The Search AI Company

Build tailored experiences with Elastic.

Elastic Search AI Platform overview

Scale your business with Elastic Partners

Partner overview

ELK Stack

Search and analytics, data ingestion, and visualization – all at your fingertips.

ELK Stack overview

By developers, for developers

Elastic Cloud

Unlock the power of real-time insights with Elastic on your preferred cloud provider.

Elastic Cloud overview

Generative AI

Prototype and integrate with LLMs faster using search AI.

Generative AI overview

Search

Discover a world of AI possibilities — built with the power of search.

Search Labs

Search overview

Security

Protect, investigate, and respond to cyber threats with AI-driven security analytics.

Security Labs

Security overview

Observability

Unify app and infrastructure visibility to proactively resolve issues.

Observability Labs

Observability overview

By solution

See how customers search, solve, and succeed — all on one Search AI Platform.

All customer stories

Industries

Exceed customer expectations and go to market faster.

Industries overview

Customer spotlight

Cisco saves 5,000 support engineer hours per month

Sitecore automates 96 percent of security workflows with Elastic

Comcast transforms customer experiences with Elastic Observability

Research

Stay at the forefront of innovation with technical tips from the experts.

Build

Code with other developers to create a better Elastic, together.

Learn

Unleash the possibilities of your data and grow your skill set.

Connect

Keep informed about the latest tech and news from Elastic.

Have questions?

New

The executive guide to generative AI

About us Partners Support|Login

PE Header fields

Elastic Stack Serverless

These fields contain Windows Portable Executable (PE) metadata.

PE Header field details

Field	Description	Level
pe.architecture	CPU architecture target for the file. type: keyword example: `x64`	extended
pe.company	Internal company name of the file, provided at compile-time. type: keyword example: `Microsoft Corporation`	extended
pe.description	Internal description of the file, provided at compile-time. type: keyword example: `Paint`	extended
pe.file_version	Internal version of the file, provided at compile-time. type: keyword example: `6.3.9600.17415`	extended
pe.go_import_hash	A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here: https://github.com/elastic/toutoumomoma type: keyword example: `10bddcb4cee42080f76c88d9ff964491`	extended
pe.go_imports	List of imported Go language element names and types. type: flattened	extended
pe.go_imports_names_entropy	Shannon entropy calculation from the list of Go imports. type: long	extended
pe.go_imports_names_var_entropy	Variance for Shannon entropy calculation from the list of Go imports. type: long	extended
pe.go_stripped	Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. type: boolean	extended
pe.imphash	A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword example: `0c6803c4e922103c4dca5963aad36ddf`	extended
pe.import_hash	A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash. type: keyword example: `d41d8cd98f00b204e9800998ecf8427e`	extended
pe.imports	List of imported element names and types. type: flattened Note: This field should contain an array of values.	extended
pe.imports_names_entropy	Shannon entropy calculation from the list of imported element names and types. type: long	extended
pe.imports_names_var_entropy	Variance for Shannon entropy calculation from the list of imported element names and types. type: long	extended
pe.original_file_name	Internal name of the file, provided at compile-time. type: keyword example: `MSPAINT.EXE`	extended
pe.pehash	A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html. type: keyword example: `73ff189b63cd6be375a7ff25179a38d347651975`	extended
pe.product	Internal product name of the file, provided at compile-time. type: keyword example: `Microsoft® Windows® Operating System`	extended
pe.sections	An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath `pe.sections.*`. type: nested Note: This field should contain an array of values.	extended
pe.sections.entropy	Shannon entropy calculation from the section. type: long	extended
pe.sections.name	PE Section List name. type: keyword	extended
pe.sections.physical_size	PE Section List physical size. type: long	extended
pe.sections.var_entropy	Variance for Shannon entropy calculation from the section. type: long	extended
pe.sections.virtual_size	PE Section List virtual size. This is always the same as `physical_size`. type: long	extended

Field reuse

The pe fields are expected to be nested at:

dll.pe
file.pe
process.pe

Note also that the pe fields are not expected to be used directly at the root of the events.