Merge branch 'main' into new_fileevent_fields

elastic · Sep 12, 2024 · 4977a98 · 4977a98
2 parents eba4cc7 + 71d285d
commit 4977a98
Show file tree

Hide file tree

Showing 30 changed files with 1,441 additions and 70 deletions.
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
@@ -865,6 +865,24 @@ example: `true`
 
 // ===============================================================
 
+|
+[[field-code-signature-flags]]
+<<field-code-signature-flags, code_signature.flags>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The flags used to sign the process.
+
+type: string
+
+
+
+example: `570522385`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-code-signature-signing-id]]
 <<field-code-signature-signing-id, code_signature.signing_id>>
@@ -1610,7 +1628,7 @@ example: `co.uk`
 [[ecs-device]]
 === Device Fields
 
-Fields that describe a device instance and its characteristics.  Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device.
+Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device.
 
 This field group definition is based on the Device namespace of the OpenTelemetry Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/).
 
@@ -1629,7 +1647,7 @@ beta::[ These fields are in beta and are subject to change.]
 [[field-device-id]]
 <<field-device-id, device.id>>
 
-a| The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. 
+a| The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device.
 
 On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application.
 
@@ -1693,6 +1711,24 @@ example: `Samsung Galaxy S6`
 
 // ===============================================================
 
+|
+[[field-device-serial-number]]
+<<field-device-serial-number, device.serial_number>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The unique serial number serves as a distinct identifier for each device, aiding in inventory management and device authentication.
+
+type: keyword
+
+
+
+example: `DJGAQS4CW5`
+
+| core
+
+// ===============================================================
+
 |=====
 
 
@@ -4843,6 +4879,24 @@ Note that this fieldset is used for common hashes that may be computed over a ra
 
 // ===============================================================
 
+|
+[[field-hash-cdhash]]
+<<field-hash-cdhash, hash.cdhash>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code.
+
+type: keyword
+
+
+
+example: `3783b4052fd474dbe30676b45c329e7a6d44acd9`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-hash-md5]]
 <<field-hash-md5, hash.md5>>
@@ -8717,6 +8771,8 @@ The `process` fields are expected to be nested at:
 
 * `process.previous`
 
+* `process.responsible`
+
 * `process.session_leader`
 
 * `process.session_leader.parent`
@@ -8871,6 +8927,14 @@ Note: this reuse should contain an array of process field set objects.
 // ===============================================================
 
 
+| `process.responsible.*`
+| <<ecs-process,process>>| beta:[ This field is beta and subject to change.]
+
+Responsible process in macOS tracks the originating process of an app, key for understanding permissions and hierarchy.
+
+// ===============================================================
+
+
 | `process.saved_group.*`
 | <<ecs-group,group>>
 | The saved group (sgid).
@@ -9174,7 +9238,7 @@ Note: this field should contain an array of values.
 [[ecs-risk]]
 === Risk information Fields
 
-Fields for describing risk score and risk level of entities such as hosts and users.  These fields are not allowed to be nested under `event.*`. Please continue to use  `event.risk_score` and `event.risk_score_norm` for event risk.
+Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under `event.*`. Please continue to use `event.risk_score` and `event.risk_score_norm` for event risk.
 
 beta::[ These fields are in beta and are subject to change.]
 

diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
@@ -1183,9 +1183,9 @@
   - name: device
     title: Device
     group: 2
-    description: 'Fields that describe a device instance and its characteristics.  Data
-      collected for applications and processes running on a (mobile) device can be
-      enriched with these fields to describe the identity, type and other characteristics
+    description: 'Fields that describe a device instance and its characteristics.
+      Data collected for applications and processes running on a (mobile) device can
+      be enriched with these fields to describe the identity, type and other characteristics
       of the device.
 
