ecs
ELF Header fields
Elastic Stack Serverless
These fields contain Linux Executable Linkable Format (ELF) metadata.
| Field | Description | Level |
|---|---|---|
| elf.architecture | Machine architecture of the ELF file. type: keyword example: x86-64 |
extended |
| elf.byte_order | Byte sequence of ELF file. type: keyword example: Little Endian |
extended |
| elf.cpu_type | CPU type of the ELF file. type: keyword example: Intel |
extended |
| elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date |
extended |
| elf.exports | List of exported element names and types. type: flattened Note: This field should contain an array of values. |
extended |
| elf.go_import_hash | A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma type: keyword example: 10bddcb4cee42080f76c88d9ff964491 |
extended |
| elf.go_imports | List of imported Go language element names and types. type: flattened |
extended |
| elf.go_imports_names_entropy | Shannon entropy calculation from the list of Go imports. type: long |
extended |
| elf.go_imports_names_var_entropy | Variance for Shannon entropy calculation from the list of Go imports. type: long |
extended |
| elf.go_stripped | Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. type: boolean |
extended |
| elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). type: keyword |
extended |
| elf.header.class | Header class of the ELF file. type: keyword |
extended |
| elf.header.data | Data table of the ELF header. type: keyword |
extended |
| elf.header.entrypoint | Header entrypoint of the ELF file. type: long |
extended |
| elf.header.object_version | "0x1" for original ELF files. type: keyword |
extended |
| elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. type: keyword |
extended |
| elf.header.type | Header type of the ELF file. type: keyword |
extended |
| elf.header.version | Version of the ELF header. type: keyword |
extended |
| elf.import_hash | A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash. type: keyword example: d41d8cd98f00b204e9800998ecf8427e |
extended |
| elf.imports | List of imported element names and types. type: flattened Note: This field should contain an array of values. |
extended |
| elf.imports_names_entropy | Shannon entropy calculation from the list of imported element names and types. type: long |
extended |
| elf.imports_names_var_entropy | Variance for Shannon entropy calculation from the list of imported element names and types. type: long |
extended |
| elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.type: nested Note: This field should contain an array of values. |
extended |
| elf.sections.chi2 | Chi-square probability distribution of the section. type: long |
extended |
| elf.sections.entropy | Shannon entropy calculation from the section. type: long |
extended |
| elf.sections.flags | ELF Section List flags. type: keyword |
extended |
| elf.sections.name | ELF Section List name. type: keyword |
extended |
| elf.sections.physical_offset | ELF Section List offset. type: keyword |
extended |
| elf.sections.physical_size | ELF Section List physical size. type: long |
extended |
| elf.sections.type | ELF Section List type. type: keyword |
extended |
| elf.sections.var_entropy | Variance for Shannon entropy calculation from the section. type: long |
extended |
| elf.sections.virtual_address | ELF Section List virtual address. type: long |
extended |
| elf.sections.virtual_size | ELF Section List virtual size. type: long |
extended |
| elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.type: nested Note: This field should contain an array of values. |
extended |
| elf.segments.sections | ELF object segment sections. type: keyword |
extended |
| elf.segments.type | ELF object segment type. type: keyword |
extended |
| elf.shared_libraries | List of shared libraries used by this ELF object. type: keyword Note: This field should contain an array of values. |
extended |
| elf.telfhash | telfhash symbol hash for ELF file. type: keyword |
extended |
The elf fields are expected to be nested at:
file.elfprocess.elf
Note also that the elf fields are not expected to be used directly at the root of the events.