[RFC] Stage 2: Adding Apple Platform specific fields #2370

Merged
merged 15 commits into from
Sep 11, 2024
Merged
Changes from 14 commits
64 changes: 64 additions & 0 deletions docs/fields/field-details.asciidoc
Expand Up @@ -865,6 +865,24 @@ example: `true`

// ===============================================================

|
[[field-code-signature-flags]]
<<field-code-signature-flags, code_signature.flags>>

a| beta:[ This field is beta and subject to change. ]

The flags used to sign the process.

type: string



example: `570522385`

| extended

// ===============================================================

|
[[field-code-signature-signing-id]]
<<field-code-signature-signing-id, code_signature.signing_id>>
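Review bot: `type: string` on the new `code_signature.flags` entry is not a type used by any other field in this document (the neighbouring additions use `keyword`), and Elasticsearch replaced the `string` mapping type with `keyword`/`text`, so this should be `keyword`, as the inline comment on the generated file also asks. The description "The flags used to sign the process" also needs to say what the value is: the example `570522385` is a decimal integer, and if this is the raw code-signing flags bitmask the entry should say so and state the encoding (decimal or hexadecimal), otherwise analysts cannot reliably match individual bits such as CS_RUNTIME or CS_ADHOC. Finally, `code_signature` is reused under file, dll and threat-indicator fieldsets elsewhere in this diff, so "process" is too narrow; something like "the code-signing flags of the signed object" covers every reuse.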
Expand Down Expand Up @@ -1693,6 +1711,24 @@ example: `Samsung Galaxy S6`

// ===============================================================

|
[[field-device-serial-number]]
<<field-device-serial-number, device.serial_number>>

a| beta:[ This field is beta and subject to change. ]

The unique serial number serves as a distinct identifier for each device, aiding in inventory management and device authentication.

type: keyword



example: `DJGAQS4CW5`

| core

// ===============================================================

|=====


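Review bot: the `device.serial_number` description presents the serial number as "aiding in device authentication"; a serial number is a non-secret, often externally visible identifier and should not be described as an authentication factor. Suggest describing it as a stable hardware identifier as reported by the OS or MDM, and noting that uniqueness is only guaranteed within one manufacturer, so it should be correlated together with the device manufacturer field. Also confirm `level: core` is intended here: every other field added in this PR is `extended`, and a serial number is only available from endpoint or MDM sources.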
Expand Down Expand Up @@ -4811,6 +4847,24 @@ Note that this fieldset is used for common hashes that may be computed over a ra

// ===============================================================

|
[[field-hash-cdhash]]
<<field-hash-cdhash, hash.cdhash>>

a| beta:[ This field is beta and subject to change. ]

Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code.

type: keyword



example: `3783b4052fd474dbe30676b45c329e7a6d44acd9`

| extended

// ===============================================================

|
[[field-hash-md5]]
<<field-hash-md5, hash.md5>>
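Review bot: the `hash.cdhash` description says the code directory hash is used to "authenticate the integrity of the executable code", but a cdhash on its own only identifies a code directory; integrity comes from the signature over it, so the wording should be reduced to identification and, ideally, cross-reference `code_signature`. The entry should also say which cdhash is meant, because a signed Mach-O can carry several (one code directory per hash type, and one per architecture slice in a universal binary); the 40-hex-character example fits a 20-byte digest (SHA-1, or SHA-256 truncated to 20 bytes), and stating which one is expected keeps producers consistent.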
Expand Down Expand Up @@ -8685,6 +8739,8 @@ The `process` fields are expected to be nested at:

* `process.previous`

* `process.responsible`

* `process.session_leader`

* `process.session_leader.parent`
Expand Down Expand Up @@ -8839,6 +8895,14 @@ Note: this reuse should contain an array of process field set objects.
// ===============================================================


| `process.responsible.*`
| <<ecs-process,process>>| beta:[ This field is beta and subject to change.]

Responsible process in macOS tracks the originating process of an app, key for understanding permissions and hierarchy.

// ===============================================================


| `process.saved_group.*`
| <<ecs-group,group>>
| The saved group (sgid).
Expand Down
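Review bot: the `process.responsible.*` description should say what "responsible" means on macOS rather than that it is "key for understanding permissions and hierarchy": the responsible process is the ancestor the OS attributes a process to for privacy (TCC) consent and related permission decisions, for example a script launched from Terminal has Terminal as its responsible process, and it can differ from `process.parent`. The entry should also state whether this reuse is populated only on macOS. Minor: the beta tag here reads `change.]` while the other entries in this file use `change. ]`.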
100 changes: 100 additions & 0 deletions experimental/generated/beats/fields.ecs.yml
Expand Up @@ -1227,6 +1227,14 @@
description: The human readable marketing name of the device model.
example: Samsung Galaxy S6
default_field: false
- name: serial_number
level: core
type: keyword
ignore_above: 1024
description: The unique serial number serves as a distinct identifier for each
device, aiding in inventory management and device authentication.
example: DJGAQS4CW5
default_field: false
- name: dll
title: DLL
group: 2
Expand Down Expand Up @@ -1261,6 +1269,12 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: code_signature.flags
level: extended
type: string
I don't think string is a valid field type. Should this be keyword?

description: The flags used to sign the process.
example: 570522385
default_field: false
- name: code_signature.signing_id
level: extended
type: keyword
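Review bot: agreeing with the inline question, `type: string` on `code_signature.flags` should be `keyword`; in addition this is the only new entry in the hunk without `ignore_above: 1024`, which `serial_number` and `hash.cdhash` both carry, so the generated mapping will differ from the rest of the file. Since this file sits under `experimental/generated/`, fix the schema source and regenerate rather than editing the output by hand.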
Expand Down Expand Up @@ -1323,6 +1337,14 @@
Leave unpopulated if a certificate was unchecked.'
example: 'true'
default_field: false
- name: hash.cdhash
level: extended
type: keyword
ignore_above: 1024
description: Code directory hash, utilized to uniquely identify and authenticate
the integrity of the executable code.
example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
default_field: false
- name: hash.md5
level: extended
type: keyword
Expand Down Expand Up @@ -1760,6 +1782,14 @@
description: Attachment file extension, excluding the leading dot.
example: txt
default_field: false
- name: attachments.file.hash.cdhash
level: extended
type: keyword
ignore_above: 1024
description: Code directory hash, utilized to uniquely identify and authenticate
the integrity of the executable code.
example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
default_field: false
- name: attachments.file.hash.md5
level: extended
type: keyword
Expand Down Expand Up @@ -2405,6 +2435,12 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: code_signature.flags
level: extended
type: string
description: The flags used to sign the process.
example: 570522385
default_field: false
- name: code_signature.signing_id
level: extended
type: keyword
Expand Down Expand Up @@ -2789,6 +2825,14 @@
ignore_above: 1024
description: Primary group name of the file.
example: alice
- name: hash.cdhash
level: extended
type: keyword
ignore_above: 1024
description: Code directory hash, utilized to uniquely identify and authenticate
the integrity of the executable code.
example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
default_field: false
- name: hash.md5
level: extended
type: keyword
Expand Down Expand Up @@ -4745,6 +4789,12 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: code_signature.flags
level: extended
type: string
description: The flags used to sign the process.
example: 570522385
default_field: false
- name: code_signature.signing_id
level: extended
type: keyword
Expand Down Expand Up @@ -5774,6 +5824,14 @@
description: The working directory of the process.
example: /home/alice
default_field: false
- name: hash.cdhash
level: extended
type: keyword
ignore_above: 1024
description: Code directory hash, utilized to uniquely identify and authenticate
the integrity of the executable code.
example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
default_field: false
- name: hash.md5
level: extended
type: keyword
Expand Down Expand Up @@ -6055,6 +6113,12 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: parent.code_signature.flags
level: extended
type: string
description: The flags used to sign the process.
example: 570522385
default_field: false
- name: parent.code_signature.signing_id
level: extended
type: keyword
Expand Down Expand Up @@ -6466,6 +6530,14 @@
the process exists within.'
example: 4242
default_field: false
- name: parent.hash.cdhash
level: extended
type: keyword
ignore_above: 1024
description: Code directory hash, utilized to uniquely identify and authenticate
the integrity of the executable code.
example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
default_field: false
- name: parent.hash.md5
level: extended
type: keyword
Expand Down Expand Up @@ -9101,6 +9173,12 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: enrichments.indicator.file.code_signature.flags
level: extended
type: string
description: The flags used to sign the process.
example: 570522385
default_field: false
- name: enrichments.indicator.file.code_signature.signing_id
level: extended
type: keyword
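Review bot: `enrichments.indicator.file.code_signature.flags` carries the description "The flags used to sign the process", which is wrong for a file indicator; the text comes from the shared `code_signature` fieldset, so rewording it there to refer to the signed object (file, library or process) fixes this copy and the other `code_signature.flags` copies in this diff at once.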
Expand Down Expand Up @@ -9492,6 +9570,14 @@
description: Primary group name of the file.
example: alice
default_field: false
- name: enrichments.indicator.file.hash.cdhash
level: extended
type: keyword
ignore_above: 1024
description: Code directory hash, utilized to uniquely identify and authenticate
the integrity of the executable code.
example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
default_field: false
- name: enrichments.indicator.file.hash.md5
level: extended
type: keyword
Expand Down Expand Up @@ -10708,6 +10794,12 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: indicator.file.code_signature.flags
level: extended
type: string
description: The flags used to sign the process.
example: 570522385
default_field: false
- name: indicator.file.code_signature.signing_id
level: extended
type: keyword
Expand Down Expand Up @@ -11099,6 +11191,14 @@
description: Primary group name of the file.
example: alice
default_field: false
- name: indicator.file.hash.cdhash
level: extended
type: keyword
ignore_above: 1024
description: Code directory hash, utilized to uniquely identify and authenticate
the integrity of the executable code.
example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
default_field: false
- name: indicator.file.hash.md5
level: extended
type: keyword
Expand Down