Digital code signatures for process, file and dll events (elastic#733)
rw-access authored and dcode committed Apr 15, 2020
1 parent 99f6a3f commit 5e8c3f8
Showing 10 changed files with 1,416 additions and 0 deletions.
46 changes: 46 additions & 0 deletions code/go/ecs/code_signature.go


113 changes: 113 additions & 0 deletions docs/field-details.asciidoc
Expand Up @@ -550,6 +550,101 @@ example: `us-east-1`

|=====

[[ecs-code_signature]]
=== Code Signature Fields

These fields contain information about binary code signatures.

==== Code Signature Field Details

[options="header"]
|=====
| Field | Description | Level

// ===============================================================

| code_signature.exists
| Boolean to capture if a signature is present.

type: boolean



example: `true`

| core

// ===============================================================

| code_signature.status
| Additional information about the certificate status.

This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.

type: keyword



example: `ERROR_UNTRUSTED_ROOT`

| extended

// ===============================================================

| code_signature.subject_name
| Subject name of the code signer

type: keyword



example: `Microsoft Corporation`

| core

// ===============================================================

| code_signature.trusted
| Stores the trust status of the certificate chain.

Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.

type: boolean



example: `true`

| extended

// ===============================================================

| code_signature.valid
| Boolean to capture if the digital signature is verified against the binary content.

Leave unpopulated if a certificate was unchecked.

type: boolean



example: `true`

| extended

// ===============================================================

|=====

==== Field Reuse

The `code_signature` fields are expected to be nested at: `dll.code_signature`, `file.code_signature`, `process.code_signature`, `process.parent.code_signature`.

Note also that the `code_signature` fields are not expected to be used directly at the top level.




[[ecs-container]]
=== Container Fields

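Review bot: the descriptions of `code_signature.subject_name`, `code_signature.valid` and `code_signature.trusted` do not say how the three relate, and a reader of this table will take `subject_name` alone as identifying the signer. A signature can be `valid: true` (it verifies against the binary content) while `trusted: false` (the chain does not reach a trusted root), and a self-signed or otherwise untrusted certificate can carry any subject, including `Microsoft Corporation`. Suggest adding to `subject_name` a sentence such as "Only meaningful together with `trusted`; an untrusted certificate may carry any subject name." Two smaller points in the same table: `status` should say where its values come from, since `ERROR_UNTRUSTED_ROOT` is a Windows verification result and other platforms will report different strings; and `exists` lacks the "leave unpopulated if unchecked" guidance that `valid` and `status` carry, so it is unclear whether `exists: false` asserts that the file was inspected and has no signature or merely that nothing was recorded.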
Expand Down Expand Up @@ -925,6 +1020,12 @@ example: `C:\Windows\System32\kernel32.dll`
// ===============================================================


| <<ecs-code_signature,dll.code_signature.*>>
| These fields contain information about binary code signatures.

// ===============================================================


| <<ecs-hash,dll.hash.*>>
| Hashes, usually file hashes.

Expand Down Expand Up @@ -2049,6 +2150,12 @@ example: `1001`
// ===============================================================


| <<ecs-code_signature,file.code_signature.*>>
| These fields contain information about binary code signatures.

// ===============================================================


| <<ecs-hash,file.hash.*>>
| Hashes, usually file hashes.

Expand Down Expand Up @@ -4198,6 +4305,12 @@ example: `/home/alice`
// ===============================================================


| <<ecs-code_signature,process.code_signature.*>>
| These fields contain information about binary code signatures.

// ===============================================================


| <<ecs-hash,process.hash.*>>
| Hashes, usually file hashes.

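Review bot: the `process.parent.code_signature.*` row is not in this hunk, although the Field Reuse section in this same file lists `process.parent.code_signature` as an expected nesting. Please confirm that the `process.parent.*` table in the collapsed part of the diff received the matching `<<ecs-code_signature,process.parent.code_signature.*>>` row, or add it, so the reuse list and the per-field tables agree.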
2 changes: 2 additions & 0 deletions docs/fields.asciidoc
Expand Up @@ -28,6 +28,8 @@ all fields are defined.

| <<ecs-cloud,Cloud>> | Fields about the cloud resource.

| <<ecs-code_signature,Code Signature>> | These fields contain information about binary code signatures.

| <<ecs-container,Container>> | Fields describing the container that generated this event.

| <<ecs-destination,Destination>> | Fields about the destination side of a network connection, used with source.
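Review bot: the new index entry reads "These fields contain information about binary code signatures." while the neighbouring entries follow the "Fields about ..." / "Fields describing ..." pattern (`Cloud`, `Container`, `Destination`). Since this line is generated from the fieldset description, suggest adjusting the schema description to something like "Fields describing the code signature of a binary." so the generated index stays consistent.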