diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go new file mode 100644 index 0000000000..df61c3b935 --- /dev/null +++ b/code/go/ecs/code_signature.go @@ -0,0 +1,46 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// These fields contain information about binary code signatures. +type CodeSignature struct { + // Boolean to capture if a signature is present. + Exists bool `ecs:"exists"` + + // Subject name of the code signer + SubjectName string `ecs:"subject_name"` + + // Boolean to capture if the digital signature is verified against the + // binary content. + // Leave unpopulated if a certificate was unchecked. + Valid bool `ecs:"valid"` + + // Stores the trust status of the certificate chain. + // Validating the trust of the certificate chain may be complicated, and + // this field should only be populated by tools that actively check the + // status. + Trusted bool `ecs:"trusted"` + + // Additional information about the certificate status. + // This is useful for logging cryptographic errors with the certificate + // validity or trust status. Leave unpopulated if the validity or trust of + // the certificate was unchecked. + Status string `ecs:"status"` +} diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 10dd88f038..7fe3b44c09 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -550,6 +550,101 @@ example: `us-east-1` |===== +[[ecs-code_signature]] +=== Code Signature Fields + +These fields contain information about binary code signatures. + +==== Code Signature Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| code_signature.exists +| Boolean to capture if a signature is present. + +type: boolean + + + +example: `true` + +| core + +// =============================================================== + +| code_signature.status +| Additional information about the certificate status. + +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + + + +example: `ERROR_UNTRUSTED_ROOT` + +| extended + +// =============================================================== + +| code_signature.subject_name +| Subject name of the code signer + +type: keyword + + + +example: `Microsoft Corporation` + +| core + +// =============================================================== + +| code_signature.trusted +| Stores the trust status of the certificate chain. + +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + + + +example: `true` + +| extended + +// =============================================================== + +| code_signature.valid +| Boolean to capture if the digital signature is verified against the binary content. + +Leave unpopulated if a certificate was unchecked. + +type: boolean + + + +example: `true` + +| extended + +// =============================================================== + +|===== + +==== Field Reuse + +The `code_signature` fields are expected to be nested at: `dll.code_signature`, `file.code_signature`, `process.code_signature`, `process.parent.code_signature`. + +Note also that the `code_signature` fields are not expected to be used directly at the top level. + + + + [[ecs-container]] === Container Fields @@ -925,6 +1020,12 @@ example: `C:\Windows\System32\kernel32.dll` // =============================================================== +| <<ecs-code_signature,dll.code_signature.*>> +| These fields contain information about binary code signatures. + +// =============================================================== + + | <<ecs-hash,dll.hash.*>> | Hashes, usually file hashes. @@ -2049,6 +2150,12 @@ example: `1001` // =============================================================== +| <<ecs-code_signature,file.code_signature.*>> +| These fields contain information about binary code signatures. + +// =============================================================== + + | <<ecs-hash,file.hash.*>> | Hashes, usually file hashes. @@ -4198,6 +4305,12 @@ example: `/home/alice` // =============================================================== +| <<ecs-code_signature,process.code_signature.*>> +| These fields contain information about binary code signatures. + +// =============================================================== + + | <<ecs-hash,process.hash.*>> | Hashes, usually file hashes. diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index 47f60f48da..4afae5ded9 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -28,6 +28,8 @@ all fields are defined. | <<ecs-cloud,Cloud>> | Fields about the cloud resource. +| <<ecs-code_signature,Code Signature>> | These fields contain information about binary code signatures. + | <<ecs-container,Container>> | Fields describing the container that generated this event. | <<ecs-destination,Destination>> | Fields about the destination side of a network connection, used with source. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 8a66797378..9fd24ef4ea 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -429,6 +429,54 @@ ignore_above: 1024 description: Region in which this host is running. example: us-east-1 + - name: code_signature + title: Code Signature + group: 2 + description: These fields contain information about binary code signatures. + type: group + fields: + - name: exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false - name: container title: Container group: 2 @@ -709,6 +757,48 @@ * Dynamic library (`.dylib`) commonly used on macOS' type: group fields: + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false - name: hash.md5 level: extended type: keyword @@ -1288,6 +1378,48 @@ execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false - name: created level: extended type: date @@ -2549,6 +2681,48 @@ indication of suspicious activity.' example: 4 default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false - name: command_line level: extended type: keyword @@ -2639,6 +2813,48 @@ indication of suspicious activity.' example: 4 default_field: false + - name: parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false - name: parent.command_line level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 4af0e4ebe8..3f59cc6fc5 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -51,6 +51,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. 1.5.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. 1.5.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +1.5.0-dev,true,code_signature,code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.5.0-dev,true,code_signature,code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.5.0-dev,true,code_signature,code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.5.0-dev,true,code_signature,code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.5.0-dev,true,code_signature,code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.5.0-dev,true,container,container.id,keyword,core,,,Unique container id. 1.5.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. 1.5.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. @@ -90,6 +95,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifiers of the user. 1.5.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user. 1.5.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +1.5.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.5.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.5.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.5.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.5.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.5.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 1.5.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. 1.5.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. @@ -150,6 +160,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. 1.5.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. 1.5.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.5.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.5.