diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index f51db9dfd..f4b7bb699 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -865,6 +865,24 @@ example: `true` // =============================================================== +| +[[field-code-signature-flags]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The flags used to sign the process. + +type: string + + + +example: `570522385` + +| extended + +// =============================================================== + | [[field-code-signature-signing-id]] <> @@ -1610,7 +1628,7 @@ example: `co.uk` [[ecs-device]] === Device Fields -Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device. +Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device. This field group definition is based on the Device namespace of the OpenTelemetry Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/). 
@@ -1629,7 +1647,7 @@ beta::[ These fields are in beta and are subject to change.] [[field-device-id]] <> -a| The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. +a| The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. @@ -1693,6 +1711,24 @@ example: `Samsung Galaxy S6` // =============================================================== +| +[[field-device-serial-number]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The unique serial number serves as a distinct identifier for each device, aiding in inventory management and device authentication. + +type: keyword + + + +example: `DJGAQS4CW5` + +| core + +// =============================================================== + |===== @@ -4843,6 +4879,24 @@ Note that this fieldset is used for common hashes that may be computed over a ra // =============================================================== +| +[[field-hash-cdhash]] +<> + +a| beta:[ This field is beta and subject to change. ] + +Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. + +type: keyword + + + +example: `3783b4052fd474dbe30676b45c329e7a6d44acd9` + +| extended + +// =============================================================== + | [[field-hash-md5]] <> @@ -8717,6 +8771,8 @@ The `process` fields are expected to be nested at: * `process.previous` +* `process.responsible` + * `process.session_leader` * `process.session_leader.parent` 
@@ -8871,6 +8927,14 @@ Note: this reuse should contain an array of process field set objects. // =============================================================== +| `process.responsible.*` +| <>| beta:[ This field is beta and subject to change.] + +Responsible process in macOS tracks the originating process of an app, key for understanding permissions and hierarchy. + +// =============================================================== + + | `process.saved_group.*` | <> | The saved group (sgid). @@ -9174,7 +9238,7 @@ Note: this field should contain an array of values. [[ecs-risk]] === Risk information Fields -Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under `event.*`. Please continue to use `event.risk_score` and `event.risk_score_norm` for event risk. +Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under `event.*`. Please continue to use `event.risk_score` and `event.risk_score_norm` for event risk. beta::[ These fields are in beta and are subject to change.] diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index b53aa7dcd..1f3f1ad79 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -1183,9 +1183,9 @@ - name: device title: Device group: 2 - description: 'Fields that describe a device instance and its characteristics. Data - collected for applications and processes running on a (mobile) device can be - enriched with these fields to describe the identity, type and other characteristics + description: 'Fields that describe a device instance and its characteristics. + Data collected for applications and processes running on a (mobile) device can + be enriched with these fields to describe the identity, type and other characteristics of the device. This field group definition is based on the Device namespace of the OpenTelemetry 
@@ -1197,13 +1197,15 @@ level: extended type: keyword ignore_above: 1024 - description: "The unique identifier of a device. The identifier must not change\ - \ across application sessions but stay fixed for an instance of a (mobile)\ - \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ - \ On Android, this value must be equal to the Firebase Installation ID or\ - \ a globally unique UUID which is persisted across sessions in your application.\n\ - For GDPR and data protection law reasons this identifier should not carry\ - \ information that would allow to identify a user." + description: 'The unique identifier of a device. The identifier must not change + across application sessions but stay fixed for an instance of a (mobile) device. + + On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). + On Android, this value must be equal to the Firebase Installation ID or a + globally unique UUID which is persisted across sessions in your application. + + For GDPR and data protection law reasons this identifier should not carry + information that would allow to identify a user.' example: 00000000-54b3-e7c7-0000-000046bffd97 default_field: false - name: manufacturer @@ -1227,6 +1229,14 @@ description: The human readable marketing name of the device model. example: Samsung Galaxy S6 default_field: false + - name: serial_number + level: core + type: keyword + ignore_above: 1024 + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + default_field: false - name: dll title: DLL group: 2 
@@ -1261,6 +1271,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -1323,6 +1339,14 @@ Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -1760,6 +1784,14 @@ description: Attachment file extension, excluding the leading dot. example: txt default_field: false + - name: attachments.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: attachments.file.hash.md5 level: extended type: keyword @@ -2405,6 +2437,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword 
@@ -2789,6 +2827,14 @@ ignore_above: 1024 description: Primary group name of the file. example: alice + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -4759,6 +4805,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -5788,6 +5840,14 @@ description: The working directory of the process. example: /home/alice default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -6069,6 +6129,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: parent.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: parent.code_signature.signing_id level: extended type: keyword @@ -6480,6 +6546,14 @@ the process exists within.' example: 4242 default_field: false + - name: parent.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: parent.hash.md5 level: extended type: keyword 
@@ -9115,6 +9189,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: enrichments.indicator.file.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: enrichments.indicator.file.code_signature.signing_id level: extended type: keyword @@ -9506,6 +9586,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: enrichments.indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: enrichments.indicator.file.hash.md5 level: extended type: keyword @@ -10736,6 +10824,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: indicator.file.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: indicator.file.code_signature.signing_id level: extended type: keyword @@ -11127,6 +11221,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: indicator.file.hash.md5 level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index aee9cd276..4996577c0 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -146,8 +146,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. 8.12.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. 8.12.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.12.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device 8.12.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -155,6 +157,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 8.12.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 8.12.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev+exp,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. @@ -208,6 +211,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. 8.12.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. 8.12.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.12.0-dev+exp,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -276,6 +280,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -330,6 +335,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev+exp,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -589,6 +595,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -730,6 +737,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. 8.12.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.12.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev+exp,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -769,6 +777,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -827,6 +836,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. 8.12.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.12.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev+exp,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -1154,6 +1164,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -1208,6 +1219,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -1373,6 +1385,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -1427,6 +1440,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev+exp,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index d4efb6e8a..e0190aa4e 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -1711,13 +1711,15 @@ destination.user.roles: type: keyword device.id: dashed_name: device-id - description: "The unique identifier of a device. The identifier must not change\ - \ across application sessions but stay fixed for an instance of a (mobile) device.\ - \ \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ - \ On Android, this value must be equal to the Firebase Installation ID or a globally\ - \ unique UUID which is persisted across sessions in your application.\nFor GDPR\ - \ and data protection law reasons this identifier should not carry information\ - \ that would allow to identify a user." + description: 'The unique identifier of a device. The identifier must not change + across application sessions but stay fixed for an instance of a (mobile) device. + + On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). + On Android, this value must be equal to the Firebase Installation ID or a globally + unique UUID which is persisted across sessions in your application. + + For GDPR and data protection law reasons this identifier should not carry information + that would allow to identify a user.' example: 00000000-54b3-e7c7-0000-000046bffd97 flat_name: device.id ignore_above: 1024 
@@ -1759,6 +1761,19 @@ device.model.name: normalize: [] short: The human readable marketing name of the device model. type: keyword +device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each device, + aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword dll.code_signature.digest_algorithm: dashed_name: dll-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. @@ -1785,6 +1800,18 @@ dll.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -1883,6 +1910,20 @@ dll.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean +dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. @@ -2566,6 +2607,20 @@ email.attachments.file.extension: normalize: [] short: Attachment file extension. type: keyword +email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. 
@@ -3896,6 +3951,18 @@ file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -4555,6 +4622,20 @@ file.group: normalize: [] short: Primary group name of the file. type: keyword +file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. @@ -7722,6 +7803,18 @@ process.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -9394,6 +9487,20 @@ process.group_leader.working_directory: original_fieldset: process short: The working directory of the process. type: keyword +process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. @@ -9865,6 +9972,18 @@ process.parent.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -10565,6 +10684,20 @@ process.parent.group_leader.vpid: original_fieldset: process short: Virtual process id. type: long +process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -14665,6 +14798,18 @@ threat.enrichments.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -15333,6 +15478,20 @@ threat.enrichments.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. @@ -17399,6 +17558,18 @@ threat.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -18067,6 +18238,20 @@ threat.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 032f2f7b5..3cc9c8b0f 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1320,6 +1320,17 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: code_signature.flags + level: extended + name: flags + normalize: [] + short: Code signing flags of the process + type: string code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -2153,7 +2164,7 @@ destination: type: group device: beta: These fields are in beta and are subject to change. - description: 'Fields that describe a device instance and its characteristics. Data + description: 'Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device. @@ -2163,13 +2174,15 @@ device: fields: device.id: dashed_name: device-id - description: "The unique identifier of a device. The identifier must not change\ - \ across application sessions but stay fixed for an instance of a (mobile)\ - \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ - \ On Android, this value must be equal to the Firebase Installation ID or\ - \ a globally unique UUID which is persisted across sessions in your application.\n\ - For GDPR and data protection law reasons this identifier should not carry\ - \ information that would allow to identify a user." + description: 'The unique identifier of a device. The identifier must not change + across application sessions but stay fixed for an instance of a (mobile) device. + + On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). + On Android, this value must be equal to the Firebase Installation ID or a + globally unique UUID which is persisted across sessions in your application. + + For GDPR and data protection law reasons this identifier should not carry + information that would allow to identify a user.' example: 00000000-54b3-e7c7-0000-000046bffd97 flat_name: device.id ignore_above: 1024 
@@ -2211,6 +2224,19 @@ device: normalize: [] short: The human readable marketing name of the device model. type: keyword + device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword group: 2 name: device prefix: device. @@ -2258,6 +2284,18 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -2356,6 +2394,20 @@ dll: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean + dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. 
@@ -3518,6 +3570,20 @@ email: normalize: [] short: Attachment file extension. type: keyword + email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. @@ -4929,6 +4995,18 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -5589,6 +5667,20 @@ file: normalize: [] short: Primary group name of the file. type: keyword + file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. 
@@ -6908,6 +7000,19 @@ hash: range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).' fields: + hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + short: The Code Directory (CD) hash of an executable. + type: keyword hash.md5: dashed_name: hash-md5 description: MD5 hash. @@ -9931,6 +10036,18 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -11604,6 +11721,20 @@ process: original_fieldset: process short: The working directory of the process. type: keyword + process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. @@ -12079,6 +12210,18 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -12780,6 +12923,20 @@ process: original_fieldset: process short: Virtual process id. type: long + process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -14969,6 +15126,7 @@ process: - process.previous - process.real_group - process.real_user + - process.responsible - process.saved_group - process.saved_user - process.session_leader @@ -15030,6 +15188,12 @@ process: - array short_override: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - as: responsible + at: process + beta: This field is beta and subject to change. + full: process.responsible + short_override: Responsible process in macOS tracks the originating process + of an app, key for understanding permissions and hierarchy. top_level: true reused_here: - full: process.group @@ -15127,6 +15291,11 @@ process: schema_name: process short: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - beta: This field is beta and subject to change. + full: process.responsible + schema_name: process + short: Responsible process in macOS tracks the originating process of an app, + key for understanding permissions and hierarchy. short: These fields contain information about a process. title: Process type: group 
@@ -15303,8 +15472,8 @@ related: risk: beta: These fields are in beta and are subject to change. description: Fields for describing risk score and risk level of entities such as - hosts and users. These fields are not allowed to be nested under `event.*`. Please - continue to use `event.risk_score` and `event.risk_score_norm` for event risk. + hosts and users. These fields are not allowed to be nested under `event.*`. Please + continue to use `event.risk_score` and `event.risk_score_norm` for event risk. fields: risk.calculated_level: dashed_name: risk-calculated-level @@ -17329,6 +17498,18 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -17998,6 +18179,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. @@ -20069,6 +20264,18 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -20738,6 +20945,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/experimental/generated/elasticsearch/composable/component/device.json b/experimental/generated/elasticsearch/composable/component/device.json index cf66d72b0..215d04617 100644 --- a/experimental/generated/elasticsearch/composable/component/device.json +++ b/experimental/generated/elasticsearch/composable/component/device.json @@ -27,6 +27,10 @@ "type": "keyword" } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } } } diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index 2de113a6e..55e224626 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -17,6 +17,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -46,6 +49,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" 
diff --git a/experimental/generated/elasticsearch/composable/component/email.json b/experimental/generated/elasticsearch/composable/component/email.json index 83863c9c0..5de733e5f 100644 --- a/experimental/generated/elasticsearch/composable/component/email.json +++ b/experimental/generated/elasticsearch/composable/component/email.json @@ -18,6 +18,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index ed3e785c0..8ebb30bc5 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -24,6 +24,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -233,6 +236,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index f4dd52c1c..de0be5f24 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -24,6 +24,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -674,6 +677,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -824,6 +831,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" 
@@ -1055,6 +1065,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index 71a444b6a..c27f97ed5 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -66,6 +66,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -275,6 +278,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -995,6 +1002,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1204,6 +1214,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 4dc9cd400..0baf80b58 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -782,6 +782,10 @@ "type": "keyword" } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -796,6 +800,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -825,6 +832,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" 
@@ -1050,6 +1061,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -1360,6 +1375,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1569,6 +1587,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -2753,6 +2775,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -3403,6 +3428,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -3553,6 +3582,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -3784,6 +3816,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -5291,6 +5327,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -5500,6 +5539,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -6220,6 +6263,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -6429,6 +6475,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 8e38623a6..24108292c 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -1133,9 +1133,9 @@ - name: device title: Device group: 2 - description: 'Fields that describe a device instance and its characteristics. Data - collected for applications and processes running on a (mobile) device can be - enriched with these fields to describe the identity, type and other characteristics + description: 'Fields that describe a device instance and its characteristics. + Data collected for applications and processes running on a (mobile) device can + be enriched with these fields to describe the identity, type and other characteristics of the device. This field group definition is based on the Device namespace of the OpenTelemetry 
@@ -1147,13 +1147,15 @@ level: extended type: keyword ignore_above: 1024 - description: "The unique identifier of a device. The identifier must not change\ - \ across application sessions but stay fixed for an instance of a (mobile)\ - \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ - \ On Android, this value must be equal to the Firebase Installation ID or\ - \ a globally unique UUID which is persisted across sessions in your application.\n\ - For GDPR and data protection law reasons this identifier should not carry\ - \ information that would allow to identify a user." + description: 'The unique identifier of a device. The identifier must not change + across application sessions but stay fixed for an instance of a (mobile) device. + + On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). + On Android, this value must be equal to the Firebase Installation ID or a + globally unique UUID which is persisted across sessions in your application. + + For GDPR and data protection law reasons this identifier should not carry + information that would allow to identify a user.' example: 00000000-54b3-e7c7-0000-000046bffd97 default_field: false - name: manufacturer @@ -1177,6 +1179,14 @@ description: The human readable marketing name of the device model. example: Samsung Galaxy S6 default_field: false + - name: serial_number + level: core + type: keyword + ignore_above: 1024 + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + default_field: false - name: dll title: DLL group: 2 
@@ -1211,6 +1221,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -1273,6 +1289,14 @@ Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -1710,6 +1734,14 @@ description: Attachment file extension, excluding the leading dot. example: txt default_field: false + - name: attachments.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: attachments.file.hash.md5 level: extended type: keyword @@ -2355,6 +2387,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword 
@@ -2739,6 +2777,14 @@ ignore_above: 1024 description: Primary group name of the file. example: alice + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -4709,6 +4755,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -5738,6 +5790,14 @@ description: The working directory of the process. example: /home/alice default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -6019,6 +6079,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: parent.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: parent.code_signature.signing_id level: extended type: keyword @@ -6430,6 +6496,14 @@ the process exists within.' example: 4242 default_field: false + - name: parent.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: parent.hash.md5 level: extended type: keyword 
@@ -9065,6 +9139,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: enrichments.indicator.file.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: enrichments.indicator.file.code_signature.signing_id level: extended type: keyword @@ -9456,6 +9536,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: enrichments.indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: enrichments.indicator.file.hash.md5 level: extended type: keyword @@ -10686,6 +10774,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: indicator.file.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: indicator.file.code_signature.signing_id level: extended type: keyword @@ -11077,6 +11171,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: indicator.file.hash.md5 level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index cbfddda8c..3e7781deb 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -139,8 +139,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. 8.12.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. 8.12.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.12.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device 8.12.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -148,6 +150,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 8.12.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 8.12.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. @@ -201,6 +204,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. 8.12.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. 8.12.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.12.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -269,6 +273,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -323,6 +328,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -582,6 +588,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -723,6 +730,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. 8.12.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.12.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -762,6 +770,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -820,6 +829,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. 8.12.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.12.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -1147,6 +1157,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -1201,6 +1212,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -1366,6 +1378,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -1420,6 +1433,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index d39ef96e0..2d85edfd2 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1642,13 +1642,15 @@ destination.user.roles: type: keyword device.id: dashed_name: device-id - description: "The unique identifier of a device. The identifier must not change\ - \ across application sessions but stay fixed for an instance of a (mobile) device.\ - \ \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ - \ On Android, this value must be equal to the Firebase Installation ID or a globally\ - \ unique UUID which is persisted across sessions in your application.\nFor GDPR\ - \ and data protection law reasons this identifier should not carry information\ - \ that would allow to identify a user." + description: 'The unique identifier of a device. The identifier must not change + across application sessions but stay fixed for an instance of a (mobile) device. + + On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). + On Android, this value must be equal to the Firebase Installation ID or a globally + unique UUID which is persisted across sessions in your application. + + For GDPR and data protection law reasons this identifier should not carry information + that would allow to identify a user.' example: 00000000-54b3-e7c7-0000-000046bffd97 flat_name: device.id ignore_above: 1024 
@@ -1690,6 +1692,19 @@ device.model.name: normalize: [] short: The human readable marketing name of the device model. type: keyword +device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each device, + aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword dll.code_signature.digest_algorithm: dashed_name: dll-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. @@ -1716,6 +1731,18 @@ dll.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. 
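Review bot: The new `device.serial_number` entry in the `@@ -1690` hunk says the serial number aids in `device authentication`, but a serial number is a printed, USB-readable, trivially spoofable identifier and must not be presented as an authenticator; I would drop that phrase and keep the description to identification and correlation, e.g. `The unique serial number assigned to the device by its manufacturer, used to identify and correlate the device across data sources.` The neighbouring `device.id` description in this same file carries a GDPR/data-protection note, and a hardware serial is an even more persistent cross-application identifier than `device.id`, so the same caveat belongs here: `For GDPR and data protection law reasons this value may be personal data; collect it only where the use case requires it.` This file appears to be generated from the schema source, so the wording change belongs on the `serial_number` definition there. The field is also the only `device.*` entry at level `core` among those visible (`manufacturer` and `model.*` are `extended`), which seems worth a second look for a beta field that many sources cannot populate.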
@@ -1814,6 +1841,20 @@ dll.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean +dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. @@ -2497,6 +2538,20 @@ email.attachments.file.extension: normalize: [] short: Attachment file extension. type: keyword +email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. 
@@ -3827,6 +3882,18 @@ file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -4486,6 +4553,20 @@ file.group: normalize: [] short: Primary group name of the file. type: keyword +file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. @@ -7653,6 +7734,18 @@ process.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -9325,6 +9418,20 @@ process.group_leader.working_directory: original_fieldset: process short: The working directory of the process. type: keyword +process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. @@ -9796,6 +9903,18 @@ process.parent.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -10496,6 +10615,20 @@ process.parent.group_leader.vpid: original_fieldset: process short: Virtual process id. type: long +process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -14596,6 +14729,18 @@ threat.enrichments.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -15264,6 +15409,20 @@ threat.enrichments.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. @@ -17330,6 +17489,18 @@ threat.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -17998,6 +18169,20 @@ threat.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 0b1cac771..04badd271 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1240,6 +1240,17 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: code_signature.flags + level: extended + name: flags + normalize: [] + short: Code signing flags of the process + type: string code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. @@ -2073,7 +2084,7 @@ destination: type: group device: beta: These fields are in beta and are subject to change. - description: 'Fields that describe a device instance and its characteristics. Data + description: 'Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device. 
@@ -2083,13 +2094,15 @@ device: fields: device.id: dashed_name: device-id - description: "The unique identifier of a device. The identifier must not change\ - \ across application sessions but stay fixed for an instance of a (mobile)\ - \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ - \ On Android, this value must be equal to the Firebase Installation ID or\ - \ a globally unique UUID which is persisted across sessions in your application.\n\ - For GDPR and data protection law reasons this identifier should not carry\ - \ information that would allow to identify a user." + description: 'The unique identifier of a device. The identifier must not change + across application sessions but stay fixed for an instance of a (mobile) device. + + On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). + On Android, this value must be equal to the Firebase Installation ID or a + globally unique UUID which is persisted across sessions in your application. + + For GDPR and data protection law reasons this identifier should not carry + information that would allow to identify a user.' example: 00000000-54b3-e7c7-0000-000046bffd97 flat_name: device.id ignore_above: 1024 @@ -2131,6 +2144,19 @@ device: normalize: [] short: The human readable marketing name of the device model. type: keyword + device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword group: 2 name: device prefix: device. 
@@ -2178,6 +2204,18 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -2276,6 +2314,20 @@ dll: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean + dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. 
@@ -3438,6 +3490,20 @@ email: normalize: [] short: Attachment file extension. type: keyword + email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. @@ -4849,6 +4915,18 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -5509,6 +5587,20 @@ file: normalize: [] short: Primary group name of the file. type: keyword + file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. 
@@ -6828,6 +6920,19 @@ hash: range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).' fields: + hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + short: The Code Directory (CD) hash of an executable. + type: keyword hash.md5: dashed_name: hash-md5 description: MD5 hash. @@ -9851,6 +9956,18 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -11524,6 +11641,20 @@ process: original_fieldset: process short: The working directory of the process. type: keyword + process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. @@ -11999,6 +12130,18 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -12700,6 +12843,20 @@ process:
 original_fieldset: process
 short: Virtual process id.
 type: long
+ process.parent.hash.cdhash:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-hash-cdhash
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ flat_name: process.parent.hash.cdhash
+ ignore_above: 1024
+ level: extended
+ name: cdhash
+ normalize: []
+ original_fieldset: hash
+ short: The Code Directory (CD) hash of an executable.
+ type: keyword
 process.parent.hash.md5:
 dashed_name: process-parent-hash-md5
 description: MD5 hash.
@@ -14889,6 +15046,7 @@ process:
 - process.previous
 - process.real_group
 - process.real_user
+ - process.responsible
 - process.saved_group
 - process.saved_user
 - process.session_leader
@@ -14950,6 +15108,12 @@ process:
 - array
 short_override: An array of previous executions for the process, including the
 initial fork. Only executable and args are set.
+ - as: responsible
+ at: process
+ beta: This field is beta and subject to change.
+ full: process.responsible
+ short_override: Responsible process in macOS tracks the originating process
+ of an app, key for understanding permissions and hierarchy.
 top_level: true
 reused_here:
 - full: process.group
@@ -15047,6 +15211,11 @@ process:
 schema_name: process
 short: An array of previous executions for the process, including the initial
 fork. Only executable and args are set.
+ - beta: This field is beta and subject to change.
+ full: process.responsible
+ schema_name: process
+ short: Responsible process in macOS tracks the originating process of an app,
+ key for understanding permissions and hierarchy.
 short: These fields contain information about a process.
 title: Process
 type: group
@@ -15223,8 +15392,8 @@ related:
 risk:
 beta: These fields are in beta and are subject to change.
 description: Fields for describing risk score and risk level of entities such as
- hosts and users. These fields are not allowed to be nested under `event.*`. Please
- continue to use `event.risk_score` and `event.risk_score_norm` for event risk.
+ hosts and users. These fields are not allowed to be nested under `event.*`. Please
+ continue to use `event.risk_score` and `event.risk_score_norm` for event risk.
 fields:
 risk.calculated_level:
 dashed_name: risk-calculated-level
@@ -17249,6 +17418,18 @@ threat:
 original_fieldset: code_signature
 short: Boolean to capture if a signature is present.
 type: boolean
+ threat.enrichments.indicator.file.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-file-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: threat.enrichments.indicator.file.code_signature.flags
+ level: extended
+ name: flags
+ normalize: []
+ original_fieldset: code_signature
+ short: Code signing flags of the process
+ type: string
 threat.enrichments.indicator.file.code_signature.signing_id:
 dashed_name: threat-enrichments-indicator-file-code-signature-signing-id
 description: 'The identifier used to sign the process.
@@ -17918,6 +18099,20 @@ threat:
 original_fieldset: file
 short: Primary group name of the file.
 type: keyword
+ threat.enrichments.indicator.file.hash.cdhash:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-file-hash-cdhash
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ flat_name: threat.enrichments.indicator.file.hash.cdhash
+ ignore_above: 1024
+ level: extended
+ name: cdhash
+ normalize: []
+ original_fieldset: hash
+ short: The Code Directory (CD) hash of an executable.
+ type: keyword
 threat.enrichments.indicator.file.hash.md5:
 dashed_name: threat-enrichments-indicator-file-hash-md5
 description: MD5 hash.
@@ -19989,6 +20184,18 @@ threat:
 original_fieldset: code_signature
 short: Boolean to capture if a signature is present.
 type: boolean
+ threat.indicator.file.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-indicator-file-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: threat.indicator.file.code_signature.flags
+ level: extended
+ name: flags
+ normalize: []
+ original_fieldset: code_signature
+ short: Code signing flags of the process
+ type: string
 threat.indicator.file.code_signature.signing_id:
 dashed_name: threat-indicator-file-code-signature-signing-id
 description: 'The identifier used to sign the process.
@@ -20658,6 +20865,20 @@ threat:
 original_fieldset: file
 short: Primary group name of the file.
 type: keyword
+ threat.indicator.file.hash.cdhash:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-indicator-file-hash-cdhash
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ flat_name: threat.indicator.file.hash.cdhash
+ ignore_above: 1024
+ level: extended
+ name: cdhash
+ normalize: []
+ original_fieldset: hash
+ short: The Code Directory (CD) hash of an executable.
+ type: keyword
 threat.indicator.file.hash.md5:
 dashed_name: threat-indicator-file-hash-md5
 description: MD5 hash.
diff --git a/generated/elasticsearch/composable/component/device.json b/generated/elasticsearch/composable/component/device.json
index e03f268c8..741cf8232 100644
--- a/generated/elasticsearch/composable/component/device.json
+++ b/generated/elasticsearch/composable/component/device.json
@@ -27,6 +27,10 @@
 "type": "keyword"
 }
 }
+ },
+ "serial_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
 }
 }
 }
diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json
index d3561dd74..b5f52995c 100644
--- a/generated/elasticsearch/composable/component/dll.json
+++ b/generated/elasticsearch/composable/component/dll.json
@@ -17,6 +17,9 @@
 "exists": {
 "type": "boolean"
 },
+ "flags": {
+ "type": "string"
+ },
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -46,6 +49,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/generated/elasticsearch/composable/component/email.json b/generated/elasticsearch/composable/component/email.json
index 94e8c7008..4046e3355 100644
--- a/generated/elasticsearch/composable/component/email.json
+++ b/generated/elasticsearch/composable/component/email.json
@@ -18,6 +18,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json
index 12abc67d4..251095c01 100644
--- a/generated/elasticsearch/composable/component/file.json
+++ b/generated/elasticsearch/composable/component/file.json
@@ -24,6 +24,9 @@
 "exists": {
 "type": "boolean"
 },
+ "flags": {
+ "type": "string"
+ },
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -233,6 +236,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json
index 6cc1382d1..610ff7484 100644
--- a/generated/elasticsearch/composable/component/process.json
+++ b/generated/elasticsearch/composable/component/process.json
@@ -24,6 +24,9 @@
 "exists": {
 "type": "boolean"
 },
+ "flags": {
+ "type": "string"
+ },
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -674,6 +677,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -824,6 +831,9 @@
 "exists": {
 "type": "boolean"
 },
+ "flags": {
+ "type": "string"
+ },
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1055,6 +1065,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json
index 367a251a2..d837e5736 100644
--- a/generated/elasticsearch/composable/component/threat.json
+++ b/generated/elasticsearch/composable/component/threat.json
@@ -66,6 +66,9 @@
 "exists": {
 "type": "boolean"
 },
+ "flags": {
+ "type": "string"
+ },
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -275,6 +278,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -995,6 +1002,9 @@
 "exists": {
 "type": "boolean"
 },
+ "flags": {
+ "type": "string"
+ },
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1204,6 +1214,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json
index c4dafc81d..a6c73b58c 100644
--- a/generated/elasticsearch/legacy/template.json
+++ b/generated/elasticsearch/legacy/template.json
@@ -740,6 +740,10 @@
 "type": "keyword"
 }
 }
+ },
+ "serial_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
 }
 }
 },
@@ -754,6 +758,9 @@
 "exists": {
 "type": "boolean"
 },
+ "flags": {
+ "type": "string"
+ },
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -783,6 +790,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1008,6 +1019,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1318,6 +1333,9 @@
 "exists": {
 "type": "boolean"
 },
+ "flags": {
+ "type": "string"
+ },
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1527,6 +1545,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -2711,6 +2733,9 @@
 "exists": {
 "type": "boolean"
 },
+ "flags": {
+ "type": "string"
+ },
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -3361,6 +3386,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -3511,6 +3540,9 @@
 "exists": {
 "type": "boolean"
 },
+ "flags": {
+ "type": "string"
+ },
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -3742,6 +3774,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -5249,6 +5285,9 @@
 "exists": {
 "type": "boolean"
 },
+ "flags": {
+ "type": "string"
+ },
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -5458,6 +5497,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -6178,6 +6221,9 @@
 "exists": {
 "type": "boolean"
 },
+ "flags": {
+ "type": "string"
+ },
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -6387,6 +6433,10 @@
 },
 "hash": {
 "properties": {
+ "cdhash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/rfcs/text/0044-add-apple-platform-specific-fields.md b/rfcs/text/0044-add-apple-platform-specific-fields.md
index 68d0da321..1c58a32b9 100644
--- a/rfcs/text/0044-add-apple-platform-specific-fields.md
+++ b/rfcs/text/0044-add-apple-platform-specific-fields.md
@@ -1,8 +1,8 @@
 # 0044: Apple Platform specific fields
-- Stage: **0 (strawperson)**
-- Date: **2024-08-13**
+- Stage: **2 (Candidate)**
+- Date: **2024-09-11**
 ### Summary
@@ -60,7 +60,11 @@ Stage 2: Included a real world example source document. Ideally this example com
 Stage 3: Add more real world example source documents so we have at least 2 total, but ideally 3. Format as described in stage 2.
 -->
-
+https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228978-is_es_client
+
+https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228979-is_platform_binary
+
+https://developer.apple.com/documentation/endpointsecurity/es_process_t/3684982-responsible_audit_token
+
+https://developer.apple.com/documentation/endpointsecurity/es_process_t/3334987-codesigning_flags
+
+https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228976-cdhash
+
 ### RFC Pull Requests
 * Stage 0: https://github.com/elastic/ecs/pull/2338
+* Stage 2: https://github.com/elastic/ecs/pull/2370