From b58d63b61d52f427cf539dae2b26dba439d6f835 Mon Sep 17 00:00:00 2001
From: Yamin Tian
Date: Tue, 16 Feb 2021 17:18:16 -0800
Subject: [PATCH 1/8] add 2 fields to code_signature
---
 schemas/code_signature.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml
index 1b22434eb1..d3e497164b 100644
--- a/schemas/code_signature.yml
+++ b/schemas/code_signature.yml
@@ -57,3 +57,25 @@
 This is useful for logging cryptographic errors with the certificate validity or
 trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
 example: ERROR_UNTRUSTED_ROOT
+
+ - name: team_id
+ level: extended
+ type: keyword
+ short: The team identifier used to sign the process.
+ description: >
+ The team identifier used to sign the process.
+
+ This is used to identify the team or vendor of a software product.
+ Leave unpopulated if unavailable.
+ example: EQHXZ8M8AV
+
+ - name: signing_id
+ level: extended
+ type: keyword
+ short: The identifier used to sign the process.
+ description: >
+ The identifier used to sign the process.
+
+ This is used to identify the application manufactured by a software vendor.
+ Leave unpopulated if unavailable.
+ example: com.apple.xpc.proxy
From 0be1dc5920dcefc02935b6b703b1f599d8bf6243 Mon Sep 17 00:00:00 2001
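Review bot: Both new `short` and `description` texts say the identifier was used to sign "the process", but this field set is also reused under file and dll (the generated files later in this series add file.code_signature.team_id and dll.code_signature.signing_id), so the wording is wrong for two of the three places the fields surface, and the sibling fields (`Subject name of the code signer`, `Boolean to capture if a signature is present`) avoid naming a carrier. Suggest `short: The team identifier used to sign the code.` and `short: The identifier used to sign the code.`, with the first sentence of each description changed the same way; the Go struct comments and docs in the next commit are generated from this text, so a regen picks it up. The examples `EQHXZ8M8AV` and `com.apple.xpc.proxy` look like an Apple Developer Team ID and a bundle-style signing identifier; if these values only exist for Apple code signing, the description should say which platforms populate them, otherwise a Windows or Linux producer cannot tell what, if anything, belongs here. It would also help detection authors to state that both values are asserted by the signature itself and should be read together with `code_signature.trusted` and `code_signature.valid`, since a signature that was not verified can carry any team or signing identifier.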
From: Yamin Tian
Date: Tue, 16 Feb 2021 18:29:51 -0800
Subject: [PATCH 2/8] make generated changes
---
 code/go/ecs/code_signature.go | 10 ++
 docs/field-details.asciidoc | 36 +++++
 experimental/generated/beats/fields.ecs.yml | 100 ++++++++++++
 experimental/generated/csv/fields.csv | 8 +
 experimental/generated/ecs/ecs_flat.yml | 120 ++++++++++++++
 experimental/generated/ecs/ecs_nested.yml | 148 ++++++++++++++++++
 .../generated/elasticsearch/7/template.json | 32 ++++
 .../elasticsearch/component/dll.json | 8 +
 .../elasticsearch/component/file.json | 8 +
 .../elasticsearch/component/process.json | 16 ++
 generated/beats/fields.ecs.yml | 100 ++++++++++++
 generated/csv/fields.csv | 8 +
 generated/ecs/ecs_flat.yml | 120 ++++++++++++++
 generated/ecs/ecs_nested.yml | 148 ++++++++++++++++++
 generated/elasticsearch/6/template.json | 32 ++++
 generated/elasticsearch/7/template.json | 32 ++++
 generated/elasticsearch/component/dll.json | 8 +
 generated/elasticsearch/component/file.json | 8 +
 .../elasticsearch/component/process.json | 16 ++
 19 files changed, 958 insertions(+)
diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go
index df61c3b935..3a6007c04c 100644
--- a/code/go/ecs/code_signature.go
+++ b/code/go/ecs/code_signature.go
@@ -43,4 +43,14 @@ type CodeSignature struct {
 // validity or trust status. Leave unpopulated if the validity or trust of
 // the certificate was unchecked.
 Status string `ecs:"status"`
+
+ // The team identifier used to sign the process.
+ // This is used to identify the team or vendor of a software product. Leave
+ // unpopulated if unavailable.
+ TeamID string `ecs:"team_id"`
+
+ // The identifier used to sign the process.
+ // This is used to identify the application manufactured by a software
+ // vendor. Leave unpopulated if unavailable.
+ SigningID string `ecs:"signing_id"`
 }
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 12cfbc5870..fe2b43f4a5 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc @@ -782,6 +782,24 @@ example: `true` // =============================================================== +| +[[field-code-signature-signing-id]] +<> + +| The identifier used to sign the process. + +This is used to identify the application manufactured by a software vendor. Leave unpopulated if unavailable. + +type: keyword + + + +example: `com.apple.xpc.proxy` + +| extended + +// =============================================================== + | [[field-code-signature-status]] <> @@ -816,6 +834,24 @@ example: `Microsoft Corporation` // =============================================================== +| +[[field-code-signature-team-id]] +<> + +| The team identifier used to sign the process. + +This is used to identify the team or vendor of a software product. Leave unpopulated if unavailable. + +type: keyword + + + +example: `EQHXZ8M8AV` + +| extended + +// =============================================================== + | [[field-code-signature-trusted]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 40563448ef..e6622a21e9 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -529,6 +529,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + default_field: false - name: status level: extended type: keyword 
@@ -547,6 +557,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + default_field: false - name: trusted level: extended type: boolean @@ -951,6 +971,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -969,6 +999,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean @@ -1636,6 +1676,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword 
@@ -1654,6 +1704,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean @@ -3564,6 +3624,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -3582,6 +3652,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean @@ -3711,6 +3791,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: parent.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + default_field: false - name: parent.code_signature.status level: extended type: keyword 
@@ -3729,6 +3819,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: parent.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + default_field: false - name: parent.code_signature.trusted level: extended type: boolean diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 6c9e5db81c..cebb520581 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -106,8 +106,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. 2.0.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 2.0.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 2.0.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 2.0.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 2.0.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 2.0.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 2.0.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 
@@ -177,8 +179,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. 2.0.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 2.0.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 2.0.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 2.0.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 2.0.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 2.0.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 2.0.0-dev+exp,true,file,file.created,date,extended,,,File creation time. 
@@ -395,8 +399,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 2.0.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. 2.0.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 2.0.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 2.0.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 2.0.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 2.0.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 2.0.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
@@ -415,8 +421,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 2.0.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 2.0.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 2.0.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 2.0.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 2.0.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 2.0.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 2.0.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index ba35594e18..090a8f2545 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -1255,6 +1255,21 @@ dll.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +dll.code_signature.signing_id: + dashed_name: dll-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. Leave + unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: dll.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword dll.code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -1283,6 +1298,21 @@ dll.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +dll.code_signature.team_id: + dashed_name: dll-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: dll.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword dll.code_signature.trusted: dashed_name: dll-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -2583,6 +2613,21 @@ file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +file.code_signature.signing_id: + dashed_name: file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. Leave + unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword file.code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -2611,6 +2656,21 @@ file.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +file.code_signature.team_id: + dashed_name: file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword file.code_signature.trusted: dashed_name: file-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -5226,6 +5286,21 @@ process.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.code_signature.signing_id: + dashed_name: process-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. Leave + unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: process.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. @@ -5254,6 +5329,21 @@ process.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +process.code_signature.team_id: + dashed_name: process-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: process.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.code_signature.trusted: dashed_name: process-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -5462,6 +5552,21 @@ process.parent.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. Leave + unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.parent.code_signature.status: dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. @@ -5490,6 +5595,21 @@ process.parent.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index ff10e027f4..2b65f0dcbc 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -880,6 +880,20 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.signing_id: + dashed_name: code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + short: The identifier used to sign the process. + type: keyword code_signature.status: dashed_name: code-signature-status description: 'Additional information about the certificate status. @@ -906,6 +920,20 @@ code_signature: normalize: [] short: Subject name of the code signer type: keyword + code_signature.team_id: + dashed_name: code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + short: The team identifier used to sign the process. + type: keyword code_signature.trusted: dashed_name: code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -1601,6 +1629,21 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.signing_id: + dashed_name: dll-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: dll.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword dll.code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -1629,6 +1672,21 @@ dll: original_fieldset: code_signature short: Subject name of the code signer type: keyword + dll.code_signature.team_id: + dashed_name: dll-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: dll.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword dll.code_signature.trusted: dashed_name: dll-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -3031,6 +3089,21 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.signing_id: + dashed_name: file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword file.code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -3059,6 +3132,21 @@ file: original_fieldset: code_signature short: Subject name of the code signer type: keyword + file.code_signature.team_id: + dashed_name: file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword file.code_signature.trusted: dashed_name: file-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -6368,6 +6456,21 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.signing_id: + dashed_name: process-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: process.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. @@ -6396,6 +6499,21 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword + process.code_signature.team_id: + dashed_name: process-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: process.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.code_signature.trusted: dashed_name: process-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -6604,6 +6722,21 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.parent.code_signature.status: dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. @@ -6632,6 +6765,21 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword + process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 0eabce58f9..1ebc2f76c7 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json 
@@ -514,6 +514,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -522,6 +526,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -819,6 +827,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -827,6 +839,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1841,6 +1857,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1849,6 +1869,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1929,6 +1953,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1937,6 +1965,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json index d6a6ad6899..f7cc2d9fc1 100644 --- a/experimental/generated/elasticsearch/component/dll.json +++ b/experimental/generated/elasticsearch/component/dll.json @@ -13,6 +13,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -21,6 +25,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, 
diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json index 8d771b34fc..198501754d 100644 --- a/experimental/generated/elasticsearch/component/file.json +++ b/experimental/generated/elasticsearch/component/file.json @@ -20,6 +20,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -28,6 +32,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json index 54b6700f89..8b73981614 100644 --- a/experimental/generated/elasticsearch/component/process.json +++ b/experimental/generated/elasticsearch/component/process.json @@ -20,6 +20,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -28,6 +32,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -108,6 +116,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -116,6 +128,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 0224230cf0..f24cfd501c 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -538,6 +538,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + default_field: false - name: status level: extended type: keyword @@ -556,6 +566,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + default_field: false - name: trusted level: extended type: boolean @@ -915,6 +935,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -933,6 +963,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean 
@@ -1606,6 +1646,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -1624,6 +1674,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean @@ -3514,6 +3574,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -3532,6 +3602,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean 
@@ -3664,6 +3744,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: parent.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + default_field: false - name: parent.code_signature.status level: extended type: keyword @@ -3682,6 +3772,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: parent.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + default_field: false - name: parent.code_signature.trusted level: extended type: boolean diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index fff03bd7ae..b45c28cf57 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -103,8 +103,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. 2.0.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 2.0.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 2.0.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 2.0.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 2.0.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 2.0.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 2.0.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 
@@ -174,8 +176,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. 2.0.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 2.0.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 2.0.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 2.0.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 2.0.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 2.0.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 2.0.0-dev,true,file,file.created,date,extended,,,File creation time. 
@@ -385,8 +389,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 2.0.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. 2.0.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 2.0.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 2.0.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 2.0.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 2.0.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 2.0.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
@@ -405,8 +411,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 2.0.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 2.0.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 2.0.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 2.0.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 2.0.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 2.0.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 2.0.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index b92392d17e..abc7aa7568 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1224,6 +1224,21 @@ dll.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +dll.code_signature.signing_id: + dashed_name: dll-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. Leave + unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: dll.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword dll.code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -1252,6 +1267,21 @@ dll.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +dll.code_signature.team_id: + dashed_name: dll-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: dll.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword dll.code_signature.trusted: dashed_name: dll-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -2559,6 +2589,21 @@ file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +file.code_signature.signing_id: + dashed_name: file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. Leave + unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword file.code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -2587,6 +2632,21 @@ file.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +file.code_signature.team_id: + dashed_name: file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword file.code_signature.trusted: dashed_name: file-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -5150,6 +5210,21 @@ process.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.code_signature.signing_id: + dashed_name: process-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. Leave + unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: process.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. @@ -5178,6 +5253,21 @@ process.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +process.code_signature.team_id: + dashed_name: process-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: process.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.code_signature.trusted: dashed_name: process-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -5389,6 +5479,21 @@ process.parent.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. Leave + unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.parent.code_signature.status: dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. @@ -5417,6 +5522,21 @@ process.parent.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index b11ded1d60..6e78f122f1 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -889,6 +889,20 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.signing_id: + dashed_name: code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + short: The identifier used to sign the process. + type: keyword code_signature.status: dashed_name: code-signature-status description: 'Additional information about the certificate status. @@ -915,6 +929,20 @@ code_signature: normalize: [] short: Subject name of the code signer type: keyword + code_signature.team_id: + dashed_name: code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + short: The team identifier used to sign the process. + type: keyword code_signature.trusted: dashed_name: code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -1548,6 +1576,21 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.signing_id: + dashed_name: dll-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: dll.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword dll.code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -1576,6 +1619,21 @@ dll: original_fieldset: code_signature short: Subject name of the code signer type: keyword + dll.code_signature.team_id: + dashed_name: dll-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: dll.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword dll.code_signature.trusted: dashed_name: dll-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -2985,6 +3043,21 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.signing_id: + dashed_name: file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword file.code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -3013,6 +3086,21 @@ file: original_fieldset: code_signature short: Subject name of the code signer type: keyword + file.code_signature.team_id: + dashed_name: file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword file.code_signature.trusted: dashed_name: file-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -6274,6 +6362,21 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.signing_id: + dashed_name: process-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: process.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. @@ -6302,6 +6405,21 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword + process.code_signature.team_id: + dashed_name: process-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: process.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.code_signature.trusted: dashed_name: process-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -6513,6 +6631,21 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + Leave unpopulated if unavailable.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.parent.code_signature.status: dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. @@ -6541,6 +6674,21 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword + process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. Leave unpopulated + if unavailable.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 53a790dd46..5cbc64a0f4 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -517,6 +517,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -525,6 +529,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -829,6 +837,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -837,6 +849,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1823,6 +1839,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1831,6 +1851,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1914,6 +1938,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1922,6 +1950,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 590142e166..e5184c3747 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -516,6 +516,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -524,6 +528,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, 
@@ -828,6 +836,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -836,6 +848,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1822,6 +1838,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1830,6 +1850,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1913,6 +1937,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1921,6 +1949,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json index a0ccb8f130..a9f4ddfb47 100644 --- a/generated/elasticsearch/component/dll.json +++ b/generated/elasticsearch/component/dll.json @@ -13,6 +13,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -21,6 +25,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json index 42dd4cef41..ea4c4a4a1d 100644 --- a/generated/elasticsearch/component/file.json +++ b/generated/elasticsearch/component/file.json @@ -20,6 +20,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" 
@@ -28,6 +32,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json index b91f0be9f6..5bbf33b350 100644 --- a/generated/elasticsearch/component/process.json +++ b/generated/elasticsearch/component/process.json @@ -20,6 +20,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -28,6 +32,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -111,6 +119,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -119,6 +131,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, From 29007764f47c8e3850a3c3aae20b8e9a69713d62 Mon Sep 17 00:00:00 2001 From: Yamin Tian Date: Tue, 16 Feb 2021 19:00:02 -0800 Subject: [PATCH 3/8] changelog --- CHANGELOG.next.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 7d0346ed09..caa630c105 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -21,6 +21,7 @@ Thanks, you're awesome :-) --> * Added `cloud.service.name`. #1204 * Added `hash.ssdeep`. #1169 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229 +* Added `code_signature.team_id`, `code_signature.signing_id`. #1249 #### Improvements From 03cc1f8b1b0892e9201e3a029c87d22878d61b8f Mon Sep 17 00:00:00 2001 
From: Yamin Tian <56367679+Trinity2019@users.noreply.github.com> Date: Wed, 17 Feb 2021 09:00:10 -0800 Subject: [PATCH 4/8] Update schemas/code_signature.yml Co-authored-by: Eric Beahan --- schemas/code_signature.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index d3e497164b..fcc062cffd 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml @@ -66,7 +66,6 @@ The team identifier used to sign the process. This is used to identify the team or vendor of a software product. - Leave unpopulated if unavailable. example: EQHXZ8M8AV - name: signing_id From cc9999fb9807426b9a74a283d9e8f0f7727c91a8 Mon Sep 17 00:00:00 2001 From: Yamin Tian Date: Wed, 17 Feb 2021 10:51:18 -0800 Subject: [PATCH 5/8] cleanup unnecessary comment --- schemas/code_signature.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index fcc062cffd..7244c7d12c 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml @@ -76,5 +76,4 @@ The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable. example: com.apple.xpc.proxy From 194c805a3ff7f5d0cd6ddeb4f6d65f17099c0324 Mon Sep 17 00:00:00 2001 From: Yamin Tian Date: Wed, 17 Feb 2021 10:56:44 -0800 Subject: [PATCH 6/8] update description fields --- code/go/ecs/code_signature.go | 5 ++-- docs/field-details.asciidoc | 4 +-- experimental/generated/beats/fields.ecs.yml | 30 +++++++-------------- experimental/generated/ecs/ecs_flat.yml | 24 ++++++----------- experimental/generated/ecs/ecs_nested.yml | 30 +++++++-------------- generated/beats/fields.ecs.yml | 30 +++++++-------------- generated/ecs/ecs_flat.yml | 24 ++++++----------- generated/ecs/ecs_nested.yml | 30 +++++++-------------- 8 files changed, 60 insertions(+), 117 deletions(-) 
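Review bot: The wording this hunk keeps for `team_id`, `The team identifier used to sign the process.`, is inaccurate for two of the three places the field set is reused: the generated output later in this series lists `dll.code_signature.team_id` and `file.code_signature.team_id`, where no process is involved. I would change both `short` and the first description sentence to `The team identifier used to sign the binary.` so it reads correctly under `process`, `file` and `dll`. Because the value is carried by the signature itself, I would also add a sentence tying it to the existing booleans in this field set, e.g. `Only meaningful when code_signature.trusted and code_signature.valid are true; a value from an unverified signature should not be used as vendor attribution.` The example `EQHXZ8M8AV` looks like an Apple developer Team ID; if the field is only populated for macOS signatures, saying so would stop analysts expecting it on Windows events.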
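Review bot: The `signing_id` description left by this hunk presents the value as identifying `the application manufactured by a software vendor`, but it is set by whoever signs the binary, not derived from the certificate chain, so a rule that matches `code_signature.signing_id: com.apple.xpc.proxy` on its own can be satisfied by any binary whose signer chose that identifier. I would add one sentence to the description: `Match this field together with code_signature.team_id and code_signature.trusted; on its own the identifier does not establish who produced the binary.` As with `team_id`, the first sentence should say `used to sign the binary` rather than `the process`, since the generated files in this series also place the field under `file` and `dll`.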
diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go index 3a6007c04c..fe81ce62a1 100644 --- a/code/go/ecs/code_signature.go +++ b/code/go/ecs/code_signature.go @@ -45,12 +45,11 @@ type CodeSignature struct { Status string `ecs:"status"` // The team identifier used to sign the process. - // This is used to identify the team or vendor of a software product. Leave - // unpopulated if unavailable. + // This is used to identify the team or vendor of a software product. TeamID string `ecs:"team_id"` // The identifier used to sign the process. // This is used to identify the application manufactured by a software - // vendor. Leave unpopulated if unavailable. + // vendor. SigningID string `ecs:"signing_id"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index fe2b43f4a5..54944f1804 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -788,7 +788,7 @@ example: `true` | The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. Leave unpopulated if unavailable. +This is used to identify the application manufactured by a software vendor. type: keyword @@ -840,7 +840,7 @@ example: `Microsoft Corporation` | The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. Leave unpopulated if unavailable. +This is used to identify the team or vendor of a software product. type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index e6622a21e9..eb43f21635 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -535,8 +535,7 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy default_field: false - name: status @@ -563,8 +562,7 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV default_field: false - name: trusted @@ -977,8 +975,7 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status @@ -1005,8 +1002,7 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted @@ -1682,8 +1678,7 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status 
@@ -1710,8 +1705,7 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted @@ -3630,8 +3624,7 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status @@ -3658,8 +3651,7 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted @@ -3797,8 +3789,7 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy default_field: false - name: parent.code_signature.status @@ -3825,8 +3816,7 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV default_field: false - name: parent.code_signature.trusted diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 090a8f2545..8f71d0d760 100644 --- a/experimental/generated/ecs/ecs_flat.yml 
+++ b/experimental/generated/ecs/ecs_flat.yml @@ -1259,8 +1259,7 @@ dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. Leave - unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: dll.code_signature.signing_id ignore_above: 1024 @@ -1302,8 +1301,7 @@ dll.code_signature.team_id: dashed_name: dll-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: dll.code_signature.team_id ignore_above: 1024 @@ -2617,8 +2615,7 @@ file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. Leave - unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: file.code_signature.signing_id ignore_above: 1024 @@ -2660,8 +2657,7 @@ file.code_signature.team_id: dashed_name: file-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: file.code_signature.team_id ignore_above: 1024 
@@ -5290,8 +5286,7 @@ process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. Leave - unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: process.code_signature.signing_id ignore_above: 1024 @@ -5333,8 +5328,7 @@ process.code_signature.team_id: dashed_name: process-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: process.code_signature.team_id ignore_above: 1024 @@ -5556,8 +5550,7 @@ process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. Leave - unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: process.parent.code_signature.signing_id ignore_above: 1024 @@ -5599,8 +5592,7 @@ process.parent.code_signature.team_id: dashed_name: process-parent-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: process.parent.code_signature.team_id ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 2b65f0dcbc..393ac03213 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -884,8 +884,7 @@ code_signature: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: code_signature.signing_id ignore_above: 1024 @@ -924,8 +923,7 @@ code_signature: dashed_name: code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: code_signature.team_id ignore_above: 1024 @@ -1633,8 +1631,7 @@ dll: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: dll.code_signature.signing_id ignore_above: 1024 @@ -1676,8 +1673,7 @@ dll: dashed_name: dll-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: dll.code_signature.team_id ignore_above: 1024 @@ -3093,8 +3089,7 @@ file: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: file.code_signature.signing_id ignore_above: 1024 
@@ -3136,8 +3131,7 @@ file: dashed_name: file-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: file.code_signature.team_id ignore_above: 1024 @@ -6460,8 +6454,7 @@ process: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: process.code_signature.signing_id ignore_above: 1024 @@ -6503,8 +6496,7 @@ process: dashed_name: process-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: process.code_signature.team_id ignore_above: 1024 @@ -6726,8 +6718,7 @@ process: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: process.parent.code_signature.signing_id ignore_above: 1024 
@@ -6769,8 +6760,7 @@ process: dashed_name: process-parent-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: process.parent.code_signature.team_id ignore_above: 1024 diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index f24cfd501c..0bab11a733 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -544,8 +544,7 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy default_field: false - name: status @@ -572,8 +571,7 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV default_field: false - name: trusted @@ -941,8 +939,7 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status @@ -969,8 +966,7 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted 
@@ -1652,8 +1648,7 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status @@ -1680,8 +1675,7 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted @@ -3580,8 +3574,7 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status @@ -3608,8 +3601,7 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted @@ -3750,8 +3742,7 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy default_field: false - name: parent.code_signature.status 
@@ -3778,8 +3769,7 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV default_field: false - name: parent.code_signature.trusted diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index abc7aa7568..9d32cdfcc2 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1228,8 +1228,7 @@ dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. Leave - unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: dll.code_signature.signing_id ignore_above: 1024 @@ -1271,8 +1270,7 @@ dll.code_signature.team_id: dashed_name: dll-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: dll.code_signature.team_id ignore_above: 1024 @@ -2593,8 +2591,7 @@ file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. Leave - unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: file.code_signature.signing_id ignore_above: 1024 
@@ -2636,8 +2633,7 @@ file.code_signature.team_id: dashed_name: file-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: file.code_signature.team_id ignore_above: 1024 @@ -5214,8 +5210,7 @@ process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. Leave - unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: process.code_signature.signing_id ignore_above: 1024 @@ -5257,8 +5252,7 @@ process.code_signature.team_id: dashed_name: process-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: process.code_signature.team_id ignore_above: 1024 @@ -5483,8 +5477,7 @@ process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. Leave - unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: process.parent.code_signature.signing_id ignore_above: 1024 
@@ -5526,8 +5519,7 @@ process.parent.code_signature.team_id: dashed_name: process-parent-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: process.parent.code_signature.team_id ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 6e78f122f1..0d1e0490ee 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -893,8 +893,7 @@ code_signature: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: code_signature.signing_id ignore_above: 1024 @@ -933,8 +932,7 @@ code_signature: dashed_name: code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: code_signature.team_id ignore_above: 1024 @@ -1580,8 +1578,7 @@ dll: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: dll.code_signature.signing_id ignore_above: 1024 
@@ -1623,8 +1620,7 @@ dll: dashed_name: dll-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: dll.code_signature.team_id ignore_above: 1024 @@ -3047,8 +3043,7 @@ file: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: file.code_signature.signing_id ignore_above: 1024 @@ -3090,8 +3085,7 @@ file: dashed_name: file-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: file.code_signature.team_id ignore_above: 1024 @@ -6366,8 +6360,7 @@ process: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: process.code_signature.signing_id ignore_above: 1024 @@ -6409,8 +6402,7 @@ process: dashed_name: process-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: process.code_signature.team_id ignore_above: 1024 
@@ -6635,8 +6627,7 @@ process: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor. - Leave unpopulated if unavailable.' + This is used to identify the application manufactured by a software vendor.' example: com.apple.xpc.proxy flat_name: process.parent.code_signature.signing_id ignore_above: 1024 @@ -6678,8 +6669,7 @@ process: dashed_name: process-parent-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product. Leave unpopulated - if unavailable.' + This is used to identify the team or vendor of a software product.' example: EQHXZ8M8AV flat_name: process.parent.code_signature.team_id ignore_above: 1024 From 5a6d1b20e1865d265956859a996b433294154183 Mon Sep 17 00:00:00 2001 From: Yamin Tian Date: Wed, 17 Feb 2021 11:31:01 -0800 Subject: [PATCH 7/8] review feedback --- schemas/code_signature.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index 7244c7d12c..e86cf88827 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml @@ -66,6 +66,7 @@ The team identifier used to sign the process. This is used to identify the team or vendor of a software product. + The field is relevant to Apple *OS only. example: EQHXZ8M8AV - name: signing_id @@ -76,4 +77,5 @@ The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only. example: com.apple.xpc.proxy From ef9da929b50066a20f830cf3d927946737891622 Mon Sep 17 00:00:00 2001 
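Review bot: The sentence added to both descriptions, `The field is relevant to Apple *OS only.`, narrows the platform but leaves a trust gap: a team ID and a signing ID are whatever the signer embedded in the signature, so on their own they do not establish who the vendor is, and the description should tell analysts to read them together with `code_signature.trusted` and `code_signature.status` before using the value for vendor attribution. The descriptions also still say the identifier was used to sign "the process", while the generated output in this same series nests the fields under `file.code_signature` and `dll.code_signature`, so "the binary" would be accurate for all three reuses. Proposed wording for team_id: `The team identifier used to sign the binary. On Apple platforms this identifies the team or vendor of a software product; it is only meaningful when the signature is valid and trusted (see code_signature.trusted).` The signing_id description should get the same two changes, and `Apple *OS` is clearer spelled out as `Apple platforms`.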
From: Yamin Tian Date: Wed, 17 Feb 2021 12:10:15 -0800 Subject: [PATCH 8/8] modify descriptions --- code/go/ecs/code_signature.go | 5 ++-- docs/field-details.asciidoc | 4 +-- experimental/generated/beats/fields.ecs.yml | 30 ++++++++++++++------- experimental/generated/ecs/ecs_flat.yml | 24 +++++++++++------ experimental/generated/ecs/ecs_nested.yml | 30 ++++++++++++++------- generated/beats/fields.ecs.yml | 30 ++++++++++++++------- generated/ecs/ecs_flat.yml | 24 +++++++++++------ generated/ecs/ecs_nested.yml | 30 ++++++++++++++------- 8 files changed, 117 insertions(+), 60 deletions(-) diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go index fe81ce62a1..c13152941d 100644 --- a/code/go/ecs/code_signature.go +++ b/code/go/ecs/code_signature.go @@ -45,11 +45,12 @@ type CodeSignature struct { Status string `ecs:"status"` // The team identifier used to sign the process. - // This is used to identify the team or vendor of a software product. + // This is used to identify the team or vendor of a software product. The + // field is relevant to Apple *OS only. TeamID string `ecs:"team_id"` // The identifier used to sign the process. // This is used to identify the application manufactured by a software - // vendor. + // vendor. The field is relevant to Apple *OS only. SigningID string `ecs:"signing_id"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index cbddca911b..18fd6dd687 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -788,7 +788,7 @@ example: `true` | The identifier used to sign the process. -This is used to identify the application manufactured by a software vendor. +This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only. type: keyword 
@@ -840,7 +840,7 @@ example: `Microsoft Corporation` | The team identifier used to sign the process. -This is used to identify the team or vendor of a software product. +This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only. type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index c944e0840b..e03030c9b8 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -535,7 +535,8 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: status @@ -562,7 +563,8 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: trusted @@ -975,7 +977,8 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status @@ -1002,7 +1005,8 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted 
@@ -1888,7 +1892,8 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status @@ -1915,7 +1920,8 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted @@ -4256,7 +4262,8 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status @@ -4283,7 +4290,8 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted @@ -4421,7 +4429,8 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: parent.code_signature.status 
@@ -4448,7 +4457,8 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: parent.code_signature.trusted diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index db05646cc7..a166c0bc37 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1259,7 +1259,8 @@ dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: dll.code_signature.signing_id ignore_above: 1024 @@ -1301,7 +1302,8 @@ dll.code_signature.team_id: dashed_name: dll-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: dll.code_signature.team_id ignore_above: 1024 @@ -2986,7 +2988,8 @@ file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: file.code_signature.signing_id ignore_above: 1024 
@@ -3028,7 +3031,8 @@ file.code_signature.team_id: dashed_name: file-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: file.code_signature.team_id ignore_above: 1024 @@ -6037,7 +6041,8 @@ process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: process.code_signature.signing_id ignore_above: 1024 @@ -6079,7 +6084,8 @@ process.code_signature.team_id: dashed_name: process-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: process.code_signature.team_id ignore_above: 1024 @@ -6301,7 +6307,8 @@ process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: process.parent.code_signature.signing_id ignore_above: 1024 
@@ -6343,7 +6350,8 @@ process.parent.code_signature.team_id: dashed_name: process-parent-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: process.parent.code_signature.team_id ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 89b376fb83..5c39e8b51f 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -884,7 +884,8 @@ code_signature: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: code_signature.signing_id ignore_above: 1024 @@ -923,7 +924,8 @@ code_signature: dashed_name: code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: code_signature.team_id ignore_above: 1024 @@ -1631,7 +1633,8 @@ dll: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: dll.code_signature.signing_id ignore_above: 1024 
@@ -1673,7 +1676,8 @@ dll: dashed_name: dll-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: dll.code_signature.team_id ignore_above: 1024 @@ -3461,7 +3465,8 @@ file: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: file.code_signature.signing_id ignore_above: 1024 @@ -3503,7 +3508,8 @@ file: dashed_name: file-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: file.code_signature.team_id ignore_above: 1024 @@ -7548,7 +7554,8 @@ process: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: process.code_signature.signing_id ignore_above: 1024 
@@ -7590,7 +7597,8 @@ process: dashed_name: process-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: process.code_signature.team_id ignore_above: 1024 @@ -7812,7 +7820,8 @@ process: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: process.parent.code_signature.signing_id ignore_above: 1024 @@ -7854,7 +7863,8 @@ process: dashed_name: process-parent-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: process.parent.code_signature.team_id ignore_above: 1024 diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index fb5dc2b8ab..57fb93dbab 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -544,7 +544,8 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: status 
@@ -571,7 +572,8 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: trusted @@ -939,7 +941,8 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status @@ -966,7 +969,8 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted @@ -1648,7 +1652,8 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status @@ -1675,7 +1680,8 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted 
@@ -3622,7 +3628,8 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: code_signature.status @@ -3649,7 +3656,8 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: code_signature.trusted @@ -3790,7 +3798,8 @@ ignore_above: 1024 description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - name: parent.code_signature.status @@ -3817,7 +3826,8 @@ ignore_above: 1024 description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - name: parent.code_signature.trusted diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index d35d9727db..d1b62aa903 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1228,7 +1228,8 @@ dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: dll.code_signature.signing_id ignore_above: 1024 @@ -1270,7 +1271,8 @@ dll.code_signature.team_id: dashed_name: dll-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: dll.code_signature.team_id ignore_above: 1024 @@ -2591,7 +2593,8 @@ file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: file.code_signature.signing_id ignore_above: 1024 @@ -2633,7 +2636,8 @@ file.code_signature.team_id: dashed_name: file-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: file.code_signature.team_id ignore_above: 1024 
@@ -5293,7 +5297,8 @@ process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: process.code_signature.signing_id ignore_above: 1024 @@ -5335,7 +5340,8 @@ process.code_signature.team_id: dashed_name: process-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: process.code_signature.team_id ignore_above: 1024 @@ -5560,7 +5566,8 @@ process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: process.parent.code_signature.signing_id ignore_above: 1024 @@ -5602,7 +5609,8 @@ process.parent.code_signature.team_id: dashed_name: process-parent-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: process.parent.code_signature.team_id ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 9b4bcf63f2..24ddb6be63 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -893,7 +893,8 @@ code_signature: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: code_signature.signing_id ignore_above: 1024 @@ -932,7 +933,8 @@ code_signature: dashed_name: code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: code_signature.team_id ignore_above: 1024 @@ -1578,7 +1580,8 @@ dll: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: dll.code_signature.signing_id ignore_above: 1024 @@ -1620,7 +1623,8 @@ dll: dashed_name: dll-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: dll.code_signature.team_id ignore_above: 1024 
@@ -3043,7 +3047,8 @@ file: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: file.code_signature.signing_id ignore_above: 1024 @@ -3085,7 +3090,8 @@ file: dashed_name: file-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: file.code_signature.team_id ignore_above: 1024 @@ -6443,7 +6449,8 @@ process: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: process.code_signature.signing_id ignore_above: 1024 @@ -6485,7 +6492,8 @@ process: dashed_name: process-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: process.code_signature.team_id ignore_above: 1024 
@@ -6710,7 +6718,8 @@ process: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. - This is used to identify the application manufactured by a software vendor.' + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy flat_name: process.parent.code_signature.signing_id ignore_above: 1024 @@ -6752,7 +6761,8 @@ process: dashed_name: process-parent-code-signature-team-id description: 'The team identifier used to sign the process. - This is used to identify the team or vendor of a software product.' + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' example: EQHXZ8M8AV flat_name: process.parent.code_signature.team_id ignore_above: 1024