VirusTotal RFC

[peasead]

• Have you signed the contributor license agreement? yes
• Have you followed the contributor guidelines? yes
• For proposing substantial changes or additions to the schema, have you reviewed the RFC process? Yes
• If submitting code/script changes, have you verified all tests pass locally using make test? N/A
• If submitting schema/fields updates, have you generated new artifacts by running make and committed those changes? N/A
• Is your pull request against master? Unless there is a good reason otherwise, we prefer pull requests against master and will backport as needed. N/A
• Have you added an entry to the CHANGELOG.next.md? N/A

[webmat]

Hey @peasead, I'll remove the 1.7.0 label, as feature freeze for this version was a few weeks ago.

In ECS we try to focus on concepts, so that the schema can stand the test of time, work across equivalent sources, as well as survive the whims of marketing teams renaming products ;-)

Is there any way we could name this other than VirusTotal?

[peasead]

Hey @webmat. Thanks for removing the 1.7.0 label.

I'd hesitated with naming it after a vendor, but similar to Zeek and Suricata being the standard in network metadata; they're the standard in malware analysis, so I thought it made sense.

That said, would something like file.virustotal. make more sense - extend the file fieldset instead of making a new one? Similar to your comment here: https://github.com/elastic/security-team/issues/177#issuecomment-712942235

This is used for the VT Filebeat module elastic/beats#21815

[peasead]

Actually, in talking with @dcode I think that we can have the virustotal fields life in the Beat module and extend file.pe. and create file.elf. where needed. 👍

cc @devonakerr