Add origin_url and origin_referrer_url field to Process/DLL events (#610)

AsuNa-jp · web-flow · commit 612dded32f75 · 2025-04-25T10:10:48.000+09:00
* add origin_url and origin_referrer_url fields

* add generated files
diff --git a/custom_documentation/doc/endpoint/library/windows/windows_library_load.md b/custom_documentation/doc/endpoint/library/windows/windows_library_load.md
@@ -34,6 +34,8 @@ This event is generated when a DLL or driver is loaded.
 | dll.hash.sha1 |
 | dll.hash.sha256 |
 | dll.name |
+| dll.origin_referrer_url |
+| dll.origin_url |
 | dll.path |
 | dll.pe.file_version |
 | dll.pe.imphash |
diff --git a/custom_documentation/doc/endpoint/process/windows/windows_process_already_running.md b/custom_documentation/doc/endpoint/process/windows/windows_process_already_running.md
@@ -77,6 +77,8 @@ This event is generated for a process that was already running before Endpoint's
 | process.hash.sha1 |
 | process.hash.sha256 |
 | process.name |
+| process.origin_referrer_url |
+| process.origin_url |
 | process.parent.Ext.code_signature.exists |
 | process.parent.Ext.code_signature.status |
 | process.parent.Ext.code_signature.subject_name |
diff --git a/custom_documentation/doc/endpoint/process/windows/windows_process_create_and_exit.md b/custom_documentation/doc/endpoint/process/windows/windows_process_create_and_exit.md
@@ -94,6 +94,8 @@ This event is generated when a process is created or exits.
 | process.hash.sha1 |
 | process.hash.sha256 |
 | process.name |
+| process.origin_referrer_url |
+| process.origin_url |
 | process.parent.Ext.code_signature.exists |
 | process.parent.Ext.code_signature.status |
 | process.parent.Ext.code_signature.subject_name |
diff --git a/custom_documentation/src/endpoint/data_stream/library/windows/windows_library_load.yaml b/custom_documentation/src/endpoint/data_stream/library/windows/windows_library_load.yaml
@@ -39,6 +39,8 @@ fields:
   - dll.hash.sha1
   - dll.hash.sha256
   - dll.name
+  - dll.origin_referrer_url
+  - dll.origin_url
   - dll.path
   - dll.pe.file_version
   - dll.pe.imphash
diff --git a/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_already_running.yaml b/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_already_running.yaml
@@ -83,6 +83,8 @@ fields:
   - process.hash.sha1
   - process.hash.sha256
   - process.name
+  - process.origin_referrer_url
+  - process.origin_url
   - process.parent.Ext.code_signature.exists
   - process.parent.Ext.code_signature.status
   - process.parent.Ext.code_signature.subject_name
diff --git a/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_create_and_exit.yaml b/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_create_and_exit.yaml
@@ -101,6 +101,8 @@ fields:
   - process.hash.sha1
   - process.hash.sha256
   - process.name
+  - process.origin_referrer_url
+  - process.origin_url 
   - process.parent.Ext.code_signature.exists
   - process.parent.Ext.code_signature.status
   - process.parent.Ext.code_signature.subject_name
diff --git a/custom_schemas/custom_dll.yml b/custom_schemas/custom_dll.yml
@@ -277,3 +277,19 @@
         This is used to identify the team or vendor of a software product. The field is
         relevant to Apple *OS only.'
       example: EQHXZ8M8AV
+
+    - name: origin_referrer_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: >
+        The URL of the webpage that linked to the dll file.
+      example: http://example.com/article1.html
+
+    - name: origin_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: >
+        The URL where the dll file is hosted.
+      example: http://example.com/files/example.dll
diff --git a/custom_schemas/custom_process.yml b/custom_schemas/custom_process.yml
@@ -55,6 +55,22 @@
       description: Parent process' pid.
       example: 4241
 