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.5.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.5.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.5.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.5.0-dev,true,file,file.created,date,extended,,,File creation time. 1.5.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. 1.5.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. @@ -321,6 +336,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,pe,pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.5.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. 1.5.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. +1.5.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.5.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.5.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.5.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.5.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.5.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.5.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.5.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. @@ -334,6 +354,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. 1.5.0-dev,true,process,process.parent.args,keyword,extended,array,"['ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. 1.5.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +1.5.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.5.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.5.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.5.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.5.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.5.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.5.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.5.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2311f18445..6ecb6dda93 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -627,6 +627,79 @@ cloud.region: order: 2 short: Region in which this host is running. type: keyword +code_signature.exists: + dashed_name: code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: code_signature.exists + level: core + name: exists + normalize: [] + order: 0 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +code_signature.status: + dashed_name: code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +code_signature.subject_name: + dashed_name: code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 1 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +code_signature.trusted: + dashed_name: code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +code_signature.valid: + dashed_name: code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: code_signature.valid + level: extended + name: valid + normalize: [] + order: 2 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean container.id: dashed_name: container-id description: Unique container id. @@ -1110,6 +1183,79 @@ destination.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +dll.code_signature.exists: + dashed_name: dll-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: dll.code_signature.exists + level: core + name: exists + normalize: [] + order: 0 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +dll.code_signature.status: + dashed_name: dll-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: dll.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +dll.code_signature.subject_name: + dashed_name: dll-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: dll.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 1 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +dll.code_signature.trusted: + dashed_name: dll-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: dll.code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +dll.code_signature.valid: + dashed_name: dll-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: dll.code_signature.valid + level: extended + name: valid + normalize: [] + order: 2 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. @@ -2258,6 +2404,79 @@ file.attributes: order: 1 short: Array of file attributes. type: keyword +file.code_signature.exists: + dashed_name: file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: file.code_signature.exists + level: core + name: exists + normalize: [] + order: 0 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +file.code_signature.status: + dashed_name: file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +file.code_signature.subject_name: + dashed_name: file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 1 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +file.code_signature.trusted: + dashed_name: file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: file.code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +file.code_signature.valid: + dashed_name: file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: file.code_signature.valid + level: extended + name: valid + normalize: [] + order: 2 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean file.created: dashed_name: file-created description: 'File creation time. @@ -4435,6 +4654,79 @@ process.args_count: order: 12 short: Length of the process.args array. type: long +process.code_signature.exists: + dashed_name: process-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.code_signature.exists + level: core + name: exists + normalize: [] + order: 0 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.code_signature.status: + dashed_name: process-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.code_signature.subject_name: + dashed_name: process-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 1 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.code_signature.trusted: + dashed_name: process-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.code_signature.valid: + dashed_name: process-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.code_signature.valid + level: extended + name: valid + normalize: [] + order: 2 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean process.command_line: dashed_name: process-command-line description: 'Full command line that started the process, including the absolute @@ -4587,6 +4879,79 @@ process.parent.args_count: order: 13 short: Length of the process.args array. type: long +process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.parent.code_signature.exists + level: core + name: exists + normalize: [] + order: 0 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 1 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.code_signature.valid + level: extended + name: valid + normalize: [] + order: 2 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean process.parent.command_line: dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index c0016813c9..c20207a5cb 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -766,6 +766,90 @@ cloud: short: Fields about the cloud resource. title: Cloud type: group +code_signature: + description: These fields contain information about binary code signatures. + fields: + exists: + dashed_name: code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: code_signature.exists + level: core + name: exists + normalize: [] + order: 0 + short: Boolean to capture if a signature is present. + type: boolean + status: + dashed_name: code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + short: Additional information about the certificate status. + type: keyword + subject_name: + dashed_name: code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 1 + short: Subject name of the code signer + type: keyword + trusted: + dashed_name: code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + short: Stores the trust status of the certificate chain. + type: boolean + valid: + dashed_name: code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: code_signature.valid + level: extended + name: valid + normalize: [] + order: 2 + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + group: 2 + name: code_signature + prefix: code_signature. + reusable: + expected: + - file + - process + - process.parent + - dll + top_level: false + short: These fields contain information about binary code signatures. + title: Code Signature + type: group container: description: 'Container fields are used for meta information about the specific container that is the source of information. @@ -1290,6 +1374,79 @@ dll: * Dynamic library (`.dylib`) commonly used on macOS' fields: + code_signature.exists: + dashed_name: dll-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: dll.code_signature.exists + level: core + name: exists + normalize: [] + order: 0 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + code_signature.status: + dashed_name: dll-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: dll.