Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add 2 fields to code_signature #1269

Merged
merged 9 commits into from
Feb 18, 2021
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.next.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ Thanks, you're awesome :-) -->
* Added `cloud.service.name`. #1204
* Added `hash.ssdeep`. #1169
* Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
* Added `code_signature.team_id`, `code_signature.signing_id`. #1249

#### Improvements

Expand Down
10 changes: 10 additions & 0 deletions code/go/ecs/code_signature.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

36 changes: 36 additions & 0 deletions docs/field-details.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -782,6 +782,24 @@ example: `true`

// ===============================================================

|
[[field-code-signature-signing-id]]
<<field-code-signature-signing-id, code_signature.signing_id>>

| The identifier used to sign the process.

This is used to identify the application manufactured by a software vendor. Leave unpopulated if unavailable.

type: keyword



example: `com.apple.xpc.proxy`

| extended

// ===============================================================

|
[[field-code-signature-status]]
<<field-code-signature-status, code_signature.status>>
Expand Down Expand Up @@ -816,6 +834,24 @@ example: `Microsoft Corporation`

// ===============================================================

|
[[field-code-signature-team-id]]
<<field-code-signature-team-id, code_signature.team_id>>

| The team identifier used to sign the process.

This is used to identify the team or vendor of a software product. Leave unpopulated if unavailable.

type: keyword



example: `EQHXZ8M8AV`

| extended

// ===============================================================

|
[[field-code-signature-trusted]]
<<field-code-signature-trusted, code_signature.trusted>>
Expand Down
100 changes: 100 additions & 0 deletions experimental/generated/beats/fields.ecs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -529,6 +529,16 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.

This is used to identify the application manufactured by a software vendor.
Leave unpopulated if unavailable.'
example: com.apple.xpc.proxy
default_field: false
- name: status
level: extended
type: keyword
Expand All @@ -547,6 +557,16 @@
description: Subject name of the code signer
example: Microsoft Corporation
default_field: false
- name: team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.

This is used to identify the team or vendor of a software product. Leave unpopulated
if unavailable.'
example: EQHXZ8M8AV
default_field: false
- name: trusted
level: extended
type: boolean
Expand Down Expand Up @@ -951,6 +971,16 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.

This is used to identify the application manufactured by a software vendor.
Leave unpopulated if unavailable.'
example: com.apple.xpc.proxy
default_field: false
- name: code_signature.status
level: extended
type: keyword
Expand All @@ -969,6 +999,16 @@
description: Subject name of the code signer
example: Microsoft Corporation
default_field: false
- name: code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.

This is used to identify the team or vendor of a software product. Leave unpopulated
if unavailable.'
example: EQHXZ8M8AV
default_field: false
- name: code_signature.trusted
level: extended
type: boolean
Expand Down Expand Up @@ -1636,6 +1676,16 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.

This is used to identify the application manufactured by a software vendor.
Leave unpopulated if unavailable.'
example: com.apple.xpc.proxy
default_field: false
- name: code_signature.status
level: extended
type: keyword
Expand All @@ -1654,6 +1704,16 @@
description: Subject name of the code signer
example: Microsoft Corporation
default_field: false
- name: code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.

This is used to identify the team or vendor of a software product. Leave unpopulated
if unavailable.'
example: EQHXZ8M8AV
default_field: false
- name: code_signature.trusted
level: extended
type: boolean
Expand Down Expand Up @@ -3564,6 +3624,16 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.

This is used to identify the application manufactured by a software vendor.
Leave unpopulated if unavailable.'
example: com.apple.xpc.proxy
default_field: false
- name: code_signature.status
level: extended
type: keyword
Expand All @@ -3582,6 +3652,16 @@
description: Subject name of the code signer
example: Microsoft Corporation
default_field: false
- name: code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.

This is used to identify the team or vendor of a software product. Leave unpopulated
if unavailable.'
example: EQHXZ8M8AV
default_field: false
- name: code_signature.trusted
level: extended
type: boolean
Expand Down Expand Up @@ -3711,6 +3791,16 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: parent.code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.

This is used to identify the application manufactured by a software vendor.
Leave unpopulated if unavailable.'
example: com.apple.xpc.proxy
default_field: false
- name: parent.code_signature.status
level: extended
type: keyword
Expand All @@ -3729,6 +3819,16 @@
description: Subject name of the code signer
example: Microsoft Corporation
default_field: false
- name: parent.code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.

This is used to identify the team or vendor of a software product. Leave unpopulated
if unavailable.'
example: EQHXZ8M8AV
default_field: false
- name: parent.code_signature.trusted
level: extended
type: boolean
Expand Down
8 changes: 8 additions & 0 deletions experimental/generated/csv/fields.csv
Original file line number Diff line number Diff line change
Expand Up @@ -106,8 +106,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
2.0.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
2.0.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
2.0.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
2.0.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
2.0.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
2.0.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
2.0.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
2.0.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
2.0.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
Expand Down Expand Up @@ -177,8 +179,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed.
2.0.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
2.0.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
2.0.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
2.0.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
2.0.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
2.0.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
2.0.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
2.0.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
2.0.0-dev+exp,true,file,file.created,date,extended,,,File creation time.
Expand Down Expand Up @@ -395,8 +399,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
2.0.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
2.0.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
2.0.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
2.0.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
2.0.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
2.0.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
2.0.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
2.0.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
2.0.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
Expand All @@ -415,8 +421,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
2.0.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
2.0.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
2.0.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
2.0.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
2.0.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
2.0.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
2.0.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
2.0.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
2.0.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
Expand Down
Loading