From d23d3670589c27fb19d13e77c5cbe24c206953e5 Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 24 Jan 2024 15:08:38 +0000
Subject: [PATCH 1/2] Make scan.pe.flags a string

---
 salt/elasticsearch/files/ingest/strelka.file | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file
index a74a7c622..d55e19350 100644
--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
@@ -67,7 +67,8 @@
 { "set": { "if": "ctx.scan?.pe?.image_version == '0'", "field": "scan.pe.image_version", "value": "0.0", "override": true } },
 { "set": { "field": "observer.name", "value": "{{agent.name}}" }},
 { "convert" : { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
- { "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } },
- { "pipeline": { "name": "common" } }
+ { "convert" : { "field" : "scan.pe.flags","type": "string", "ignore_missing":true }},
+ { "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
 ]
 }

From 8426aad56de749838a152218ff542c995eca0f77 Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 24 Jan 2024 15:10:42 +0000
Subject: [PATCH 2/2] Text mapping for scan.pe.flags

---
 .../templates/component/so/so-scan-mappings.json | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/salt/elasticsearch/templates/component/so/so-scan-mappings.json b/salt/elasticsearch/templates/component/so/so-scan-mappings.json
index 008a6ab10..2d11acba0 100644
--- a/salt/elasticsearch/templates/component/so/so-scan-mappings.json
+++ b/salt/elasticsearch/templates/component/so/so-scan-mappings.json
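Review bot: The new `convert` on `scan.pe.flags` carries no `description`, so a later reader cannot tell why the field is coerced or what shape Strelka emits it in (scalar, array of flag names, or object); ingest processors accept a `description` key, e.g. `{ "convert" : { "field" : "scan.pe.flags", "type": "string", "ignore_missing": true, "description": "scan.pe.flags is mapped as text; coerce non-string values so the document is not rejected" }}`. Note that `convert` to `string` handles scalars and arrays element-wise, but if the incoming value were ever an object it appears to be stringified rather than rejected, which would silently index an unusable value — worth confirming against a sample Strelka PE event. The `remove` and `pipeline` lines appear on both the removed and added side with identical content, which looks like whitespace-only churn; if so, dropping them from the change keeps the diff to the one intended line. The enclosing processors array starts before the hunk.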
@@ -14,16 +14,19 @@
 },
 "pe": {
 "properties": {
- "sections": {
+ "flags": {
+ "type": "text"
+ },
+ "image_version": {
+ "type": "float"
+ },
+ "sections": {
 "properties": {
 "entropy": {
 "type": "float"
 }
 }
- },
- "image_version": {
- "type": "float"
- }
+ }
 }
 },
 "elf": {
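Review bot: Mapping `scan.pe.flags` as `text` makes the field analyzed and non-aggregatable, which is a poor fit for a PE characteristics flag set that analysts will want to filter on exactly and count across files during hunting; unless free-text search over it is intended, `"flags": { "type": "keyword" }` (or `text` with a `keyword` sub-field) is the usual choice for enumerated values and matches exact-term queries. Whatever type is chosen, a component-template change only applies to indices created afterwards; existing indices keep their current `scan.pe.flags` mapping, so a rollover or reindex is needed before the ingest-side string coercion in the companion commit stops hitting mapping conflicts. The `image_version` float mapping is only relocated here, not changed. The enclosing mappings object starts before and ends after the hunk.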