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + code_signature.subject_name: + dashed_name: dll-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: dll.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 1 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + code_signature.trusted: + dashed_name: dll-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: dll.code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + code_signature.valid: + dashed_name: dll-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: dll.code_signature.valid + level: extended + name: valid + normalize: [] + order: 2 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. @@ -1432,6 +1589,7 @@ dll: group: 2 name: dll nestings: + - code_signature - hash - pe prefix: dll. @@ -2522,6 +2680,79 @@ file: order: 1 short: Array of file attributes. type: keyword + code_signature.exists: + dashed_name: file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: file.code_signature.exists + level: core + name: exists + normalize: [] + order: 0 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + code_signature.status: + dashed_name: file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + code_signature.subject_name: + dashed_name: file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 1 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + code_signature.trusted: + dashed_name: file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: file.code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + code_signature.valid: + dashed_name: file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: file.code_signature.valid + level: extended + name: valid + normalize: [] + order: 2 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean created: dashed_name: file-created description: 'File creation time. @@ -2868,6 +3099,7 @@ file: group: 2 name: file nestings: + - code_signature - hash - pe prefix: file. @@ -4850,6 +5082,79 @@ process: order: 12 short: Length of the process.args array. type: long + code_signature.exists: + dashed_name: process-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.code_signature.exists + level: core + name: exists + normalize: [] + order: 0 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + code_signature.status: + dashed_name: process-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + code_signature.subject_name: + dashed_name: process-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 1 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + code_signature.trusted: + dashed_name: process-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + code_signature.valid: + dashed_name: process-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.code_signature.valid + level: extended + name: valid + normalize: [] + order: 2 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean command_line: dashed_name: process-command-line description: 'Full command line that started the process, including the absolute @@ -5002,6 +5307,79 @@ process: order: 13 short: Length of the process.args array. type: long + parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: process.parent.code_signature.exists + level: core + name: exists + normalize: [] + order: 0 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 1 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: process.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: process.parent.code_signature.valid + level: extended + name: valid + normalize: [] + order: 2 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean parent.command_line: dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute @@ -5422,6 +5800,7 @@ process: group: 2 name: process nestings: + - code_signature - hash - pe prefix: process. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 2bb1fab8bc..6b5099473d 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -270,6 +270,27 @@ } } }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "container": { "properties": { "id": { @@ -461,6 +482,27 @@ }, "dll": { "properties": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "hash": { "properties": { "md5": { @@ -728,6 +770,27 @@ "ignore_above": 1024, "type": "keyword" }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "created": { "type": "date" }, @@ -1539,6 +1602,27 @@ "args_count": { "type": "long" }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "command_line": { "fields": { "text": { @@ -1601,6 +1685,27 @@ "args_count": { "type": "long" }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "command_line": { "fields": { "text": { diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 7c2e8e7d7a..c721e2004f 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -269,6 +269,27 @@ } } }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "container": { "properties": { "id": { @@ -460,6 +481,27 @@ }, "dll": { "properties": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "hash": { "properties": { "md5": { @@ -727,6 +769,27 @@ "ignore_above": 1024, "type": "keyword" }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "created": { "type": "date" }, @@ -1538,6 +1601,27 @@ "args_count": { "type": "long" }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "command_line": { "fields": { "text": { @@ -1600,6 +1684,27 @@ "args_count": { "type": "long" }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "command_line": { "fields": { "text": { diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml new file mode 100644 index 0000000000..a4be8cf758 --- /dev/null +++ b/schemas/code_signature.yml @@ -0,0 +1,60 @@ +--- +- name: code_signature + title: Code Signature + group: 2 + description: These fields contain information about binary code signatures. + type: group + reusable: + top_level: false + expected: + - file + - process + - process.parent + - dll + # - driver + fields: + + - name: exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: "true" + + - name: subject_name + level: core + type: keyword + description: Subject name of the code signer + example: Microsoft Corporation + + - name: valid + level: extended + type: boolean + short: Boolean to capture if the digital signature is verified against the binary content. + example: "true" + description: > + Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked. + + - name: trusted + level: extended + type: boolean + short: Stores the trust status of the certificate chain. + example: "true" + description: > + Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field should only be populated + by tools that actively check the status. + + + - name: status + level: extended + type: keyword + short: Additional information about the certificate status. + description: > + Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity or trust status. + Leave unpopulated if the validity or trust of the certificate was unchecked. + example: ERROR_UNTRUSTED_ROOT