.file.fork_name + level: extended + type: keyword + ignore_above: 1024 + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + default_field: false - name: indicator.file.gid level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 1abc97f52a..92c7ab4cab 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -252,6 +252,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.0.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
 8.0.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
 8.0.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.0.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.0.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.0.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
 8.0.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
@@ -1042,6 +1043,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
 8.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
@@ -1274,6 +1276,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.0.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
 8.0.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
 8.0.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.0.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.0.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.0.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
 8.0.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 077f47c2a0..6345796d36 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -3509,6 +3509,29 @@ file.extension: normalize: [] short: File extension, excluding the leading dot. type: keyword +file.fork_name: + dashed_name: file-fork-name + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem object. + A file always has at least one fork for the data portion, and additional forks + may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should populate + `file.name`, and `extension` should populate `file.extension`. The full path, + `file.path`, will include the fork name.' + example: Zone.Identifer + flat_name: file.fork_name + ignore_above: 1024 + level: extended + name: fork_name + normalize: [] + short: A fork is additional data associated with a filesystem object. + type: keyword file.gid: dashed_name: file-gid description: Primary group ID (GID) of the file. 
@@ -12911,6 +12934,30 @@ threat.enrichments.indicator.file.extension: original_fieldset: file short: File extension, excluding the leading dot. type: keyword +threat.enrichments.indicator.file.fork_name: + dashed_name: threat-enrichments-indicator-file-fork-name + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem object. + A file always has at least one fork for the data portion, and additional forks + may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should populate + `file.name`, and `extension` should populate `file.extension`. The full path, + `file.path`, will include the fork name.' + example: Zone.Identifer + flat_name: threat.enrichments.indicator.file.fork_name + ignore_above: 1024 + level: extended + name: fork_name + normalize: [] + original_fieldset: file + short: A fork is additional data associated with a filesystem object. + type: keyword threat.enrichments.indicator.file.gid: dashed_name: threat-enrichments-indicator-file-gid description: Primary group ID (GID) of the file. 
@@ -15765,6 +15812,30 @@ threat.indicator.file.extension: original_fieldset: file short: File extension, excluding the leading dot. type: keyword +threat.indicator.file.fork_name: + dashed_name: threat-indicator-file-fork-name + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem object. + A file always has at least one fork for the data portion, and additional forks + may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should populate + `file.name`, and `extension` should populate `file.extension`. The full path, + `file.path`, will include the fork name.' + example: Zone.Identifer + flat_name: threat.indicator.file.fork_name + ignore_above: 1024 + level: extended + name: fork_name + normalize: [] + original_fieldset: file + short: A fork is additional data associated with a filesystem object. + type: keyword threat.indicator.file.gid: dashed_name: threat-indicator-file-gid description: Primary group ID (GID) of the file. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 8d7217b803..20a9c10814 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -4316,6 +4316,29 @@ file: normalize: [] short: File extension, excluding the leading dot. type: keyword + file.fork_name: + dashed_name: file-fork-name + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + flat_name: file.fork_name + ignore_above: 1024 + level: extended + name: fork_name + normalize: [] + short: A fork is additional data associated with a filesystem object. + type: keyword file.gid: dashed_name: file-gid description: Primary group ID (GID) of the file. 
@@ -14982,6 +15005,30 @@ threat: original_fieldset: file short: File extension, excluding the leading dot. type: keyword + threat.enrichments.indicator.file.fork_name: + dashed_name: threat-enrichments-indicator-file-fork-name + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + flat_name: threat.enrichments.indicator.file.fork_name + ignore_above: 1024 + level: extended + name: fork_name + normalize: [] + original_fieldset: file + short: A fork is additional data associated with a filesystem object. + type: keyword threat.enrichments.indicator.file.gid: dashed_name: threat-enrichments-indicator-file-gid description: Primary group ID (GID) of the file. 
@@ -17842,6 +17889,30 @@ threat:
 original_fieldset: file
 short: File extension, excluding the leading dot.
 type: keyword
+ threat.indicator.file.fork_name:
+ dashed_name: threat-indicator-file-fork-name
+ description: 'A fork is additional data associated with a filesystem object.
+
+ On Linux, a resource fork is used to store additional data with a filesystem
+ object. A file always has at least one fork for the data portion, and additional
+ forks may exist.
+
+ On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
+ data stream for a file is just called $DATA. Zone.Identifier is commonly used
+ by Windows to track contents downloaded from the Internet. An ADS is typically
+ of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
+ is the value that should populate `fork_name`. `filename.extension` should
+ populate `file.name`, and `extension` should populate `file.extension`. The
+ full path, `file.path`, will include the fork name.'
+ example: Zone.Identifer
+ flat_name: threat.indicator.file.fork_name
+ ignore_above: 1024
+ level: extended
+ name: fork_name
+ normalize: []
+ original_fieldset: file
+ short: A fork is additional data associated with a filesystem object.
+ type: keyword
 threat.indicator.file.gid:
 dashed_name: threat-indicator-file-gid
 description: Primary group ID (GID) of the file.
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json
index 66fe66cb06..87f4c02a5c 100644
--- a/experimental/generated/elasticsearch/7/template.json
+++ b/experimental/generated/elasticsearch/7/template.json
@@ -1128,6 +1128,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "fork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "gid": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -4629,6 +4633,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "fork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "gid": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -5640,6 +5648,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "fork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "gid": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json
index c73f69073c..b90a807fa3 100644
--- a/experimental/generated/elasticsearch/component/file.json
+++ b/experimental/generated/elasticsearch/component/file.json
@@ -182,6 +182,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "fork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "gid": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json
index f3e0bb7af9..ad6b748c49 100644
--- a/experimental/generated/elasticsearch/component/threat.json
+++ b/experimental/generated/elasticsearch/component/threat.json
@@ -224,6 +224,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "fork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "gid": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1235,6 +1239,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "fork_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "gid": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 893d1d5577..3096d6d49e 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -2196,6 +2196,25 @@ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png + - name: fork_name + level: extended + type: keyword + ignore_above: 1024 + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + default_field: false - name: gid level: extended type: keyword 
@@ -6208,6 +6227,25 @@ the last one should be captured ("gz", not "tar.gz").' example: png default_field: false + - name: enrichments.indicator.file.fork_name + level: extended + type: keyword + ignore_above: 1024 + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + default_field: false - name: enrichments.indicator.file.gid level: extended type: keyword 
@@ -7377,6 +7415,25 @@ the last one should be captured ("gz", not "tar.gz").' example: png default_field: false + - name: indicator.file.fork_name + level: extended + type: keyword + ignore_above: 1024 + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + default_field: false - name: indicator.file.gid level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index e2063fc268..b1003adce5 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -221,6 +221,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.0.0-dev,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
 8.0.0-dev,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
 8.0.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.0.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.0.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.0.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
 8.0.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
@@ -718,6 +719,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
 8.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
 8.0.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.0.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.0.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.0.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
 8.0.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
@@ -874,6 +876,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.0.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
 8.0.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
 8.0.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+8.0.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.0.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.0.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
 8.0.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index db3ae9236e..05f8a307e7 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -3160,6 +3160,29 @@ file.extension: normalize: [] short: File extension, excluding the leading dot. type: keyword +file.fork_name: + dashed_name: file-fork-name + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem object. + A file always has at least one fork for the data portion, and additional forks + may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should populate + `file.name`, and `extension` should populate `file.extension`. The full path, + `file.path`, will include the fork name.' + example: Zone.Identifer + flat_name: file.fork_name + ignore_above: 1024 + level: extended + name: fork_name + normalize: [] + short: A fork is additional data associated with a filesystem object. + type: keyword file.gid: dashed_name: file-gid description: Primary group ID (GID) of the file. 
@@ -9156,6 +9179,30 @@ threat.enrichments.indicator.file.extension: original_fieldset: file short: File extension, excluding the leading dot. type: keyword +threat.enrichments.indicator.file.fork_name: + dashed_name: threat-enrichments-indicator-file-fork-name + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem object. + A file always has at least one fork for the data portion, and additional forks + may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should populate + `file.name`, and `extension` should populate `file.extension`. The full path, + `file.path`, will include the fork name.' + example: Zone.Identifer + flat_name: threat.enrichments.indicator.file.fork_name + ignore_above: 1024 + level: extended + name: fork_name + normalize: [] + original_fieldset: file + short: A fork is additional data associated with a filesystem object. + type: keyword threat.enrichments.indicator.file.gid: dashed_name: threat-enrichments-indicator-file-gid description: Primary group ID (GID) of the file. 
@@ -11104,6 +11151,30 @@ threat.indicator.file.extension: original_fieldset: file short: File extension, excluding the leading dot. type: keyword +threat.indicator.file.fork_name: + dashed_name: threat-indicator-file-fork-name + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem object. + A file always has at least one fork for the data portion, and additional forks + may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should populate + `file.name`, and `extension` should populate `file.extension`. The full path, + `file.path`, will include the fork name.' + example: Zone.Identifer + flat_name: threat.indicator.file.fork_name + ignore_above: 1024 + level: extended + name: fork_name + normalize: [] + original_fieldset: file + short: A fork is additional data associated with a filesystem object. + type: keyword threat.indicator.file.gid: dashed_name: threat-indicator-file-gid description: Primary group ID (GID) of the file. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 45d41a7cd5..364f4da92e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -3967,6 +3967,29 @@ file: normalize: [] short: File extension, excluding the leading dot. type: keyword + file.fork_name: + dashed_name: file-fork-name + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + flat_name: file.fork_name + ignore_above: 1024 + level: extended + name: fork_name + normalize: [] + short: A fork is additional data associated with a filesystem object. + type: keyword file.gid: dashed_name: file-gid description: Primary group ID (GID) of the file. 
@@ -10865,6 +10888,30 @@ threat: original_fieldset: file short: File extension, excluding the leading dot. type: keyword + threat.enrichments.indicator.file.fork_name: + dashed_name: threat-enrichments-indicator-file-fork-name + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + flat_name: threat.enrichments.indicator.file.fork_name + ignore_above: 1024 + level: extended + name: fork_name + normalize: [] + original_fieldset: file + short: A fork is additional data associated with a filesystem object. + type: keyword threat.enrichments.indicator.file.gid: dashed_name: threat-enrichments-indicator-file-gid description: Primary group ID (GID) of the file. 
@@ -12817,6 +12864,30 @@ threat: original_fieldset: file short: File extension, excluding the leading dot. type: keyword + threat.indicator.file.fork_name: + dashed_name: threat-indicator-file-fork-name + description: 'A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem + object. A file always has at least one fork for the data portion, and additional + forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default + data stream for a file is just called $DATA. Zone.Identifier is commonly used + by Windows to track contents downloaded from the Internet. An ADS is typically + of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` + is the value that should populate `fork_name`. `filename.extension` should + populate `file.name`, and `extension` should populate `file.extension`. The + full path, `file.path`, will include the fork name.' + example: Zone.Identifer + flat_name: threat.indicator.file.fork_name + ignore_above: 1024 + level: extended + name: fork_name + normalize: [] + original_fieldset: file + short: A fork is additional data associated with a filesystem object. + type: keyword threat.indicator.file.gid: dashed_name: threat-indicator-file-gid description: Primary group ID (GID) of the file. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 2dfdb41811..2e191f960f 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1018,6 +1018,10 @@ "ignore_above": 1024, "type": "keyword" }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, "gid": { "ignore_above": 1024, "type": "keyword" @@ -3312,6 +3316,10 @@ "ignore_above": 1024, "type": "keyword" }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, "gid": { "ignore_above": 1024, "type": "keyword" 
@@ -4003,6 +4011,10 @@ "ignore_above": 1024, "type": "keyword" }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, "gid": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 31b6158ae6..eacf6f865a 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1014,6 +1014,10 @@ "ignore_above": 1024, "type": "keyword" }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, "gid": { "ignore_above": 1024, "type": "keyword" @@ -3308,6 +3312,10 @@ "ignore_above": 1024, "type": "keyword" }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, "gid": { "ignore_above": 1024, "type": "keyword" @@ -3999,6 +4007,10 @@ "ignore_above": 1024, "type": "keyword" }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, "gid": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json index 2894809b1b..8bc8f1df23 100644 --- a/generated/elasticsearch/component/file.json +++ b/generated/elasticsearch/component/file.json @@ -183,6 +183,10 @@ "ignore_above": 1024, "type": "keyword" }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, "gid": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json index 245eb3b216..69e3556526 100644 --- a/generated/elasticsearch/component/threat.json +++ b/generated/elasticsearch/component/threat.json @@ -226,6 +226,10 @@ "ignore_above": 1024, "type": "keyword" }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, "gid": { "ignore_above": 1024, "type": "keyword" @@ -917,6 +921,10 @@ "ignore_above": 1024, "type": "keyword" }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, "gid": { "ignore_above": 1024, "type": "keyword" 
diff --git a/schemas/file.yml b/schemas/file.yml index 9b52b2520e..dc45d04613 100644 --- a/schemas/file.yml +++ b/schemas/file.yml @@ -193,3 +193,21 @@ https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + + - name: fork_name + level: extended + type: keyword + description: > + A fork is additional data associated with a filesystem object. + + On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at + least one fork for the data portion, and additional forks may exist. + + On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. + Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: + `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name` is the value that should populate `fork_name`. + `filename.extension` should populate `file.name`, and `extension` should populate `file.extension`. + The full path, `file.path`, will include the fork name. + + short: A fork is additional data associated with a filesystem object. + example: Zone.Identifer
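Review bot: The `example` value is misspelled: `Zone.Identifer` should be `Zone.Identifier`, which is how the description itself spells the stream name, and because the generated artefacts in this commit (ecs_nested.yml, fields.ecs.yml, field-details.asciidoc, the Go struct comment) are derived from this schema, the fix has to land here and be regenerated rather than patched in each copy. The description also leaves open whether `fork_name` stays unset for an ordinary file or is populated with `$DATA` for the default stream; a sentence such as `fork_name should only be populated when the object is an alternate/named fork; the default data stream leaves the field unset` (or the opposite, if that is the intent) would remove the ambiguity, which matters for detection content that treats any non-empty `fork_name` as an alternate data stream. The sentence `On Linux, a resource fork is used to store additional data with a filesystem object.` appears to describe classic macOS/HFS+ resource forks rather than Linux, which exposes extended attributes instead of forks, so the platform name is worth confirming before this ships. Since `file.path` is documented to include the fork name, it may also help to state explicitly that `file.name` and `file.extension` exclude it, so path-based rules know which field carries the `:stream` suffix.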