Add file.origin_referrer_url and file.origin_url to FileEvent (#514)

AsuNa-jp · web-flow · commit faa42e5e01ec · 2024-06-28T22:46:49.000+09:00
* add file.fields.yml

* add fields.yml

* add custom_file.yml

* add generated files

* change the fields value

* add newline

* change the fields value

* ignore

* change ingore_above to 8192

* add event example
diff --git a/custom_documentation/doc/endpoint/file/windows/windows_file_open.md b/custom_documentation/doc/endpoint/file/windows/windows_file_open.md
@@ -63,6 +63,7 @@ This event is generated when a file is opened.
 | process.code_signature.status |
 | process.code_signature.subject_name |
 | process.code_signature.trusted |
+| process.command_line |
 | process.entity_id |
 | process.executable |
 | process.name |
diff --git a/custom_schemas/custom_file.yml b/custom_schemas/custom_file.yml
@@ -426,6 +426,20 @@
         relevant to Apple *OS only.'
       example: EQHXZ8M8AV
 
+    - name: origin_referrer_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: >
+        The url of the webpage that linked to the file.
+
+    - name: origin_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: >
+        The url where the file is hosted.
+
     - name: pe
       level: custom
       type: object
diff --git a/custom_subsets/elastic_endpoint/file/file.yaml b/custom_subsets/elastic_endpoint/file/file.yaml
@@ -200,6 +200,8 @@ fields:
       name: {}
       owner: {}
       path: {}
+      origin_referrer_url: {}
+      origin_url: {}
       pe:
         fields:
           company: {}
diff --git a/package/endpoint/data_stream/file/fields/fields.yml b/package/endpoint/data_stream/file/fields/fields.yml
@@ -753,6 +753,18 @@
       ignore_above: 1024
       description: Name of the file including the extension, without the directory.
       example: example.png
+    - name: origin_referrer_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The url of the webpage that linked to the file.
+      default_field: false
+    - name: origin_url
+      level: extended
+      type: keyword
+      ignore_above: 8192
+      description: The url where the file is hosted.
+      default_field: false
     - name: owner
       level: extended
       type: keyword
diff --git a/package/endpoint/data_stream/file/sample_event.json b/package/endpoint/data_stream/file/sample_event.json
@@ -90,7 +90,9 @@
         "path": "C:\\ProgramData\\winlogbeat\\.winlogbeat.yml.new",
         "extension": "new",
         "size": 1406,
-        "name": ".winlogbeat.yml.new"
+        "name": ".winlogbeat.yml.new",
+        "origin_referrer_url": "https://example.com",
+        "origin_url": "https://example.com/file.zip"
     },
     "ecs": {
         "version": "1.11.0"
diff --git a/package/endpoint/docs/README.md b/package/endpoint/docs/README.md
@@ -1599,6 +1599,8 @@ sent by the endpoint.
 | file.mode | Mode of the file in octal representation. | keyword |
 | file.mtime | Last time the file content was modified. | date |
 | file.name | Name of the file including the extension, without the directory. | keyword |
+| file.origin_referrer_url | The url of the webpage that linked to the file. | keyword |
+| file.origin_url | The url where the file is hosted. | keyword |
 | file.owner | File owner's username. | keyword |
 | file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
 | file.pe.company | Internal company name of the file, provided at compile-time. | keyword |
diff --git a/schemas/v1/file/file.yaml b/schemas/v1/file/file.yaml
