

add FileExtension field
rabbitstack committed Dec 8, 2020
1 parent acd2bc5 commit 4218af6
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions pkg/filter/fields/fields.go
Expand Up @@ -170,6 +170,8 @@ const (
FileObject Field = "file.object"
// FileName represents the fie name
FileName Field = "file.name"
// FileExtension represents the file extension (e.g. .exe or .dll)
FileExtension Field = "file.extension"
// FileOperation represents the file operation (e.g. create)
FileOperation Field = "file.operation"
// FileShareMask represents the file share mask
Expand Down Expand Up @@ -314,6 +316,7 @@ var fields = map[Field]FieldInfo{
FileIOSize: {FileIOSize, "file I/O size", kparams.Uint32, []string{"file.io.size > 512"}},
FileOffset: {FileOffset, "file offset", kparams.Uint64, []string{"file.offset = 1024"}},
FileType: {FileType, "file type", kparams.AnsiString, []string{"file.type = 'directory'"}},
FileExtension: {FileExtension, "file extension", kparams.AnsiString, []string{"file.extension = '.dll'"}},

RegistryKeyName: {RegistryKeyName, "fully qualified key name", kparams.UnicodeString, []string{"registry.key.name contains 'HKEY_LOCAL_MACHINE'"}},
RegistryKeyHandle: {RegistryKeyHandle, "registry key object address", kparams.HexInt64, []string{"registry.key.handle = 'FFFFB905D60C2268'"}},
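Review bot: The doc comment on the new `FileExtension` constant in the first hunk does not say whether the extension value is case-normalized, which decides whether the example filter `file.extension = '.dll'` in the second hunk also matches a file named with `.DLL` — on Windows those are the same file, and this diff does not show how the field is populated or compared. If the producer lower-cases the extension before it reaches the filter, state it in the comment, e.g. `// FileExtension represents the file extension (e.g. .exe or .dll), including the leading dot; the value is compared as provided by the producer`, adjusting the last clause once the normalization is confirmed; if it is not normalized, a rule written against this field silently misses differently-cased extensions, so documenting the contract here is the cheapest way to keep rule authors from relying on an assumption. The enclosing `const (` block and the `fields` map literal both start and end outside the hunks. The context line `// FileName represents the fie name` has a typo (`fie` → `file`) that could be fixed in passing.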
