---
- name: pe
  fields:
    - name: icon.hash.dhash
      level: extended
      type: keyword
      description: >
        Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
      example: b806e17c8e330d82

    - name: debug
      level: extended
      type: nested
      description: >
        Debug information, if present.

    - name: debug.offset
      level: extended
      type: keyword
      description: Debug offset information.
      example: 1296336

    - name: debug.size
      level: extended
      type: long
      format: bytes
      description: Size of the debug information.
      example: 816

    - name: debug.type
      level: extended
      type: keyword
      description: Information type generated by the debug options.
      example: IMAGE_DEBUG_TYPE_POGO

    - name: debug.timestamp
      level: extended
      type: date
      description: Timestamp of the debug information.
      example: "2020-11-05T17:25:47.000Z"

    - name: imports
      level: extended
      type: flattened
      description: List of all imported functions.
      example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }'

    - name: sections
      level: extended
      description: >
        Data about sections of the compiled PE binary.
      type: nested

    - name: sections.chi2
      level: extended
      description: Chi-square statistic of the section's byte-frequency distribution.
      type: long
      example: 3027194

    - name: sections.virtual_address
      level: extended
      description: Relative virtual address (RVA) of the section once the image is loaded.
      type: long
      format: bytes
      example: 8192

    - name: sections.entropy
      level: extended
      description: Shannon entropy of the section's bytes (0 to 8 bits per byte).
      type: float
      example: 6.24

    - name: sections.flags
      level: extended
      description: Section flags of the file.
      type: keyword
      example: rx

    - name: sections.name
      level: extended
      description: Section names of the file.
      type: keyword
      example: .text, .data

    - name: sections.raw_size
      level: extended
      description: Size of the section, or the size of the initialized data on disk.
      type: long
      format: bytes
      example: 198144

    - name: resources
      level: extended
      type: nested
      description: >
        If the PE contains resources, some info about them.

    - name: resources.chi2
      level: extended
      description: Chi-square statistic of the resource's byte-frequency distribution.
      type: long
      example: -1

    - name: resources.filetype
      level: extended
      description: File type of the resources section.
      type: keyword
      example: Data

    - name: resources.entropy
      level: extended
      description: Shannon entropy of the resources section.
      type: long
      example: 0, 1

    - name: resources.sha256
      level: extended
      description: SHA256 hash of resources section.
      type: keyword
      example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    - name: resources.language
      level: extended
      description: Language identification.
      type: keyword
      example: "CHINESE SIMPLIFIED"

    - name: resources.type
      level: extended
      type: keyword
      short: List of resource types.
      description: >
        Digest of resource types.
      example: '["RT_VERSION", "RT_MANIFEST"]'
      normalize:
        - array

    - name: exports
      level: extended
      type: keyword
      description: >
        List of symbols exported by the PE.
      example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
      normalize:
        - array

    - name: creation_date
      level: extended
      short: Build or compile date.
      description: >
        Extracted when possible from the file's metadata. Indicates when it was built or compiled.
        It can also be faked by malware creators.
      type: date
      example: "2020-11-05T17:25:47.000Z"

    - name: authentihash
      level: extended
      description: >
        Authentihash of the PE file.
      type: keyword
      example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78

    - name: compile_timestamp
      level: extended
      description: >
        Compile timestamp of the PE file.
      type: date
      example: "2020-11-05T17:25:47.000Z"

    - name: compiler.name
      level: extended
      type: keyword
      description: >
        Name of the compiler.
      example: Clang

    - name: compiler.version
      level: extended
      type: keyword
      description: >
        Version of the compiler.
      example: 11.0.0

    - name: rich_header.hash.md5
      level: extended
      type: keyword
      description: >
        MD5 hash of the Rich header of the PE file.
      example: 5aa1aa0f2b4be70397a1e9e2b87627cd

    - name: entry_point
      level: extended
      description: >
        Relative virtual address (RVA) of the entry point, as a byte offset from the image base.
      type: keyword
      example: 25856

    - name: machine_type
      level: extended
      description: >
        Machine type of the PE file.
      type: keyword
      example: "Intel 386 or later, and compatibles"

    - name: packers
      level: extended
      description: >
        List of packers and tools used.
      type: keyword
      example: '["ASPack v2.12", ".NET executable"]'
      normalize:
        - array
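The following is an added example, not part of the ECS schema or any ECS tooling: a small stand-alone PE header parser that fills the `pe.machine_type`, `pe.entry_point`, `pe.compile_timestamp` and `pe.sections.*` fields defined above. It assumes the chi-square field is the statistic against a uniform byte histogram and the entropy field is Shannon entropy in bits per byte; the machine-type labels and the `build_sample_pe` image are constructed for the example (the image is a two-section PE32 shell, not a real binary). The parser uses only the standard library, so no `pefile` install is needed.

```python
"""Populate ECS pe.* fields from a PE image with a minimal header parser.

Added example; not ECS code. Machine-type labels, the chi-square/entropy
definitions and the sample image below are assumptions of this example.
"""
import json
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed label mapping; the i386 label matches the schema's example value.
MACHINE_TYPES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "x64",
                 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniform (packed/encrypted data sits near 8)."""
    if not data:
        return 0.0
    n = len(data)
    return 0.0 - sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> int:
    """Chi-square statistic of the byte histogram against a uniform 256-symbol model."""
    if not data:
        return 0
    expected = len(data) / 256
    counts = Counter(data)
    return round(sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256)))


def section_flags(characteristics: int) -> str:
    """Render IMAGE_SCN_MEM_* bits in the 'rwx' style used by the schema example."""
    bits = ((IMAGE_SCN_MEM_READ, "r"), (IMAGE_SCN_MEM_WRITE, "w"), (IMAGE_SCN_MEM_EXECUTE, "x"))
    return "".join(f for bit, f in bits if characteristics & bit)


def parse_pe(image: bytes) -> dict:
    """Return an ECS-shaped {"pe": {...}} document for a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint, same offset in both
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, _vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", image, off)
        # raw_size is the header's claim; a truncated or crafted file may hold fewer bytes,
        # so entropy/chi2 are computed over what is actually present.
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
            "chi2": chi_square(raw),
            "flags": section_flags(chars),
        })
    return {"pe": {
        "machine_type": MACHINE_TYPES.get(machine, f"unknown ({machine:#06x})"),
        "entry_point": str(entry_rva),  # keyword field: store the RVA as a decimal string
        "compile_timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "sections": sections,
    }}


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image used as sample input (not a real executable)."""
    sections = [(b".text", 0x1000, bytes(range(256)) * 2, 0x60000020),   # CODE|EXECUTE|READ
                (b".data", 0x2000, b"\0" * 256, 0xC0000040)]             # INITIALIZED_DATA|READ|WRITE
    opt = bytearray(224)                       # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)    # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 1604597147, 0, 0, len(opt), 0x0102)
    headers = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt)
    table, body, raw_ptr = b"", b"", 512
    for name, vaddr, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
    image = headers + table
    return image + b"\0" * (512 - len(image)) + body


if __name__ == "__main__":
    print(json.dumps(parse_pe(build_sample_pe()), indent=2))
```

Running the script prints the document with `.text` at entropy 8.0 / chi2 0 (uniform bytes) and `.data` at entropy 0.0 with a large chi2, which is the contrast an analyst uses to spot packed or encrypted sections; feed a real file's bytes to `parse_pe` to index it the same way.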