Elastic Common Schema (ECS) Reference
ELF Header Fields

These fields contain Linux Executable Linkable Format (ELF) metadata.

These fields are in beta and are subject to change.
ELF Header Field Details

Field | Description | Level |
---|---|---|
| Machine architecture of the ELF file. type: keyword | extended |
| Byte sequence of ELF file. type: keyword | extended |
| CPU type of the ELF file. type: keyword | extended |
| Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date | extended |
| List of exported element names and types. type: flattened. Note: this field should contain an array of values. | extended |
| A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma type: keyword | extended |
| List of imported Go language element names and types. type: flattened | extended |
| Shannon entropy calculation from the list of Go imports. type: long | extended |
| Variance for Shannon entropy calculation from the list of Go imports. type: long | extended |
| Set to true if the file is a Go executable that has had its symbols stripped or obfuscated, and false if it is an unobfuscated Go executable. type: boolean | extended |
| Version of the ELF Application Binary Interface (ABI). type: keyword | extended |
| Header class of the ELF file. type: keyword | extended |
| Data table of the ELF header. type: keyword | extended |
| Header entrypoint of the ELF file. type: long | extended |
| "0x1" for original ELF files. type: keyword | extended |
| Application Binary Interface (ABI) of the Linux OS. type: keyword | extended |
| Header type of the ELF file. type: keyword | extended |
| Version of the ELF header. type: keyword | extended |
| A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash. type: keyword | extended |
| List of imported element names and types. type: flattened. Note: this field should contain an array of values. | extended |
| Shannon entropy calculation from the list of imported element names and types. type: long | extended |
| Variance for Shannon entropy calculation from the list of imported element names and types. type: long | extended |
| An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by the sub-fields underneath. type: nested. Note: this field should contain an array of values. | extended |
| Chi-square probability distribution of the section. type: long | extended |
| Shannon entropy calculation from the section. type: long | extended |
| ELF Section List flags. type: keyword | extended |
| ELF Section List name. type: keyword | extended |
| ELF Section List offset. type: keyword | extended |
| ELF Section List physical size. type: long | extended |
| ELF Section List type. type: keyword | extended |
| Variance for Shannon entropy calculation from the section. type: long | extended |
| ELF Section List virtual address. type: long | extended |
| ELF Section List virtual size. type: long | extended |
| An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by the sub-fields underneath. type: nested. Note: this field should contain an array of values. | extended |
| ELF object segment sections. type: keyword | extended |
| ELF object segment type. type: keyword | extended |
| List of shared libraries used by this ELF object. type: keyword. Note: this field should contain an array of values. | extended |
| telfhash symbol hash for ELF file. type: keyword | extended |
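To make the header-level fields above concrete, here is an added Python example (not code from the ECS project) that decodes a constructed 64-byte ELF64 header into a flat document keyed by elf.* field names. The key names, and the choice to map e_ident[EI_VERSION] to header.version and e_version to header.object_version, are my assumptions; the decoded value labels use the ELF specification's constant names rather than any ECS value vocabulary.

```python
import struct

# Constructed sample (not from a real binary): a 64-byte ELF64 header for a
# little-endian x86-64 shared object / PIE (ET_DYN) with entry point 0x1040.
SAMPLE_ELF64_HEADER = (
    b"\x7fELF"                      # magic
    + bytes([2, 1, 1, 0, 0])        # EI_CLASS=64-bit, EI_DATA=LSB, EI_VERSION=1, EI_OSABI=SYSV, EI_ABIVERSION=0
    + b"\x00" * 7                   # EI_PAD
    + struct.pack("<HHIQQQIHHHHHH",
                  3, 0x3E, 1, 0x1040,   # e_type, e_machine, e_version, e_entry
                  64, 0, 0,             # e_phoff, e_shoff, e_flags
                  64, 56, 0, 64, 0, 0)  # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
)

# Value labels taken from the ELF specification's constant names.
CLASS = {1: "ELFCLASS32", 2: "ELFCLASS64"}
DATA = {1: "ELFDATA2LSB", 2: "ELFDATA2MSB"}
OSABI = {0: "ELFOSABI_SYSV", 3: "ELFOSABI_LINUX"}
TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
MACHINE = {0x03: "EM_386", 0x28: "EM_ARM", 0x3E: "EM_X86_64", 0xB7: "EM_AARCH64"}


def parse_elf_header(buf: bytes) -> dict:
    """Decode an ELF64 header into a flat dict keyed by (assumed) ECS elf.* names.

    Only the header is read, so values such as e_entry are reported as found and
    are not validated against the rest of the file.
    """
    if len(buf) < 64 or buf[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    ident = buf[:16]
    if ident[4] != 2:
        raise ValueError("this example only decodes ELFCLASS64 headers")
    endian = "<" if ident[5] == 1 else ">"      # EI_DATA selects the byte order of the rest
    e_type, e_machine, e_version, e_entry = struct.unpack(endian + "HHIQ", buf[16:32])
    return {
        "elf.header.class": CLASS.get(ident[4], str(ident[4])),
        "elf.header.data": DATA.get(ident[5], str(ident[5])),
        "elf.header.version": str(ident[6]),            # EI_VERSION (assumed mapping)
        "elf.header.os_abi": OSABI.get(ident[7], str(ident[7])),
        "elf.header.abi_version": str(ident[8]),
        "elf.header.type": TYPE.get(e_type, str(e_type)),
        "elf.header.object_version": hex(e_version),    # "0x1" for original ELF files
        "elf.header.entrypoint": e_entry,
        "elf.architecture": MACHINE.get(e_machine, hex(e_machine)),
        "elf.byte_order": "little" if endian == "<" else "big",
    }


if __name__ == "__main__":
    for key, value in parse_elf_header(SAMPLE_ELF64_HEADER).items():
        print(f"{key}: {value}")
```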
Field Reuse

The elf fields are expected to be nested at:

- file.elf
- process.elf

Note also that the elf fields are not expected to be used directly at the root of the events.