[RFC] Stage 2: Introducing new fields in file/dll/process fields (#2441)

elastic · Feb 7, 2025 · 9347ad0 · 9347ad0
1 parent ede6f40
commit 9347ad0
Show file tree

Hide file tree

Showing 23 changed files with 832 additions and 8 deletions.
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -19,6 +19,7 @@ Thanks, you're awesome :-) -->
 * Fix link rendering issues and usage of http in links. #2423
 
 #### Added
+* Add `origin_referrer_url` and `origin_url` fields, which indicate the origin information to the file, process and dll schemas #2441
 
 #### Improvements
 

diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
@@ -1841,6 +1841,42 @@ example: `kernel32.dll`
 
 // ===============================================================
 
+|
+[[field-dll-origin-referrer-url]]
+<<field-dll-origin-referrer-url, dll.origin_referrer_url>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The URL of the webpage that linked to the dll file.
+
+type: keyword
+
+
+
+example: `http://example.com/article1.html`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-dll-origin-url]]
+<<field-dll-origin-url, dll.origin_url>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The URL where the dll file is hosted.
+
+type: keyword
+
+
+
+example: `http://example.com/files/example.dll`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-dll-path]]
 <<field-dll-path, dll.path>>
@@ -4447,6 +4483,42 @@ image:https://img.shields.io/badge/OpenTelemetry-4a5ca6?style=flat&logo=opentele
 
 // ===============================================================
 
+|
+[[field-file-origin-referrer-url]]
+<<field-file-origin-referrer-url, file.origin_referrer_url>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The URL of the webpage that linked to the file.
+
+type: keyword
+
+
+
+example: `http://example.com/article1.html`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-file-origin-url]]
+<<field-file-origin-url, file.origin_url>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The URL where the file is hosted.
+
+type: keyword
+
+
+
+example: `http://example.com/imgs/article1_img1.jpg`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-file-owner]]
 <<field-file-owner, file.owner>>

diff --git a/docs/opentelemetry/otel-mapping-summary.asciidoc b/docs/opentelemetry/otel-mapping-summary.asciidoc
@@ -311,7 +311,7 @@ h| Namespace
 
 
 | DLL
-^| <<ecs-dll,2>>
+^| <<ecs-dll,4>>
 ^| ·
 ^| ·
 ^| ·
@@ -443,7 +443,7 @@ h| Namespace
 
 
 | File
-^| <<ecs-file,22>>
+^| <<ecs-file,24>>
 ^| https://opentelemetry.io/docs/specs/semconv/attributes-registry/file[18]
 ^| 11
 ^| 7

diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
@@ -1399,6 +1399,20 @@
         This generally maps to the name of the file on disk.'
       example: kernel32.dll
       default_field: false
+    - name: origin_referrer_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The URL of the webpage that linked to the dll file.
+      example: http://example.com/article1.html
+      default_field: false
+    - name: origin_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The URL where the dll file is hosted.
+      example: http://example.com/files/example.dll
+      default_field: false
     - name: path
       level: extended
       type: keyword
@@ -3021,6 +3035,20 @@
       ignore_above: 1024
       description: Name of the file including the extension, without the directory.
       example: example.png
+    - name: origin_referrer_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The URL of the webpage that linked to the file.
+      example: http://example.com/article1.html
+      default_field: false
+    - name: origin_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The URL where the file is hosted.
+      example: http://example.com/imgs/article1_img1.jpg
+      default_field: false
     - name: owner
       level: extended
       type: keyword
@@ -9645,6 +9673,20 @@
       description: Name of the file including the extension, without the directory.
       example: example.png
       default_field: false
+    - name: enrichments.indicator.file.origin_referrer_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The URL of the webpage that linked to the file.
+      example: http://example.com/article1.html
+      default_field: false
+    - name: enrichments.indicator.file.origin_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The URL where the file is hosted.
+      example: http://example.com/imgs/article1_img1.jpg
+      default_field: false
     - name: enrichments.indicator.file.owner
       level: extended
       type: keyword
@@ -11267,6 +11309,20 @@
       description: Name of the file including the extension, without the directory.
       example: example.png
       default_field: false
+    - name: indicator.file.origin_referrer_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The URL of the webpage that linked to the file.
+      example: http://example.com/article1.html
+      default_field: false
+    - name: indicator.file.origin_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The URL where the file is hosted.
+      example: http://example.com/imgs/article1_img1.jpg
+      default_field: false
     - name: indicator.file.owner
       level: extended
       type: keyword

diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
@@ -166,6 +166,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.0.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash.
 9.0.0-dev+exp,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash.
 9.0.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+9.0.0-dev+exp,true,dll,dll.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the dll file.
+9.0.0-dev+exp,true,dll,dll.origin_url,keyword,extended,,http://example.com/files/example.dll,The URL where the dll file is hosted.
 9.0.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
 9.0.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 9.0.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
@@ -364,6 +366,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.0.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation.
 9.0.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified.
 9.0.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+9.0.0-dev+exp,true,file,file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file.
+9.0.0-dev+exp,true,file,file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted.
 9.0.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username.
 9.0.0-dev+exp,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 9.0.0-dev+exp,true,file,file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
@@ -1228,6 +1232,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
 9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified.
 9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file.
+9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted.
 9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username.
 9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 9.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
@@ -1447,6 +1453,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.0.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
 9.0.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified.
 9.0.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+9.0.0-dev+exp,true,threat,threat.indicator.file.origin_referrer_url,keyword,extended,,http://example.com/article1.html,The URL of the webpage that linked to the file.
+9.0.0-dev+exp,true,threat,threat.indicator.file.origin_url,keyword,extended,,http://example.com/imgs/article1_img1.jpg,The URL where the file is hosted.
 9.0.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username.
 9.0.0-dev+exp,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
 9.0.0-dev+exp,true,threat,threat.indicator.file.path.text,match_only_text,extended,,/home/alice/example.png,"Full path to the file, including the file name."

diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
@@ -2112,6 +2112,30 @@ dll.name:
   normalize: []
   short: Name of the library.
   type: keyword
+dll.origin_referrer_url:
+  beta: This field is beta and subject to change.
+  dashed_name: dll-origin-referrer-url
+  description: The URL of the webpage that linked to the dll file.
+  example: http://example.com/article1.html
+  flat_name: dll.origin_referrer_url
+  ignore_above: 8192
+  level: extended
+  name: origin_referrer_url
+  normalize: []
+  short: The URL of the webpage that linked to the dll file.
+  type: keyword
+dll.origin_url:
+  beta: This field is beta and subject to change.
+  dashed_name: dll-origin-url
+  description: The URL where the dll file is hosted.
+  example: http://example.com/files/example.dll
+  flat_name: dll.origin_url
+  ignore_above: 8192
+  level: extended
+  name: origin_url
+  normalize: []
+  short: The URL where the dll file is hosted.
+  type: keyword
 dll.path:
   dashed_name: dll-path
   description: Full file path of the library.
@@ -5151,6 +5175,30 @@ file.name:
     stability: experimental
   short: Name of the file including the extension, without the directory.
   type: keyword
+file.origin_referrer_url:
+  beta: This field is beta and subject to change.
+  dashed_name: file-origin-referrer-url
+  description: The URL of the webpage that linked to the file.
+  example: http://example.com/article1.html
+  flat_name: file.origin_referrer_url
+  ignore_above: 8192
+  level: extended
+  name: origin_referrer_url
+  normalize: []
+  short: The URL of the webpage that linked to the file.
+  type: keyword
+file.origin_url:
+  beta: This field is beta and subject to change.
+  dashed_name: file-origin-url
+  description: The URL where the file is hosted.
+  example: http://example.com/imgs/article1_img1.jpg
+  flat_name: file.origin_url
+  ignore_above: 8192
+  level: extended
+  name: origin_url
+  normalize: []
+  short: The URL where the file is hosted.
+  type: keyword
 file.owner:
   dashed_name: file-owner
   description: File owner's username.
@@ -16028,6 +16076,32 @@ threat.enrichments.indicator.file.name:
   original_fieldset: file
   short: Name of the file including the extension, without the directory.
   type: keyword
+threat.enrichments.indicator.file.origin_referrer_url:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-file-origin-referrer-url
+  description: The URL of the webpage that linked to the file.
+  example: http://example.com/article1.html
+  flat_name: threat.enrichments.indicator.file.origin_referrer_url
+  ignore_above: 8192
+  level: extended
+  name: origin_referrer_url
+  normalize: []
+  original_fieldset: file
+  short: The URL of the webpage that linked to the file.
+  type: keyword
+threat.enrichments.indicator.file.origin_url:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-file-origin-url
+  description: The URL where the file is hosted.
+  example: http://example.com/imgs/article1_img1.jpg
+  flat_name: threat.enrichments.indicator.file.origin_url
+  ignore_above: 8192
+  level: extended
+  name: origin_url
+  normalize: []
+  original_fieldset: file
+  short: The URL where the file is hosted.
+  type: keyword
 threat.enrichments.indicator.file.owner:
   dashed_name: threat-enrichments-indicator-file-owner
   description: File owner's username.
@@ -18765,6 +18839,32 @@ threat.indicator.file.name:
   original_fieldset: file
   short: Name of the file including the extension, without the directory.
   type: keyword
+threat.indicator.file.origin_referrer_url:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-indicator-file-origin-referrer-url
+  description: The URL of the webpage that linked to the file.
+  example: http://example.com/article1.html
+  flat_name: threat.indicator.file.origin_referrer_url
+  ignore_above: 8192
+  level: extended
+  name: origin_referrer_url
+  normalize: []
+  original_fieldset: file
+  short: The URL of the webpage that linked to the file.
+  type: keyword
+threat.indicator.file.origin_url:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-indicator-file-origin-url
+  description: The URL where the file is hosted.
+  example: http://example.com/imgs/article1_img1.jpg
+  flat_name: threat.indicator.file.origin_url
+  ignore_above: 8192
+  level: extended
+  name: origin_url
+  normalize: []
+  original_fieldset: file
+  short: The URL where the file is hosted.
+  type: keyword
 threat.indicator.file.owner:
   dashed_name: threat-indicator-file-owner
   description: File owner's username.