+    - name: origin_referrer_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: >
+        The URL of the webpage that linked to the process's executable file.
+      example: http://example.com/article1.html
+      
+    - name: origin_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: >
+        The URL where the process's executable file is hosted.
+      example: http://example.com/files/example.exe
+
     - name: parent.thread
       level: custom
       type: object
diff --git a/custom_subsets/elastic_endpoint/library/library.yaml b/custom_subsets/elastic_endpoint/library/library.yaml
@@ -204,6 +204,8 @@ fields:
           imphash: {}
           original_file_name: {}
           product: {}
+      origin_referrer_url: {}
+      origin_url: {}
       Ext:
         fields:
           code_signature:
diff --git a/custom_subsets/elastic_endpoint/process/process.yaml b/custom_subsets/elastic_endpoint/process/process.yaml
@@ -151,6 +151,8 @@ fields:
       title: {}
       uptime: {}
       working_directory: {}
+      origin_referrer_url: {}
+      origin_url: {}
       Ext:
         fields:
           ancestry: {}
diff --git a/package/endpoint/data_stream/library/fields/fields.yml b/package/endpoint/data_stream/library/fields/fields.yml
@@ -446,6 +446,20 @@
         This generally maps to the name of the file on disk.'
       example: kernel32.dll
       default_field: false
+    - name: origin_referrer_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The URL of the webpage that linked to the dll file.
+      example: http://example.com/article1.html
+      default_field: false
+    - name: origin_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The URL where the dll file is hosted.
+      example: http://example.com/files/example.dll
+      default_field: false
     - name: path
       level: extended
       type: keyword
diff --git a/package/endpoint/data_stream/library/sample_event.json b/package/endpoint/data_stream/library/sample_event.json
@@ -81,6 +81,8 @@
             "original_file_name": "MSXML3.dll"
         },
         "name": "msxml3.dll",
+        "origin_referrer_url": "http://example.com/article1.html",
+        "origin_url": "http://example.com/files/example.dll",
         "hash": {
             "sha1": "02488fb2dbf679a3282338178b451da635b79b54",
             "sha256": "a9698adcf789d9e30f37dd5e6c9be0441bc37662ba7402e85071ccec2135d36c",
diff --git a/package/endpoint/data_stream/process/fields/fields.yml b/package/endpoint/data_stream/process/fields/fields.yml
@@ -1891,6 +1891,20 @@
 
         Sometimes called program name or similar.'
       example: ssh
+    - name: origin_referrer_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The URL of the webpage that linked to the process's executable file.
+      example: http://example.com/article1.html
+      default_field: false
+    - name: origin_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The URL where the process's executable file is hosted.
+      example: http://example.com/files/example.exe
+      default_field: false
     - name: parent.Ext
       level: custom
       type: object
diff --git a/package/endpoint/data_stream/process/sample_event.json b/package/endpoint/data_stream/process/sample_event.json
@@ -169,6 +169,8 @@
             "original_file_name": "svchost.exe"
         },
         "name": "svchost.exe",
+        "origin_referrer_url": "http://example.com/article1.html",
+        "origin_url": "http://example.com/files/example.exe",
         "args_count": 3,
         "command_line": "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
         "hash": {
diff --git a/package/endpoint/docs/README.md b/package/endpoint/docs/README.md
@@ -1793,6 +1793,8 @@ sent by the endpoint.
 | dll.hash.sha256 | SHA256 hash. | keyword |
 | dll.hash.sha512 | SHA512 hash. | keyword |
 | dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword |
+| dll.origin_referrer_url | The URL of the webpage that linked to the dll file. | keyword |
+| dll.origin_url | The URL where the dll file is hosted. | keyword |
 | dll.path | Full file path of the library. | keyword |
 | dll.pe.company | Internal company name of the file, provided at compile-time. | keyword |
 | dll.pe.description | Internal description of the file, provided at compile-time. | keyword |
@@ -2344,6 +2346,8 @@ sent by the endpoint.
 | process.io.total_bytes_captured | The total number of bytes captured in this event. | long |
 | process.io.total_bytes_skipped | The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero | long |
 | process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.origin_referrer_url | The URL of the webpage that linked to the process's executable file. | keyword |
+| process.origin_url | The URL where the process's executable file is hosted. | keyword |
 | process.parent.Ext | Object for all custom defined fields to live in. | object |
 | process.parent.Ext.architecture | Process architecture.  It can differ from host architecture. | keyword |
 | process.parent.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested |
diff --git a/schemas/v1/library/library.yaml b/schemas/v1/library/library.yaml
diff --git a/schemas/v1/process/process.yaml b/schemas/v1/process/process.yaml
