IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Package Fields Process Fields »
Elastic Docs Elastic Common Schema (ECS) Reference [1.11] ECS Field Reference

PE Header Fields

edit

PE Header Fields

edit

These fields contain Windows Portable Executable (PE) metadata.

PE Header Field Details

edit
Field Description Level

pe.architecture

CPU architecture target for the file.

type: keyword

example: x64

extended

pe.company

Internal company name of the file, provided at compile-time.

type: keyword

example: Microsoft Corporation

extended

pe.description

Internal description of the file, provided at compile-time.

type: keyword

example: Paint

extended

pe.file_version

Internal version of the file, provided at compile-time.

type: keyword

example: 6.3.9600.17415

extended

pe.imphash

A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.

Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.

type: keyword

example: 0c6803c4e922103c4dca5963aad36ddf

extended

pe.original_file_name

Internal name of the file, provided at compile-time.

type: keyword

example: MSPAINT.EXE

extended

pe.product

Internal product name of the file, provided at compile-time.

type: keyword

example: Microsoft® Windows® Operating System

extended

Field Reuse

edit

The pe fields are expected to be nested at:

  • dll.pe
  • file.pe
  • process.pe
  • threat.enrichments.indicator.pe
  • threat.indicator.pe

Note also that the pe fields are not expected to be used directly at the root of the events.

« Package Fields Process Fields »