Use `software` SCO to represent `pe` attributes in elastic_ecs connector mappings
Harmedox opened this issue · comments
Abdulhamid Adebayo commented
The `pe` attributes in the `file` SCO object of the elastic_ecs connector mapping files can be better represented using the `software` SCO object, implemented as a reference from the `file` object.

```
"software_ref.name": "file.pe.original_file_name"
"software_ref.vendor": "file.pe.company"
"software_ref.version": "file.pe.file_version"
```
The solution should have this format:
```json
{
  "0": {
    "type": "file",
    "x_software_ref": "1",
    "name": "svchost.exe",
    "hashes": {
      "SHA-256": "aaaa1111bbbb2222aaaa1111bbbb2222aaaa1111bbbb2222aaaa1111bbbb2222",
      "MD5": "00001111aaaa00001111aaaa00001111"
    }
  },
  "1": {
    "type": "software",
    "vendor": "Microsoft Corporation",
    "version": "10.0.17763.1 (WinBuild.160101.0800)",
    "name": "svchost.exe"
  }
}
```
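The following is an added illustration of the proposed mapping, not code from the issue or from the stix-shifter project. It takes a constructed ECS document carrying `file.pe.*` fields, emits the `file` SCO and a separate `software` SCO linked through `x_software_ref` in the shape shown above, and checks that every `*_ref` resolves to an existing object. The `PE_TO_SOFTWARE` table, the `_get_path` helper, the fallback of the software `name` to `file.name`, and the sample event are all assumptions made for this example.

```python
import json

# Constructed sample ECS document (not from the issue or the project); the
# hash and version values mirror the example output the issue proposes.
SAMPLE_ECS_EVENT = {
    "file": {
        "name": "svchost.exe",
        "hash": {
            "sha256": "aaaa1111bbbb2222aaaa1111bbbb2222aaaa1111bbbb2222aaaa1111bbbb2222",
            "md5": "00001111aaaa00001111aaaa00001111",
        },
        "pe": {
            "original_file_name": "svchost.exe",
            "company": "Microsoft Corporation",
            "file_version": "10.0.17763.1 (WinBuild.160101.0800)",
        },
    }
}

# Hypothetical mapping table in the shape the issue proposes: ECS path -> the
# property on the software SCO that the file object will reference.
PE_TO_SOFTWARE = {
    "file.pe.original_file_name": "name",
    "file.pe.company": "vendor",
    "file.pe.file_version": "version",
}


def _get_path(doc, dotted):
    """Resolve a dotted ECS path ('file.pe.company') inside a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def ecs_file_to_stix_objects(event):
    """Build the observed-data 'objects' dict: '0' is the file SCO, '1' (only
    when PE data is present) is the software SCO it references."""
    file_obj = {"type": "file"}
    name = _get_path(event, "file.name")
    if name:
        file_obj["name"] = name

    hashes = {}
    sha256 = _get_path(event, "file.hash.sha256")
    md5 = _get_path(event, "file.hash.md5")
    if sha256:
        hashes["SHA-256"] = sha256
    if md5:
        hashes["MD5"] = md5
    if hashes:
        file_obj["hashes"] = hashes

    objects = {"0": file_obj}

    software = {}
    for ecs_path, stix_prop in PE_TO_SOFTWARE.items():
        value = _get_path(event, ecs_path)
        if value is not None:
            software[stix_prop] = value

    # Only create the software SCO and the reference when the event actually
    # carried PE metadata; a plain file must not get a dangling x_software_ref.
    if software:
        # STIX requires 'name' on a software SCO; fall back to the file name
        # when the PE header has no original_file_name (assumption).
        software.setdefault("name", name)
        objects["1"] = {"type": "software", **software}
        file_obj["x_software_ref"] = "1"
    return objects


def validate_refs(objects):
    """True when every *_ref property points at another existing object key."""
    for key, obj in objects.items():
        for prop, target in obj.items():
            if prop.endswith("_ref") and (target not in objects or target == key):
                return False
    return True


if __name__ == "__main__":
    result = ecs_file_to_stix_objects(SAMPLE_ECS_EVENT)
    assert validate_refs(result)
    print(json.dumps(result, indent=2))
```

Running the block prints the two-object structure from the issue; feeding it an event without a `file.pe` section yields only the `file` object, with no reference emitted.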