- Elastic Common Schema (ECS) Reference: other versions:
- Overview
- Using ECS
- ECS Field Reference
- Base Fields
- Agent Fields
- Autonomous System Fields
- Client Fields
- Cloud Fields
- Code Signature Fields
- Container Fields
- Destination Fields
- DLL Fields
- DNS Fields
- ECS Fields
- Error Fields
- Event Fields
- File Fields
- Geo Fields
- Group Fields
- Hash Fields
- Host Fields
- HTTP Fields
- Interface Fields
- Log Fields
- Network Fields
- Observer Fields
- Organization Fields
- Operating System Fields
- Package Fields
- PE Header Fields
- Process Fields
- Registry Fields
- Related Fields
- Rule Fields
- Server Fields
- Service Fields
- Source Fields
- Threat Fields
- TLS Fields
- Tracing Fields
- URL Fields
- User Fields
- User agent Fields
- VLAN Fields
- Vulnerability Fields
- x509 Certificate Fields
- ECS Categorization Fields
- Migrating to ECS
- Additional Information
PE Header Fields
editPE Header Fields
editThese fields contain Windows Portable Executable (PE) metadata.
PE Header Field Details
editField | Description | Level |
---|---|---|
CPU architecture target for the file. type: keyword example: |
extended |
|
Internal company name of the file, provided at compile-time. type: keyword example: |
extended |
|
Internal description of the file, provided at compile-time. type: keyword example: |
extended |
|
Internal version of the file, provided at compile-time. type: keyword example: |
extended |
|
A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword example: |
extended |
|
Internal name of the file, provided at compile-time. type: keyword example: |
extended |
|
Internal product name of the file, provided at compile-time. type: keyword example: |
extended |
Field Reuse
editThe pe
fields are expected to be nested at: dll.pe
, file.pe
, process.pe
.
Note also that the pe
fields are not expected to be used directly at the root of the events.
On this page