PE Header Fields
editPE Header Fields
editThese fields contain Windows Portable Executable (PE) metadata.
PE Header Field Details
editField | Description | Level |
---|---|---|
pe.architecture |
CPU architecture target for the file. type: keyword example: |
extended |
pe.company |
Internal company name of the file, provided at compile-time. type: keyword example: |
extended |
pe.description |
Internal description of the file, provided at compile-time. type: keyword example: |
extended |
pe.file_version |
Internal version of the file, provided at compile-time. type: keyword example: |
extended |
pe.imphash |
A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword example: |
extended |
pe.original_file_name |
Internal name of the file, provided at compile-time. type: keyword example: |
extended |
pe.product |
Internal product name of the file, provided at compile-time. type: keyword example: |
extended |
Field Reuse
editThe pe
fields are expected to be nested at: dll.pe
, file.pe
, process.pe
.
Note also that the pe
fields are not expected to be used directly at the root of the events.