       This field group definition is based on the Device namespace of the OpenTelemetry
@@ -1197,13 +1197,15 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: "The unique identifier of a device. The identifier must not change\
-        \ across application sessions but stay fixed for an instance of a (mobile)\
-        \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\
-        \ On Android, this value must be equal to the Firebase Installation ID or\
-        \ a globally unique UUID which is persisted across sessions in your application.\n\
-        For GDPR and data protection law reasons this identifier should not carry\
-        \ information that would allow to identify a user."
+      description: 'The unique identifier of a device. The identifier must not change
+        across application sessions but stay fixed for an instance of a (mobile) device.
+
+        On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).
+        On Android, this value must be equal to the Firebase Installation ID or a
+        globally unique UUID which is persisted across sessions in your application.
+
+        For GDPR and data protection law reasons this identifier should not carry
+        information that would allow to identify a user.'
       example: 00000000-54b3-e7c7-0000-000046bffd97
       default_field: false
     - name: manufacturer
@@ -1227,6 +1229,14 @@
       description: The human readable marketing name of the device model.
       example: Samsung Galaxy S6
       default_field: false
+    - name: serial_number
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: The unique serial number serves as a distinct identifier for each
+        device, aiding in inventory management and device authentication.
+      example: DJGAQS4CW5
+      default_field: false
   - name: dll
     title: DLL
     group: 2
@@ -1261,6 +1271,12 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: code_signature.flags
+      level: extended
+      type: string
+      description: The flags used to sign the process.
+      example: 570522385
+      default_field: false
     - name: code_signature.signing_id
       level: extended
       type: keyword
@@ -1323,6 +1339,14 @@
         Leave unpopulated if a certificate was unchecked.'
       example: 'true'
       default_field: false
+    - name: hash.cdhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Code directory hash, utilized to uniquely identify and authenticate
+        the integrity of the executable code.
+      example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+      default_field: false
     - name: hash.md5
       level: extended
       type: keyword
@@ -1760,6 +1784,14 @@
       description: Attachment file extension, excluding the leading dot.
       example: txt
       default_field: false
+    - name: attachments.file.hash.cdhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Code directory hash, utilized to uniquely identify and authenticate
+        the integrity of the executable code.
+      example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+      default_field: false
     - name: attachments.file.hash.md5
       level: extended
       type: keyword
@@ -2405,6 +2437,12 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: code_signature.flags
+      level: extended
+      type: string
+      description: The flags used to sign the process.
+      example: 570522385
+      default_field: false
     - name: code_signature.signing_id
       level: extended
       type: keyword
@@ -2789,6 +2827,14 @@
       ignore_above: 1024
       description: Primary group name of the file.
       example: alice
+    - name: hash.cdhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Code directory hash, utilized to uniquely identify and authenticate
+        the integrity of the executable code.
+      example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+      default_field: false
     - name: hash.md5
       level: extended
       type: keyword
@@ -4759,6 +4805,12 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: code_signature.flags
+      level: extended
+      type: string
+      description: The flags used to sign the process.
+      example: 570522385
+      default_field: false
     - name: code_signature.signing_id
       level: extended
       type: keyword
@@ -5788,6 +5840,14 @@
       description: The working directory of the process.
       example: /home/alice
       default_field: false
+    - name: hash.cdhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Code directory hash, utilized to uniquely identify and authenticate
+        the integrity of the executable code.
+      example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+      default_field: false
     - name: hash.md5
       level: extended
       type: keyword
@@ -6069,6 +6129,12 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: parent.code_signature.flags
+      level: extended
+      type: string
+      description: The flags used to sign the process.
+      example: 570522385
+      default_field: false
     - name: parent.code_signature.signing_id
       level: extended
       type: keyword
@@ -6480,6 +6546,14 @@
         the process exists within.'
       example: 4242
       default_field: false
+    - name: parent.hash.cdhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Code directory hash, utilized to uniquely identify and authenticate
+        the integrity of the executable code.
+      example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+      default_field: false
     - name: parent.hash.md5
       level: extended
       type: keyword
@@ -9115,6 +9189,12 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: enrichments.indicator.file.code_signature.flags
+      level: extended
+      type: string
+      description: The flags used to sign the process.
+      example: 570522385
+      default_field: false
     - name: enrichments.indicator.file.code_signature.signing_id
       level: extended
       type: keyword
@@ -9506,6 +9586,14 @@
       description: Primary group name of the file.
       example: alice
       default_field: false
+    - name: enrichments.indicator.file.hash.cdhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Code directory hash, utilized to uniquely identify and authenticate
+        the integrity of the executable code.
+      example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+      default_field: false
     - name: enrichments.indicator.file.hash.md5
       level: extended
       type: keyword
@@ -10736,6 +10824,12 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: indicator.file.code_signature.flags
+      level: extended
+      type: string
+      description: The flags used to sign the process.
+      example: 570522385
+      default_field: false
     - name: indicator.file.code_signature.signing_id
       level: extended
       type: keyword
@@ -11127,6 +11221,14 @@
       description: Primary group name of the file.
       example: alice
       default_field: false
+    - name: indicator.file.hash.cdhash
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Code directory hash, utilized to uniquely identify and authenticate
+        the integrity of the executable code.
+      example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+      default_field: false
     - name: indicator.file.hash.md5
       level: extended
       type: keyword