ELF Header Fields
These fields contain Linux Executable Linkable Format (ELF) metadata.
These fields are in beta and are subject to change.
ELF Header Field Details
| Field | Description | Level |
|---|---|---|
| | Machine architecture of the ELF file. type: keyword example: | extended |
| | Byte sequence of the ELF file. type: keyword example: | extended |
| | CPU type of the ELF file. type: keyword example: | extended |
| | Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date | extended |
| | List of exported element names and types. type: flattened Note: this field should contain an array of values. | extended |
| | Version of the ELF Application Binary Interface (ABI). type: keyword | extended |
| | Header class of the ELF file. type: keyword | extended |
| | Data table of the ELF header. type: keyword | extended |
| | Header entrypoint of the ELF file. type: long | extended |
| | "0x1" for original ELF files. type: keyword | extended |
| | Application Binary Interface (ABI) of the Linux OS. type: keyword | extended |
| | Header type of the ELF file. type: keyword | extended |
| | Version of the ELF header. type: keyword | extended |
| | List of imported element names and types. type: flattened Note: this field should contain an array of values. | extended |
| | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by the sub-fields underneath. type: nested Note: this field should contain an array of values. | extended |
| | Chi-square probability distribution of the section. type: long | extended |
| | Shannon entropy calculation from the section. type: long | extended |
| | ELF Section List flags. type: keyword | extended |
| | ELF Section List name. type: keyword | extended |
| | ELF Section List offset. type: keyword | extended |
| | ELF Section List physical size. type: long | extended |
| | ELF Section List type. type: keyword | extended |
| | ELF Section List virtual address. type: long | extended |
| | ELF Section List virtual size. type: long | extended |
| | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by the sub-fields underneath. type: nested Note: this field should contain an array of values. | extended |
| | ELF object segment sections. type: keyword | extended |
| | ELF object segment type. type: keyword | extended |
| | List of shared libraries used by this ELF object. type: keyword Note: this field should contain an array of values. | extended |
| | telfhash symbol hash for the ELF file. type: keyword | extended |
Field Reuse
The elf fields are expected to be nested at:
- file.elf
- process.elf
Note also that the elf fields are not expected to be used directly at the root of the events.
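The following is an added example (not part of the ECS reference or the Elastic project) that parses a raw ELF file header and emits the header-derived fields nested under `file.elf` or `process.elf`, as the reuse rule above requires. The ECS key names (`elf.architecture`, `elf.byte_order`, `elf.header.*`), the readelf-style labels and the sample header bytes are assumptions made for this example.

```python
import struct

# Human-readable labels for e_ident and header values (readelf-style naming; assumed, not from the page).
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
BYTE_ORDER = {1: "Little Endian", 2: "Big Endian"}
OS_ABI = {0: "System V", 3: "Linux", 9: "FreeBSD"}
OBJ_TYPE = {0: "None", 1: "Relocatable", 2: "Executable", 3: "Shared Object", 4: "Core"}
MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64", 243: "RISC-V"}

# Constructed sample input: a 64-byte ELF64 header (little-endian, x86-64, ET_DYN, entry 0x1040).
SAMPLE_ELF64 = (
    b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0x1040, 64, 0, 0, 64, 56, 11, 64, 30, 29)
)


def elf_header_to_ecs(blob: bytes) -> dict:
    """Parse the ELF file header and return the ECS elf fields it can populate.

    Key names follow the ECS elf field set (assumed from the schema); only header-derived fields are set.
    """
    if len(blob) < 16 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file (bad magic or too short)")
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = blob[4:9]
    if ei_class not in ELF_CLASS or ei_data not in BYTE_ORDER:
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # ELF64 headers are 64 bytes, ELF32 headers 52; the layouts differ only in field widths.
    fmt, size = (endian + "HHIQQQIHHHHHH", 64) if ei_class == 2 else (endian + "HHIIIIIHHHHHH", 52)
    if len(blob) < size:
        raise ValueError("truncated ELF header")
    e_type, e_machine, e_version, e_entry = struct.unpack(fmt, blob[16:size])[:4]
    return {
        "architecture": MACHINE.get(e_machine, f"unknown ({e_machine})"),
        "byte_order": BYTE_ORDER[ei_data],
        "header": {
            "class": ELF_CLASS[ei_class],
            "data": BYTE_ORDER[ei_data],
            "version": str(ei_version),        # keyword in ECS, so stringified
            "os_abi": OS_ABI.get(ei_osabi, f"unknown ({ei_osabi})"),
            "abi_version": str(ei_abiversion),
            "type": OBJ_TYPE.get(e_type, f"unknown ({e_type})"),
            "object_version": hex(e_version),  # "0x1" for original ELF files
            "entrypoint": e_entry,             # long in ECS, so kept numeric
        },
    }


def to_ecs_event(blob: bytes, parent: str = "file") -> dict:
    """Nest the elf fields under file.elf or process.elf, the only reuse locations the reference lists."""
    if parent not in ("file", "process"):
        raise ValueError("elf fields are only expected under file.elf or process.elf, never at the root")
    return {parent: {"elf": elf_header_to_ecs(blob)}}
```

Feeding a truncated or non-ELF byte string raises `ValueError` rather than emitting a half-populated document, which is the behaviour an ingest pipeline should surface instead of silently indexing bad metadata.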