From 058eb10f690752423d8261f33c19454599f3b907 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Fri, 24 Jan 2020 14:36:06 -0700 Subject: [PATCH 01/10] Attempt to capture code signatures --- code/go/ecs/code_signature.go | 42 +++++ docs/field-details.asciidoc | 95 +++++++++++ docs/fields.asciidoc | 2 + generated/beats/fields.ecs.yml | 135 +++++++++++++++ generated/csv/fields.csv | 15 ++ generated/ecs/ecs_flat.yml | 207 ++++++++++++++++++++++ generated/ecs/ecs_nested.yml | 218 ++++++++++++++++++++++++ generated/elasticsearch/6/template.json | 66 +++++++ generated/elasticsearch/7/template.json | 66 +++++++ schemas/code_signature.yml | 59 +++++++ 10 files changed, 905 insertions(+) create mode 100644 code/go/ecs/code_signature.go create mode 100644 schemas/code_signature.yml diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go new file mode 100644 index 0000000000..ba2e47d4b2 --- /dev/null +++ b/code/go/ecs/code_signature.go 
@@ -0,0 +1,42 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+// These fields contain information about binary code signatures.
+type CodeSignature struct {
+ // Subject name of the code signer
+ SubjectName string `ecs:"subject_name"`
+
+ // Boolean to capture if the digital signature is verified against the
+ // binary content.
+ Valid bool `ecs:"valid"`
+
+ // Boolean to capture if a signature is present.
+ // This should only populated if the signature was checked.
+ Exists string `ecs:"exists"`
+
+ // Stores the trust status of the certificate chain.
+ Trusted bool `ecs:"trusted"`
+
+ // Additional information about the certificate status.
+ // This is useful for logging cryptographic errors with the certificate
+ // validity or trust status.
+ Status string `ecs:"status"`
+}
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 6cdbbb963e..63aebd36ad 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
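Review bot: `Exists string` breaks the type symmetry with `Valid bool` and `Trusted bool` in the same struct: its own comment calls it a boolean and the documented example is `true`, yet it is generated from `type: keyword` in schemas/code_signature.yml, so a consumer gets the strings "true"/"false" for one flag and Go bools for the other two. Because this file is marked DO NOT EDIT, the fix belongs in the schema, `type: boolean` on the `exists` field, after which the generator should emit `Exists bool` and the Elasticsearch templates should map it as boolean rather than keyword. The same keyword mapping is carried into the generated beats yaml, csv, ecs_flat/ecs_nested and both template.json hunks of this patch, so regenerating after the schema change resolves all of them at once.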
@@ -489,6 +489,89 @@ example: `us-east-1` |===== +[[ecs-code_signature]] +=== Code Signature Fields + +These fields contain information about binary code signatures. + +==== Code Signature Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| code_signature.exists +| Boolean to capture if a signature is present. + +This should only populated if the signature was checked. + +type: keyword + +example: `True` + +| extended + +// =============================================================== + +| code_signature.status +| Additional information about the certificate status. + +This is useful for logging cryptographic errors with the certificate validity or trust status. + +type: keyword + +example: `ERROR_UNTRUSTED_ROOT` + +| extended + +// =============================================================== + +| code_signature.subject_name +| Subject name of the code signer + +type: keyword + +example: `Microsoft Corporation` + +| core + +// =============================================================== + +| code_signature.trusted +| Stores the trust status of the certificate chain. + +type: boolean + +example: `True` + +| extended + +// =============================================================== + +| code_signature.valid +| Boolean to capture if the digital signature is verified against the binary content. + +type: boolean + +example: `True` + +| core + +// =============================================================== + +|===== + +==== Field Reuse + +The `code_signature` fields are expected to be nested at: `file.code_signature`, `process.code_signature`. + +Note also that the `code_signature` fields are not expected to be used directly at the top level. + + + + [[ecs-container]] === Container Fields 
@@ -1719,6 +1802,12 @@ example: `1001` // =============================================================== +| <> +| These fields contain information about binary code signatures. + +// =============================================================== + + | <> | Hashes, usually file hashes. @@ -3521,6 +3610,12 @@ example: `/home/alice` // =============================================================== +| <> +| These fields contain information about binary code signatures. + +// =============================================================== + + | <> | Hashes, usually file hashes. diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index c3a11635b1..11a65027e9 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -28,6 +28,8 @@ all fields are defined. | <> | Fields about the cloud resource. +| <> | These fields contain information about binary code signatures. + | <> | Fields describing the container that generated this event. | <> | Fields about the destination side of a network connection, used with source. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 98257e129d..627190b7b4 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -429,6 +429,55 @@ ignore_above: 1024 description: Region in which this host is running. example: us-east-1 + - name: code_signature + title: Code Signature + group: 2 + description: These fields contain information about binary code signatures. + type: group + fields: + - name: exists + level: extended + type: keyword + ignore_above: 1024 + format: core + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: true + default_field: false + - name: status + level: extended + type: keyword + ignore_above: 1024 + format: string + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: subject_name + level: core + type: keyword + ignore_above: 1024 + format: string + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: trusted + level: extended + type: boolean + format: core + description: Stores the trust status of the certificate chain. + example: true + default_field: false + - name: valid + level: core + type: boolean + description: Boolean to capture if the digital signature is verified against + the binary content. + example: true + default_field: false - name: container title: Container group: 2 
@@ -1196,6 +1245,49 @@ execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false + - name: code_signature.exists + level: extended + type: keyword + ignore_above: 1024 + format: core + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: true + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + format: string + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + format: string + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + format: core + description: Stores the trust status of the certificate chain. + example: true + default_field: false + - name: code_signature.valid + level: core + type: boolean + description: Boolean to capture if the digital signature is verified against + the binary content. + example: true + default_field: false - name: created level: extended type: date 
@@ -2381,6 +2473,49 @@ indication of suspicious activity.' example: 4 default_field: false + - name: code_signature.exists + level: extended + type: keyword + ignore_above: 1024 + format: core + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: true + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + format: string + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + format: string + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + format: core + description: Stores the trust status of the certificate chain. + example: true + default_field: false + - name: code_signature.valid + level: core + type: boolean + description: Boolean to capture if the digital signature is verified against + the binary content. + example: true + default_field: false - name: command_line level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 419079ffb6..b2cf6463bd 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -51,6 +51,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description 1.5.0-dev,true,cloud,cloud.machine.type,keyword,extended,t2.medium,Machine type of the host machine. 1.5.0-dev,true,cloud,cloud.provider,keyword,extended,aws,Name of the cloud provider. 1.5.0-dev,true,cloud,cloud.region,keyword,extended,us-east-1,Region in which this host is running. +1.5.0-dev,true,code_signature,code_signature.exists,keyword,extended,True,Boolean to capture if a signature is present. +1.5.0-dev,true,code_signature,code_signature.status,keyword,extended,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.5.0-dev,true,code_signature,code_signature.subject_name,keyword,core,Microsoft Corporation,Subject name of the code signer +1.5.0-dev,true,code_signature,code_signature.trusted,boolean,extended,True,Stores the trust status of the certificate chain. +1.5.0-dev,true,code_signature,code_signature.valid,boolean,core,True,Boolean to capture if the digital signature is verified against the binary content. 1.5.0-dev,true,container,container.id,keyword,core,,Unique container id. 1.5.0-dev,true,container,container.image.name,keyword,extended,,Name of the image the container was built on. 1.5.0-dev,true,container,container.image.tag,keyword,extended,,Container image tag. 
@@ -139,6 +144,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description 1.5.0-dev,true,event,event.type,keyword,core,,Event type. The third categorization field in the hierarchy. 1.5.0-dev,true,file,file.accessed,date,extended,,Last time the file was accessed. 1.5.0-dev,true,file,file.attributes,keyword,extended,"[""readonly"", ""system""]",Array of file attributes. +1.5.0-dev,true,file,file.code_signature.exists,keyword,extended,True,Boolean to capture if a signature is present. +1.5.0-dev,true,file,file.code_signature.status,keyword,extended,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.5.0-dev,true,file,file.code_signature.subject_name,keyword,core,Microsoft Corporation,Subject name of the code signer +1.5.0-dev,true,file,file.code_signature.trusted,boolean,extended,True,Stores the trust status of the certificate chain. +1.5.0-dev,true,file,file.code_signature.valid,boolean,core,True,Boolean to capture if the digital signature is verified against the binary content. 1.5.0-dev,true,file,file.created,date,extended,,File creation time. 1.5.0-dev,true,file,file.ctime,date,extended,,Last time the file attributes or metadata changed. 1.5.0-dev,true,file,file.device,keyword,extended,sda,Device that is the source of the file. 
@@ -300,6 +310,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description 1.5.0-dev,true,package,package.version,keyword,extended,1.12.9,Package version 1.5.0-dev,true,process,process.args,keyword,extended,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. 1.5.0-dev,true,process,process.args_count,long,extended,4,Length of the process.args array. +1.5.0-dev,true,process,process.code_signature.exists,keyword,extended,True,Boolean to capture if a signature is present. +1.5.0-dev,true,process,process.code_signature.status,keyword,extended,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.5.0-dev,true,process,process.code_signature.subject_name,keyword,core,Microsoft Corporation,Subject name of the code signer +1.5.0-dev,true,process,process.code_signature.trusted,boolean,extended,True,Stores the trust status of the certificate chain. +1.5.0-dev,true,process,process.code_signature.valid,boolean,core,True,Boolean to capture if the digital signature is verified against the binary content. 1.5.0-dev,true,process,process.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.5.0-dev,true,process,process.command_line.text,text,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.5.0-dev,true,process,process.executable,keyword,extended,/usr/bin/ssh,Absolute path to the process executable. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 712aa5e6c0..e0718dd208 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -582,6 +582,75 @@ cloud.region: order: 2 short: Region in which this host is running. type: keyword +code_signature.exists: + dashed_name: code-signature-exists + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: true + flat_name: code_signature.exists + format: core + ignore_above: 1024 + level: extended + name: exists + order: 2 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: keyword +code_signature.status: + dashed_name: code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + flat_name: code_signature.status + format: string + ignore_above: 1024 + level: extended + name: status + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +code_signature.subject_name: + dashed_name: code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: code_signature.subject_name + format: string + ignore_above: 1024 + level: core + name: subject_name + order: 0 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +code_signature.trusted: + dashed_name: code-signature-trusted + description: Stores the trust status of the certificate chain. + example: true + flat_name: code_signature.trusted + format: core + level: extended + name: trusted + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +code_signature.valid: + dashed_name: code-signature-valid + description: Boolean to capture if the digital signature is verified against the + binary content. 
+ example: true + flat_name: code_signature.valid + level: core + name: valid + order: 1 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean container.id: dashed_name: container-id description: Unique container id. 
@@ -1983,6 +2052,75 @@ file.attributes: order: 1 short: Array of file attributes. type: keyword +file.code_signature.exists: + dashed_name: file-code-signature-exists + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: true + flat_name: file.code_signature.exists + format: core + ignore_above: 1024 + level: extended + name: exists + order: 2 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: keyword +file.code_signature.status: + dashed_name: file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + flat_name: file.code_signature.status + format: string + ignore_above: 1024 + level: extended + name: status + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +file.code_signature.subject_name: + dashed_name: file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: file.code_signature.subject_name + format: string + ignore_above: 1024 + level: core + name: subject_name + order: 0 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +file.code_signature.trusted: + dashed_name: file-code-signature-trusted + description: Stores the trust status of the certificate chain. + example: true + flat_name: file.code_signature.trusted + format: core + level: extended + name: trusted + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +file.code_signature.valid: + dashed_name: file-code-signature-valid + description: Boolean to capture if the digital signature is verified against the + binary content. 
+ example: true + flat_name: file.code_signature.valid + level: core + name: valid + order: 1 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean file.created: dashed_name: file-created description: 'File creation time. 
@@ -3875,6 +4013,75 @@ process.args_count: order: 12 short: Length of the process.args array. type: long +process.code_signature.exists: + dashed_name: process-code-signature-exists + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: true + flat_name: process.code_signature.exists + format: core + ignore_above: 1024 + level: extended + name: exists + order: 2 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: keyword +process.code_signature.status: + dashed_name: process-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.code_signature.status + format: string + ignore_above: 1024 + level: extended + name: status + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.code_signature.subject_name: + dashed_name: process-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.code_signature.subject_name + format: string + ignore_above: 1024 + level: core + name: subject_name + order: 0 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.code_signature.trusted: + dashed_name: process-code-signature-trusted + description: Stores the trust status of the certificate chain. + example: true + flat_name: process.code_signature.trusted + format: core + level: extended + name: trusted + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. 
+ type: boolean +process.code_signature.valid: + dashed_name: process-code-signature-valid + description: Boolean to capture if the digital signature is verified against the + binary content. + example: true + flat_name: process.code_signature.valid + level: core + name: valid + order: 1 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean process.command_line: dashed_name: process-command-line description: 'Full command line that started the process, including the absolute diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 3403d3cb49..53ef846da1 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -717,6 +717,84 @@ cloud: short: Fields about the cloud resource. title: Cloud type: group +code_signature: + description: These fields contain information about binary code signatures. + fields: + exists: + dashed_name: code-signature-exists + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: true + flat_name: code_signature.exists + format: core + ignore_above: 1024 + level: extended + name: exists + order: 2 + short: Boolean to capture if a signature is present. + type: keyword + status: + dashed_name: code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + flat_name: code_signature.status + format: string + ignore_above: 1024 + level: extended + name: status + order: 4 + short: Additional information about the certificate status. + type: keyword + subject_name: + dashed_name: code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: code_signature.subject_name + format: string + ignore_above: 1024 + level: core + name: subject_name + order: 0 + short: Subject name of the code signer + type: keyword + trusted: + dashed_name: code-signature-trusted + description: Stores the trust status of the certificate chain. + example: true + flat_name: code_signature.trusted + format: core + level: extended + name: trusted + order: 3 + short: Stores the trust status of the certificate chain. + type: boolean + valid: + dashed_name: code-signature-valid + description: Boolean to capture if the digital signature is verified against + the binary content. + example: true + flat_name: code_signature.valid + level: core + name: valid + order: 1 + short: Boolean to capture if the digital signature is verified against the binary + content. 
+ type: boolean + group: 2 + name: code_signature + prefix: code_signature. + reusable: + expected: + - file + - process + top_level: false + short: These fields contain information about binary code signatures. + title: Code Signature + type: group container: description: 'Container fields are used for meta information about the specific container that is the source of information. 
@@ -2219,6 +2297,75 @@ file: order: 1 short: Array of file attributes. type: keyword + code_signature.exists: + dashed_name: file-code-signature-exists + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: true + flat_name: file.code_signature.exists + format: core + ignore_above: 1024 + level: extended + name: exists + order: 2 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: keyword + code_signature.status: + dashed_name: file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + flat_name: file.code_signature.status + format: string + ignore_above: 1024 + level: extended + name: status + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + code_signature.subject_name: + dashed_name: file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: file.code_signature.subject_name + format: string + ignore_above: 1024 + level: core + name: subject_name + order: 0 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + code_signature.trusted: + dashed_name: file-code-signature-trusted + description: Stores the trust status of the certificate chain. + example: true + flat_name: file.code_signature.trusted + format: core + level: extended + name: trusted + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + code_signature.valid: + dashed_name: file-code-signature-valid + description: Boolean to capture if the digital signature is verified against + the binary content. 
+ example: true + flat_name: file.code_signature.valid + level: core + name: valid + order: 1 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean created: dashed_name: file-created description: 'File creation time. @@ -2478,6 +2625,7 @@ file: group: 2 name: file nestings: + - code_signature - hash prefix: file. short: Fields describing files. 
@@ -4251,6 +4399,75 @@ process: order: 12 short: Length of the process.args array. type: long + code_signature.exists: + dashed_name: process-code-signature-exists + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: true + flat_name: process.code_signature.exists + format: core + ignore_above: 1024 + level: extended + name: exists + order: 2 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: keyword + code_signature.status: + dashed_name: process-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.code_signature.status + format: string + ignore_above: 1024 + level: extended + name: status + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + code_signature.subject_name: + dashed_name: process-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.code_signature.subject_name + format: string + ignore_above: 1024 + level: core + name: subject_name + order: 0 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + code_signature.trusted: + dashed_name: process-code-signature-trusted + description: Stores the trust status of the certificate chain. + example: true + flat_name: process.code_signature.trusted + format: core + level: extended + name: trusted + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + code_signature.valid: + dashed_name: process-code-signature-valid + description: Boolean to capture if the digital signature is verified against + the binary content. 
+ example: true + flat_name: process.code_signature.valid + level: core + name: valid + order: 1 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean command_line: dashed_name: process-command-line description: 'Full command line that started the process, including the absolute @@ -4677,6 +4894,7 @@ process: group: 2 name: process nestings: + - code_signature - hash prefix: process. short: These fields contain information about a process. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 73913739e4..d8eeaf7b22 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -270,6 +270,28 @@ } } }, + "code_signature": { + "properties": { + "exists": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "container": { "properties": { "id": { @@ -672,6 +694,28 @@ "ignore_above": 1024, "type": "keyword" }, + "code_signature": { + "properties": { + "exists": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "created": { "type": "date" }, @@ -1435,6 +1479,28 @@ "args_count": { "type": "long" }, + "code_signature": { + "properties": { + "exists": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "command_line": { "fields": { "text": { 
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index a509ae3619..887196fc18 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -269,6 +269,28 @@ } } }, + "code_signature": { + "properties": { + "exists": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "container": { "properties": { "id": { @@ -671,6 +693,28 @@ "ignore_above": 1024, "type": "keyword" }, + "code_signature": { + "properties": { + "exists": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "created": { "type": "date" }, @@ -1434,6 +1478,28 @@ "args_count": { "type": "long" }, + "code_signature": { + "properties": { + "exists": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "command_line": { "fields": { "text": { diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml new file mode 100644 index 0000000000..543d577fd2 --- /dev/null +++ b/schemas/code_signature.yml 
@@ -0,0 +1,59 @@ +--- +- name: code_signature + title: Code Signature + group: 2 + description: These fields contain information about binary code signatures. + type: group + reusable: + top_level: false + expected: + - file + - process + # - dll + # - driver + fields: + + - name: subject_name + format: string + level: core + type: keyword + description: Subject name of the code signer + example: Microsoft Corporation + + + - name: valid + level: core + type: boolean + description: Boolean to capture if the digital signature is verified against the binary content. + example: true + + + - name: exists + format: core + level: extended + type: keyword + short: Boolean to capture if a signature is present. + description: > + Boolean to capture if a signature is present. + + This should only populated if the signature was checked. + example: true + + - name: trusted + format: core + level: extended + type: boolean + description: Stores the trust status of the certificate chain. + example: true + + + - name: status + format: string + level: extended + type: keyword + short: Additional information about the certificate status. + description: > + Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity or trust status. + example: ERROR_UNTRUSTED_ROOT From c5308f22fbd1872d62bc985b12be4d8835fda784 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Wed, 5 Feb 2020 11:17:48 -0700 Subject: [PATCH 02/10] Change example --- docs/field-details.asciidoc | 6 +++--- generated/beats/fields.ecs.yml | 18 +++++++++--------- generated/csv/fields.csv | 18 +++++++++--------- generated/ecs/ecs_flat.yml | 18 +++++++++--------- generated/ecs/ecs_nested.yml | 18 +++++++++--------- schemas/code_signature.yml | 6 +++--- 6 files changed, 42 insertions(+), 42 deletions(-) diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 63aebd36ad..6c9b0b19b7 100644 
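Review bot: `exists` is declared `type: keyword` with the example `true` while its own description calls it a Boolean and the sibling flags `valid` and `trusted` are `type: boolean`; a string-typed flag cannot be filtered or aggregated the same way as the other two, and the `"true"` example will be indexed as a literal string. Either change it to `type: boolean` or reword the description to state which string values it holds (the later level swap in PATCH 04 promotes `exists` to core but keeps the keyword type, so the same point applies there). The relationship between the three flags is also left implicit: `valid` only asserts that the signature verifies against the binary content and `trusted` only covers the certificate chain, so an event can carry `valid: true` together with `trusted: false`, and the `valid` description should say that it is not by itself a statement about the signer's trustworthiness. Minor wording in the `exists` description: `This should only populated` reads `This should only be populated`.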
--- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -509,7 +509,7 @@ This should only populated if the signature was checked. type: keyword -example: `True` +example: `true` | extended @@ -544,7 +544,7 @@ example: `Microsoft Corporation` type: boolean -example: `True` +example: `true` | extended @@ -555,7 +555,7 @@ example: `True` type: boolean -example: `True` +example: `true` | core diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 627190b7b4..598fdf1d52 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -443,7 +443,7 @@ description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' - example: true + example: 'true' default_field: false - name: status level: extended @@ -469,14 +469,14 @@ type: boolean format: core description: Stores the trust status of the certificate chain. - example: true + example: 'true' default_field: false - name: valid level: core type: boolean description: Boolean to capture if the digital signature is verified against the binary content. - example: true + example: 'true' default_field: false - name: container title: Container @@ -1253,7 +1253,7 @@ description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' - example: true + example: 'true' default_field: false - name: code_signature.status level: extended @@ -1279,14 +1279,14 @@ type: boolean format: core description: Stores the trust status of the certificate chain. - example: true + example: 'true' default_field: false - name: code_signature.valid level: core type: boolean description: Boolean to capture if the digital signature is verified against the binary content. - example: true + example: 'true' default_field: false - name: created level: extended 
@@ -2481,7 +2481,7 @@ description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' - example: true + example: 'true' default_field: false - name: code_signature.status level: extended @@ -2507,14 +2507,14 @@ type: boolean format: core description: Stores the trust status of the certificate chain. - example: true + example: 'true' default_field: false - name: code_signature.valid level: core type: boolean description: Boolean to capture if the digital signature is verified against the binary content. - example: true + example: 'true' default_field: false - name: command_line level: extended diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index b2cf6463bd..2193097c46 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -51,11 +51,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description
 1.5.0-dev,true,cloud,cloud.machine.type,keyword,extended,t2.medium,Machine type of the host machine.
 1.5.0-dev,true,cloud,cloud.provider,keyword,extended,aws,Name of the cloud provider.
 1.5.0-dev,true,cloud,cloud.region,keyword,extended,us-east-1,Region in which this host is running.
-1.5.0-dev,true,code_signature,code_signature.exists,keyword,extended,True,Boolean to capture if a signature is present.
+1.5.0-dev,true,code_signature,code_signature.exists,keyword,extended,true,Boolean to capture if a signature is present.
 1.5.0-dev,true,code_signature,code_signature.status,keyword,extended,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.5.0-dev,true,code_signature,code_signature.subject_name,keyword,core,Microsoft Corporation,Subject name of the code signer
-1.5.0-dev,true,code_signature,code_signature.trusted,boolean,extended,True,Stores the trust status of the certificate chain.
-1.5.0-dev,true,code_signature,code_signature.valid,boolean,core,True,Boolean to capture if the digital signature is verified against the binary content.
+1.5.0-dev,true,code_signature,code_signature.trusted,boolean,extended,true,Stores the trust status of the certificate chain.
+1.5.0-dev,true,code_signature,code_signature.valid,boolean,core,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,container,container.id,keyword,core,,Unique container id.
 1.5.0-dev,true,container,container.image.name,keyword,extended,,Name of the image the container was built on.
 1.5.0-dev,true,container,container.image.tag,keyword,extended,,Container image tag.
@@ -144,11 +144,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description
 1.5.0-dev,true,event,event.type,keyword,core,,Event type. The third categorization field in the hierarchy.
 1.5.0-dev,true,file,file.accessed,date,extended,,Last time the file was accessed.
 1.5.0-dev,true,file,file.attributes,keyword,extended,"[""readonly"", ""system""]",Array of file attributes.
-1.5.0-dev,true,file,file.code_signature.exists,keyword,extended,True,Boolean to capture if a signature is present.
+1.5.0-dev,true,file,file.code_signature.exists,keyword,extended,true,Boolean to capture if a signature is present.
 1.5.0-dev,true,file,file.code_signature.status,keyword,extended,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.5.0-dev,true,file,file.code_signature.subject_name,keyword,core,Microsoft Corporation,Subject name of the code signer
-1.5.0-dev,true,file,file.code_signature.trusted,boolean,extended,True,Stores the trust status of the certificate chain.
-1.5.0-dev,true,file,file.code_signature.valid,boolean,core,True,Boolean to capture if the digital signature is verified against the binary content.
+1.5.0-dev,true,file,file.code_signature.trusted,boolean,extended,true,Stores the trust status of the certificate chain.
+1.5.0-dev,true,file,file.code_signature.valid,boolean,core,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,file,file.created,date,extended,,File creation time.
 1.5.0-dev,true,file,file.ctime,date,extended,,Last time the file attributes or metadata changed.
 1.5.0-dev,true,file,file.device,keyword,extended,sda,Device that is the source of the file.
@@ -310,11 +310,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Example,Description
 1.5.0-dev,true,package,package.version,keyword,extended,1.12.9,Package version
 1.5.0-dev,true,process,process.args,keyword,extended,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments.
 1.5.0-dev,true,process,process.args_count,long,extended,4,Length of the process.args array.
-1.5.0-dev,true,process,process.code_signature.exists,keyword,extended,True,Boolean to capture if a signature is present.
+1.5.0-dev,true,process,process.code_signature.exists,keyword,extended,true,Boolean to capture if a signature is present.
 1.5.0-dev,true,process,process.code_signature.status,keyword,extended,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.5.0-dev,true,process,process.code_signature.subject_name,keyword,core,Microsoft Corporation,Subject name of the code signer
-1.5.0-dev,true,process,process.code_signature.trusted,boolean,extended,True,Stores the trust status of the certificate chain.
-1.5.0-dev,true,process,process.code_signature.valid,boolean,core,True,Boolean to capture if the digital signature is verified against the binary content.
+1.5.0-dev,true,process,process.code_signature.trusted,boolean,extended,true,Stores the trust status of the certificate chain.
+1.5.0-dev,true,process,process.code_signature.valid,boolean,core,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,process,process.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.5.0-dev,true,process,process.command_line.text,text,extended,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.5.0-dev,true,process,process.executable,keyword,extended,/usr/bin/ssh,Absolute path to the process executable.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index e0718dd208..bdc1c74753 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml @@ -587,7 +587,7 @@ code_signature.exists: description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' - example: true + example: 'true' flat_name: code_signature.exists format: core ignore_above: 1024 @@ -629,7 +629,7 @@ code_signature.subject_name: code_signature.trusted: dashed_name: code-signature-trusted description: Stores the trust status of the certificate chain. - example: true + example: 'true' flat_name: code_signature.trusted format: core level: extended @@ -642,7 +642,7 @@ code_signature.valid: dashed_name: code-signature-valid description: Boolean to capture if the digital signature is verified against the binary content. - example: true + example: 'true' flat_name: code_signature.valid level: core name: valid @@ -2057,7 +2057,7 @@ file.code_signature.exists: description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' - example: true + example: 'true' flat_name: file.code_signature.exists format: core ignore_above: 1024 @@ -2099,7 +2099,7 @@ file.code_signature.subject_name: file.code_signature.trusted: dashed_name: file-code-signature-trusted description: Stores the trust status of the certificate chain. - example: true + example: 'true' flat_name: file.code_signature.trusted format: core level: extended @@ -2112,7 +2112,7 @@ file.code_signature.valid: dashed_name: file-code-signature-valid description: Boolean to capture if the digital signature is verified against the binary content. - example: true + example: 'true' flat_name: file.code_signature.valid level: core name: valid @@ -4018,7 +4018,7 @@ process.code_signature.exists: description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' - example: true + example: 'true' flat_name: process.code_signature.exists format: core ignore_above: 1024 
@@ -4060,7 +4060,7 @@ process.code_signature.subject_name: process.code_signature.trusted: dashed_name: process-code-signature-trusted description: Stores the trust status of the certificate chain. - example: true + example: 'true' flat_name: process.code_signature.trusted format: core level: extended @@ -4073,7 +4073,7 @@ process.code_signature.valid: dashed_name: process-code-signature-valid description: Boolean to capture if the digital signature is verified against the binary content. - example: true + example: 'true' flat_name: process.code_signature.valid level: core name: valid diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 53ef846da1..a82403337c 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -725,7 +725,7 @@ code_signature: description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' - example: true + example: 'true' flat_name: code_signature.exists format: core ignore_above: 1024 @@ -764,7 +764,7 @@ code_signature: trusted: dashed_name: code-signature-trusted description: Stores the trust status of the certificate chain. - example: true + example: 'true' flat_name: code_signature.trusted format: core level: extended @@ -776,7 +776,7 @@ code_signature: dashed_name: code-signature-valid description: Boolean to capture if the digital signature is verified against the binary content. - example: true + example: 'true' flat_name: code_signature.valid level: core name: valid @@ -2302,7 +2302,7 @@ file: description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' - example: true + example: 'true' flat_name: file.code_signature.exists format: core ignore_above: 1024 
@@ -2344,7 +2344,7 @@ file: code_signature.trusted: dashed_name: file-code-signature-trusted description: Stores the trust status of the certificate chain. - example: true + example: 'true' flat_name: file.code_signature.trusted format: core level: extended @@ -2357,7 +2357,7 @@ file: dashed_name: file-code-signature-valid description: Boolean to capture if the digital signature is verified against the binary content. - example: true + example: 'true' flat_name: file.code_signature.valid level: core name: valid @@ -4404,7 +4404,7 @@ process: description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' - example: true + example: 'true' flat_name: process.code_signature.exists format: core ignore_above: 1024 @@ -4446,7 +4446,7 @@ process: code_signature.trusted: dashed_name: process-code-signature-trusted description: Stores the trust status of the certificate chain. - example: true + example: 'true' flat_name: process.code_signature.trusted format: core level: extended @@ -4459,7 +4459,7 @@ process: dashed_name: process-code-signature-valid description: Boolean to capture if the digital signature is verified against the binary content. - example: true + example: 'true' flat_name: process.code_signature.valid level: core name: valid diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index 543d577fd2..c824bf347c 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml @@ -25,7 +25,7 @@ level: core type: boolean description: Boolean to capture if the digital signature is verified against the binary content. - example: true + example: "true" - name: exists @@ -37,14 +37,14 @@ Boolean to capture if a signature is present. This should only populated if the signature was checked. - example: true + example: "true" - name: trusted format: core level: extended type: boolean description: Stores the trust status of the certificate chain. - example: true + example: "true" - name: status 
From af264e38f7a6a97f0647c4e26e7ac50c97060509 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Fri, 7 Feb 2020 11:17:53 -0700 Subject: [PATCH 03/10] Remove format: * --- schemas/code_signature.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index c824bf347c..264c439bad 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml @@ -14,7 +14,6 @@ fields: - name: subject_name - format: string level: core type: keyword description: Subject name of the code signer @@ -29,7 +28,6 @@ - name: exists - format: core level: extended type: keyword short: Boolean to capture if a signature is present. @@ -40,7 +38,6 @@ example: "true" - name: trusted - format: core level: extended type: boolean description: Stores the trust status of the certificate chain. @@ -48,7 +45,6 @@ - name: status - format: string level: extended type: keyword short: Additional information about the certificate status. From 40aec6a4947136339c935855fa29c17107b09247 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Fri, 7 Feb 2020 11:21:29 -0700 Subject: [PATCH 04/10] Mark core/extended --- schemas/code_signature.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index 264c439bad..2f462127f9 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml @@ -21,14 +21,14 @@ - name: valid - level: core + level: extended type: boolean description: Boolean to capture if the digital signature is verified against the binary content. example: "true" - name: exists - level: extended + level: core type: keyword short: Boolean to capture if a signature is present. description: > From 1dc566336fd1805adf3036369bce23c6226d439e Mon Sep 17 00:00:00 2001 
From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Fri, 7 Feb 2020 11:37:16 -0700 Subject: [PATCH 05/10] Regenerate code signature core fields --- docs/field-details.asciidoc | 4 ++-- generated/beats/fields.ecs.yml | 24 ++++++------------------ generated/csv/fields.csv | 12 ++++++------ generated/ecs/ecs_flat.yml | 24 ++++++------------------ generated/ecs/ecs_nested.yml | 24 ++++++------------------ 5 files changed, 26 insertions(+), 62 deletions(-) diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index c6d6220744..83b235b06b 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -574,7 +574,7 @@ type: keyword example: `true` -| extended +| core // =============================================================== @@ -628,7 +628,7 @@ type: boolean example: `true` -| core +| extended // =============================================================== diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index ebc935fe27..ac2da2375c 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -436,10 +436,9 @@ type: group fields: - name: exists - level: extended + level: core type: keyword ignore_above: 1024 - format: core description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' @@ -449,7 +448,6 @@ level: extended type: keyword ignore_above: 1024 - format: string description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity 
@@ -460,19 +458,17 @@ level: core type: keyword ignore_above: 1024 - format: string description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: trusted level: extended type: boolean - format: core description: Stores the trust status of the certificate chain. example: 'true' default_field: false - name: valid - level: core + level: extended type: boolean description: Boolean to capture if the digital signature is verified against the binary content. @@ -1246,10 +1242,9 @@ example: '["readonly", "system"]' default_field: false - name: code_signature.exists - level: extended + level: core type: keyword ignore_above: 1024 - format: core description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' @@ -1259,7 +1254,6 @@ level: extended type: keyword ignore_above: 1024 - format: string description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity @@ -1270,19 +1264,17 @@ level: core type: keyword ignore_above: 1024 - format: string description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.trusted level: extended type: boolean - format: core description: Stores the trust status of the certificate chain. example: 'true' default_field: false - name: code_signature.valid - level: core + level: extended type: boolean description: Boolean to capture if the digital signature is verified against the binary content. @@ -2474,10 +2466,9 @@ example: 4 default_field: false - name: code_signature.exists - level: extended + level: core type: keyword ignore_above: 1024 - format: core description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' 
@@ -2487,7 +2478,6 @@ level: extended type: keyword ignore_above: 1024 - format: string description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity @@ -2498,19 +2488,17 @@ level: core type: keyword ignore_above: 1024 - format: string description: Subject name of the code signer example: Microsoft Corporation default_field: false - name: code_signature.trusted level: extended type: boolean - format: core description: Stores the trust status of the certificate chain. example: 'true' default_field: false - name: code_signature.valid - level: core + level: extended type: boolean description: Boolean to capture if the digital signature is verified against the binary content. diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 53e2431683..41143a0f8d 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -51,11 +51,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
 1.5.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
 1.5.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
-1.5.0-dev,true,code_signature,code_signature.exists,keyword,extended,,true,Boolean to capture if a signature is present.
+1.5.0-dev,true,code_signature,code_signature.exists,keyword,core,,true,Boolean to capture if a signature is present.
 1.5.0-dev,true,code_signature,code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.5.0-dev,true,code_signature,code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 1.5.0-dev,true,code_signature,code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.5.0-dev,true,code_signature,code_signature.valid,boolean,core,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.5.0-dev,true,code_signature,code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,container,container.id,keyword,core,,,Unique container id.
 1.5.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
 1.5.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
@@ -144,11 +144,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
 1.5.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
 1.5.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
-1.5.0-dev,true,file,file.code_signature.exists,keyword,extended,,true,Boolean to capture if a signature is present.
+1.5.0-dev,true,file,file.code_signature.exists,keyword,core,,true,Boolean to capture if a signature is present.
 1.5.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.5.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 1.5.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.5.0-dev,true,file,file.code_signature.valid,boolean,core,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.5.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,file,file.created,date,extended,,,File creation time.
 1.5.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
 1.5.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
@@ -310,11 +310,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
 1.5.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments.
 1.5.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
-1.5.0-dev,true,process,process.code_signature.exists,keyword,extended,,true,Boolean to capture if a signature is present.
+1.5.0-dev,true,process,process.code_signature.exists,keyword,core,,true,Boolean to capture if a signature is present.
 1.5.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.5.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 1.5.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
-1.5.0-dev,true,process,process.code_signature.valid,boolean,core,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.5.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.5.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.5.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 25b8162af7..d281f0d25f 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -634,9 +634,8 @@ code_signature.exists: This should only populated if the signature was checked.' example: 'true' flat_name: code_signature.exists - format: core ignore_above: 1024 - level: extended + level: core name: exists normalize: [] order: 2 @@ -651,7 +650,6 @@ code_signature.status: or trust status.' example: ERROR_UNTRUSTED_ROOT flat_name: code_signature.status - format: string ignore_above: 1024 level: extended name: status @@ -665,7 +663,6 @@ code_signature.subject_name: description: Subject name of the code signer example: Microsoft Corporation flat_name: code_signature.subject_name - format: string ignore_above: 1024 level: core name: subject_name @@ -679,7 +676,6 @@ code_signature.trusted: description: Stores the trust status of the certificate chain. example: 'true' flat_name: code_signature.trusted - format: core level: extended name: trusted normalize: [] @@ -693,7 +689,7 @@ code_signature.valid: binary content. example: 'true' flat_name: code_signature.valid - level: core + level: extended name: valid normalize: [] order: 1 @@ -2200,9 +2196,8 @@ file.code_signature.exists: This should only populated if the signature was checked.' example: 'true' flat_name: file.code_signature.exists - format: core ignore_above: 1024 - level: extended + level: core name: exists normalize: [] order: 2 @@ -2217,7 +2212,6 @@ file.code_signature.status: or trust status.' example: ERROR_UNTRUSTED_ROOT flat_name: file.code_signature.status - format: string ignore_above: 1024 level: extended name: status @@ -2231,7 +2225,6 @@ file.code_signature.subject_name: description: Subject name of the code signer example: Microsoft Corporation flat_name: file.code_signature.subject_name - format: string ignore_above: 1024 level: core name: subject_name @@ -2245,7 +2238,6 @@ file.code_signature.trusted: description: Stores the trust status of the certificate chain. example: 'true' flat_name: file.code_signature.trusted - format: core level: extended name: trusted normalize: [] 
@@ -2259,7 +2251,7 @@ file.code_signature.valid: binary content. example: 'true' flat_name: file.code_signature.valid - level: core + level: extended name: valid normalize: [] order: 1 @@ -4321,9 +4313,8 @@ process.code_signature.exists: This should only populated if the signature was checked.' example: 'true' flat_name: process.code_signature.exists - format: core ignore_above: 1024 - level: extended + level: core name: exists normalize: [] order: 2 @@ -4338,7 +4329,6 @@ process.code_signature.status: or trust status.' example: ERROR_UNTRUSTED_ROOT flat_name: process.code_signature.status - format: string ignore_above: 1024 level: extended name: status @@ -4352,7 +4342,6 @@ process.code_signature.subject_name: description: Subject name of the code signer example: Microsoft Corporation flat_name: process.code_signature.subject_name - format: string ignore_above: 1024 level: core name: subject_name @@ -4366,7 +4355,6 @@ process.code_signature.trusted: description: Stores the trust status of the certificate chain. example: 'true' flat_name: process.code_signature.trusted - format: core level: extended name: trusted normalize: [] @@ -4380,7 +4368,7 @@ process.code_signature.valid: binary content. example: 'true' flat_name: process.code_signature.valid - level: core + level: extended name: valid normalize: [] order: 1 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 1f0412f49b..94206418e8 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -776,9 +776,8 @@ code_signature: This should only populated if the signature was checked.' example: 'true' flat_name: code_signature.exists - format: core ignore_above: 1024 - level: extended + level: core name: exists normalize: [] order: 2 @@ -792,7 +791,6 @@ code_signature: or trust status.' example: ERROR_UNTRUSTED_ROOT flat_name: code_signature.status - format: string ignore_above: 1024 level: extended name: status 
@@ -805,7 +803,6 @@ code_signature: description: Subject name of the code signer example: Microsoft Corporation flat_name: code_signature.subject_name - format: string ignore_above: 1024 level: core name: subject_name @@ -818,7 +815,6 @@ code_signature: description: Stores the trust status of the certificate chain. example: 'true' flat_name: code_signature.trusted - format: core level: extended name: trusted normalize: [] @@ -831,7 +827,7 @@ code_signature: the binary content. example: 'true' flat_name: code_signature.valid - level: core + level: extended name: valid normalize: [] order: 1 @@ -2449,9 +2445,8 @@ file: This should only populated if the signature was checked.' example: 'true' flat_name: file.code_signature.exists - format: core ignore_above: 1024 - level: extended + level: core name: exists normalize: [] order: 2 @@ -2466,7 +2461,6 @@ file: or trust status.' example: ERROR_UNTRUSTED_ROOT flat_name: file.code_signature.status - format: string ignore_above: 1024 level: extended name: status @@ -2480,7 +2474,6 @@ file: description: Subject name of the code signer example: Microsoft Corporation flat_name: file.code_signature.subject_name - format: string ignore_above: 1024 level: core name: subject_name @@ -2494,7 +2487,6 @@ file: description: Stores the trust status of the certificate chain. example: 'true' flat_name: file.code_signature.trusted - format: core level: extended name: trusted normalize: [] @@ -2508,7 +2500,7 @@ file: the binary content. example: 'true' flat_name: file.code_signature.valid - level: core + level: extended name: valid normalize: [] order: 1 @@ -4710,9 +4702,8 @@ process: This should only populated if the signature was checked.' example: 'true' flat_name: process.code_signature.exists - format: core ignore_above: 1024 - level: extended + level: core name: exists normalize: [] order: 2 
@@ -4727,7 +4718,6 @@ process: or trust status.' example: ERROR_UNTRUSTED_ROOT flat_name: process.code_signature.status - format: string ignore_above: 1024 level: extended name: status @@ -4741,7 +4731,6 @@ process: description: Subject name of the code signer example: Microsoft Corporation flat_name: process.code_signature.subject_name - format: string ignore_above: 1024 level: core name: subject_name @@ -4755,7 +4744,6 @@ process: description: Stores the trust status of the certificate chain. example: 'true' flat_name: process.code_signature.trusted - format: core level: extended name: trusted normalize: [] @@ -4769,7 +4757,7 @@ process: the binary content. example: 'true' flat_name: process.code_signature.valid - level: core + level: extended name: valid normalize: [] order: 1 From 135622c3074e5971066fc430e7d9ac5ddbb20ed5 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Wed, 12 Feb 2020 14:24:30 -0700 Subject: [PATCH 06/10] Add process.parent.code_signature,dll.code_signature --- docs/field-details.asciidoc | 8 +- generated/beats/fields.ecs.yml | 78 +++++++++++++ generated/csv/fields.csv | 10 ++ generated/ecs/ecs_flat.yml | 140 +++++++++++++++++++++++ generated/ecs/ecs_nested.yml | 143 ++++++++++++++++++++++++ generated/elasticsearch/6/template.json | 44 ++++++++ generated/elasticsearch/7/template.json | 44 ++++++++ schemas/code_signature.yml | 3 +- 8 files changed, 468 insertions(+), 2 deletions(-) diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 7bf591d898..d8288ca722 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -636,7 +636,7 @@ example: `true` ==== Field Reuse -The `code_signature` fields are expected to be nested at: `file.code_signature`, `process.code_signature`. +The `code_signature` fields are expected to be nested at: `dll.code_signature`, `file.code_signature`, `process.code_signature`, `process.parent.code_signature`. Note also that the `code_signature` fields are not expected to be used directly at the top level. @@ -1018,6 +1018,12 @@ example: `C:\Windows\System32\kernel32.dll` // =============================================================== +| <> +| These fields contain information about binary code signatures. + +// =============================================================== + + | <> | Hashes, usually file hashes. diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index aff0096800..ee6ab11583 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -754,6 +754,45 @@ * Dynamic library (`.dylib`) commonly used on macOS' type: group fields: + - name: code_signature.exists + level: core + type: keyword + ignore_above: 1024 + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: Stores the trust status of the certificate chain. + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: Boolean to capture if the digital signature is verified against + the binary content. + example: 'true' + default_field: false - name: hash.md5 level: extended type: keyword 
@@ -2762,6 +2801,45 @@ indication of suspicious activity.' example: 4 default_field: false + - name: parent.code_signature.exists + level: core + type: keyword + ignore_above: 1024 + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: 'true' + default_field: false + - name: parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: parent.code_signature.trusted + level: extended + type: boolean + description: Stores the trust status of the certificate chain. + example: 'true' + default_field: false + - name: parent.code_signature.valid + level: extended + type: boolean + description: Boolean to capture if the digital signature is verified against + the binary content. + example: 'true' + default_field: false - name: parent.command_line level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 6e5892ae12..2706e536ee 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -95,6 +95,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifiers of the user. 1.5.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user. 1.5.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +1.5.0-dev,true,dll,dll.code_signature.exists,keyword,core,,true,Boolean to capture if a signature is present. +1.5.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.5.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.5.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.5.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.5.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 1.5.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. 1.5.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -349,6 +354,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. 1.5.0-dev,true,process,process.parent.args,keyword,extended,array,"['ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. 1.5.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +1.5.0-dev,true,process,process.parent.code_signature.exists,keyword,core,,true,Boolean to capture if a signature is present. +1.5.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.5.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.5.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.5.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.5.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.5.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 1.5.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 3f8510ccf1..aaa03eefaf 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1180,6 +1180,76 @@ destination.user.name: original_fieldset: user short: Short name or login of the user. type: keyword +dll.code_signature.exists: + dashed_name: dll-code-signature-exists + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: 'true' + flat_name: dll.code_signature.exists + ignore_above: 1024 + level: core + name: exists + normalize: [] + order: 2 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: keyword +dll.code_signature.status: + dashed_name: dll-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + flat_name: dll.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +dll.code_signature.subject_name: + dashed_name: dll-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: dll.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 0 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +dll.code_signature.trusted: + dashed_name: dll-code-signature-trusted + description: Stores the trust status of the certificate chain. + example: 'true' + flat_name: dll.code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +dll.code_signature.valid: + dashed_name: dll-code-signature-valid + description: Boolean to capture if the digital signature is verified against the + binary content. 
+ example: 'true' + flat_name: dll.code_signature.valid + level: extended + name: valid + normalize: [] + order: 1 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. 
@@ -4797,6 +4867,76 @@ process.parent.args_count: order: 13 short: Length of the process.args array. type: long +process.parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: 'true' + flat_name: process.parent.code_signature.exists + ignore_above: 1024 + level: core + name: exists + normalize: [] + order: 2 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: keyword +process.parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +process.parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 0 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +process.parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted + description: Stores the trust status of the certificate chain. + example: 'true' + flat_name: process.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. 
+ type: boolean +process.parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid + description: Boolean to capture if the digital signature is verified against the + binary content. + example: 'true' + flat_name: process.parent.code_signature.valid + level: extended + name: valid + normalize: [] + order: 1 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean process.parent.command_line: dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 4533e45979..2ec5ca1e94 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -841,6 +841,8 @@ code_signature: expected: - file - process + - process.parent + - dll top_level: false short: These fields contain information about binary code signatures. title: Code Signature 
@@ -1369,6 +1371,76 @@ dll: * Dynamic library (`.dylib`) commonly used on macOS' fields: + code_signature.exists: + dashed_name: dll-code-signature-exists + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: 'true' + flat_name: dll.code_signature.exists + ignore_above: 1024 + level: core + name: exists + normalize: [] + order: 2 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: keyword + code_signature.status: + dashed_name: dll-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + flat_name: dll.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + code_signature.subject_name: + dashed_name: dll-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: dll.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 0 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + code_signature.trusted: + dashed_name: dll-code-signature-trusted + description: Stores the trust status of the certificate chain. + example: 'true' + flat_name: dll.code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + code_signature.valid: + dashed_name: dll-code-signature-valid + description: Boolean to capture if the digital signature is verified against + the binary content. 
+ example: 'true' + flat_name: dll.code_signature.valid + level: extended + name: valid + normalize: [] + order: 1 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. @@ -1511,6 +1583,7 @@ dll: group: 2 name: dll nestings: + - code_signature - hash - pe prefix: dll. 
@@ -5222,6 +5295,76 @@ process: order: 13 short: Length of the process.args array. type: long + parent.code_signature.exists: + dashed_name: process-parent-code-signature-exists + description: 'Boolean to capture if a signature is present. + + This should only populated if the signature was checked.' + example: 'true' + flat_name: process.parent.code_signature.exists + ignore_above: 1024 + level: core + name: exists + normalize: [] + order: 2 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: keyword + parent.code_signature.status: + dashed_name: process-parent-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status.' + example: ERROR_UNTRUSTED_ROOT + flat_name: process.parent.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + order: 4 + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + parent.code_signature.subject_name: + dashed_name: process-parent-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: process.parent.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + order: 0 + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + parent.code_signature.trusted: + dashed_name: process-parent-code-signature-trusted + description: Stores the trust status of the certificate chain. + example: 'true' + flat_name: process.parent.code_signature.trusted + level: extended + name: trusted + normalize: [] + order: 3 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. 
+ type: boolean + parent.code_signature.valid: + dashed_name: process-parent-code-signature-valid + description: Boolean to capture if the digital signature is verified against + the binary content. + example: 'true' + flat_name: process.parent.code_signature.valid + level: extended + name: valid + normalize: [] + order: 1 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean parent.command_line: dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 666ecba04f..f9abdd0d49 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -483,6 +483,28 @@ }, "dll": { "properties": { + "code_signature": { + "properties": { + "exists": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "hash": { "properties": { "md5": { @@ -1667,6 +1689,28 @@ "args_count": { "type": "long" }, + "code_signature": { + "properties": { + "exists": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "command_line": { "fields": { "text": { diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 87715ce9d5..e404550c28 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -482,6 +482,28 @@ }, "dll": { "properties": { + "code_signature": { + "properties": { + "exists": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "hash": { "properties": { "md5": { @@ -1666,6 +1688,28 @@ "args_count": { "type": "long" }, + "code_signature": { + "properties": { + "exists": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, "command_line": { "fields": { "text": { diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index 2f462127f9..f0d6dfa759 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml @@ -9,7 +9,8 @@ expected: - file - process - # - dll + - process.parent + - dll # - driver fields: From 88703c7970a3058e8e9406cec9586fec2b5d2758 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Fri, 14 Feb 2020 11:47:19 -0700 Subject: [PATCH 07/10] Change exists type to boolean Co-Authored-By: Mathieu Martin --- schemas/code_signature.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index f0d6dfa759..82917e08d5 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml @@ -30,7 +30,7 @@ - name: exists level: core - type: keyword + type: boolean short: Boolean to capture if a signature is present. description: > Boolean to capture if a signature is present. From 20aa8c23d280b44d7673c56ab555872ec054ed21 Mon Sep 17 00:00:00 2001 
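Review bot: The `exists` field description introduced by `description: >` in the schemas/code_signature.yml hunk still carries the grammatical slip visible in every regenerated copy of it (ecs_flat.yml, ecs_nested.yml, fields.ecs.yml): `This should only populated if the signature was checked.` — it should read `This should only be populated if the signature was checked.`, and fixing it once in the schema lets the next regeneration correct all derived files. With `exists` now a `boolean`, the unset/false distinction is the point consumers will rely on, so the description could state it outright, e.g. `Leave the field unset when no signature check was performed, so that false unambiguously means a check ran and found no signature.`; otherwise a rule that reads a missing value as false would presumably conflate "never checked" with "unsigned". The `- name: exists` entry continues past the end of the hunk, and the `expected:` list hunk above it in the same file (adding `process.parent` and `dll`) needs no change.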
From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Fri, 14 Feb 2020 11:47:51 -0700 Subject: [PATCH 08/10] Regenerate after fixing type --- code/go/ecs/code_signature.go | 2 +- docs/field-details.asciidoc | 2 +- generated/beats/fields.ecs.yml | 15 +++++---------- generated/csv/fields.csv | 10 +++++----- generated/ecs/ecs_flat.yml | 15 +++++---------- generated/ecs/ecs_nested.yml | 15 +++++---------- generated/elasticsearch/6/template.json | 15 +++++---------- generated/elasticsearch/7/template.json | 15 +++++---------- 8 files changed, 32 insertions(+), 57 deletions(-) diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go index ba2e47d4b2..4df6dccdab 100644 --- a/code/go/ecs/code_signature.go +++ b/code/go/ecs/code_signature.go @@ -30,7 +30,7 @@ type CodeSignature struct { // Boolean to capture if a signature is present. // This should only populated if the signature was checked. - Exists string `ecs:"exists"` + Exists bool `ecs:"exists"` // Stores the trust status of the certificate chain. Trusted bool `ecs:"trusted"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index d8288ca722..83df6ceee8 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -568,7 +568,7 @@ These fields contain information about binary code signatures. This should only populated if the signature was checked. -type: keyword +type: boolean diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index ee6ab11583..00180a6307 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -437,8 +437,7 @@ fields: - name: exists level: core - type: keyword - ignore_above: 1024 + type: boolean description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' 
@@ -756,8 +755,7 @@ fields: - name: code_signature.exists level: core - type: keyword - ignore_above: 1024 + type: boolean description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' @@ -1374,8 +1372,7 @@ default_field: false - name: code_signature.exists level: core - type: keyword - ignore_above: 1024 + type: boolean description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' @@ -2674,8 +2671,7 @@ default_field: false - name: code_signature.exists level: core - type: keyword - ignore_above: 1024 + type: boolean description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' @@ -2803,8 +2799,7 @@ default_field: false - name: parent.code_signature.exists level: core - type: keyword - ignore_above: 1024 + type: boolean description: 'Boolean to capture if a signature is present. This should only populated if the signature was checked.' diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 2706e536ee..3f59cc6fc5 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -51,7 +51,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. 1.5.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. 1.5.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. -1.5.0-dev,true,code_signature,code_signature.exists,keyword,core,,true,Boolean to capture if a signature is present. +1.5.0-dev,true,code_signature,code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 1.5.0-dev,true,code_signature,code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.5.0-dev,true,code_signature,code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 1.5.0-dev,true,code_signature,code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
@@ -95,7 +95,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifiers of the user. 1.5.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user. 1.5.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. -1.5.0-dev,true,dll,dll.code_signature.exists,keyword,core,,true,Boolean to capture if a signature is present. +1.5.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 1.5.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.5.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 1.5.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
@@ -160,7 +160,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. 1.5.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. 1.5.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -1.5.0-dev,true,file,file.code_signature.exists,keyword,core,,true,Boolean to capture if a signature is present. +1.5.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 1.5.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.5.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 1.5.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
@@ -336,7 +336,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,pe,pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 1.5.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. 1.5.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -1.5.0-dev,true,process,process.code_signature.exists,keyword,core,,true,Boolean to capture if a signature is present. +1.5.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 1.5.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.5.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 1.5.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
@@ -354,7 +354,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.5.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. 1.5.0-dev,true,process,process.parent.args,keyword,extended,array,"['ssh', '-l', 'user', '10.0.0.16']",Array of process arguments. 1.5.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -1.5.0-dev,true,process,process.parent.code_signature.exists,keyword,core,,true,Boolean to capture if a signature is present. +1.5.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 1.5.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.5.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 1.5.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index aaa03eefaf..cb8d13233e 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -634,14 +634,13 @@ code_signature.exists: This should only populated if the signature was checked.' example: 'true' flat_name: code_signature.exists - ignore_above: 1024 level: core name: exists normalize: [] order: 2 original_fieldset: code_signature short: Boolean to capture if a signature is present. - type: keyword + type: boolean code_signature.status: dashed_name: code-signature-status description: 'Additional information about the certificate status. 
@@ -1187,14 +1186,13 @@ dll.code_signature.exists: This should only populated if the signature was checked.' example: 'true' flat_name: dll.code_signature.exists - ignore_above: 1024 level: core name: exists normalize: [] order: 2 original_fieldset: code_signature short: Boolean to capture if a signature is present. - type: keyword + type: boolean dll.code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -2405,14 +2403,13 @@ file.code_signature.exists: This should only populated if the signature was checked.' example: 'true' flat_name: file.code_signature.exists - ignore_above: 1024 level: core name: exists normalize: [] order: 2 original_fieldset: code_signature short: Boolean to capture if a signature is present. - type: keyword + type: boolean file.code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -4652,14 +4649,13 @@ process.code_signature.exists: This should only populated if the signature was checked.' example: 'true' flat_name: process.code_signature.exists - ignore_above: 1024 level: core name: exists normalize: [] order: 2 original_fieldset: code_signature short: Boolean to capture if a signature is present. - type: keyword + type: boolean process.code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. @@ -4874,14 +4870,13 @@ process.parent.code_signature.exists: This should only populated if the signature was checked.' example: 'true' flat_name: process.parent.code_signature.exists - ignore_above: 1024 level: core name: exists normalize: [] order: 2 original_fieldset: code_signature short: Boolean to capture if a signature is present. - type: keyword + type: boolean process.parent.code_signature.status: dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. 
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 2ec5ca1e94..ea0bd9abc6 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -776,13 +776,12 @@ code_signature: This should only populated if the signature was checked.' example: 'true' flat_name: code_signature.exists - ignore_above: 1024 level: core name: exists normalize: [] order: 2 short: Boolean to capture if a signature is present. - type: keyword + type: boolean status: dashed_name: code-signature-status description: 'Additional information about the certificate status. @@ -1378,14 +1377,13 @@ dll: This should only populated if the signature was checked.' example: 'true' flat_name: dll.code_signature.exists - ignore_above: 1024 level: core name: exists normalize: [] order: 2 original_fieldset: code_signature short: Boolean to capture if a signature is present. - type: keyword + type: boolean code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -2681,14 +2679,13 @@ file: This should only populated if the signature was checked.' example: 'true' flat_name: file.code_signature.exists - ignore_above: 1024 level: core name: exists normalize: [] order: 2 original_fieldset: code_signature short: Boolean to capture if a signature is present. - type: keyword + type: boolean code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -5080,14 +5077,13 @@ process: This should only populated if the signature was checked.' example: 'true' flat_name: process.code_signature.exists - ignore_above: 1024 level: core name: exists normalize: [] order: 2 original_fieldset: code_signature short: Boolean to capture if a signature is present. - type: keyword + type: boolean code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. 
@@ -5302,14 +5298,13 @@ process:
 This should only populated if the signature was checked.'
 example: 'true'
 flat_name: process.parent.code_signature.exists
- ignore_above: 1024
 level: core
 name: exists
 normalize: []
 order: 2
 original_fieldset: code_signature
 short: Boolean to capture if a signature is present.
- type: keyword
+ type: boolean
 parent.code_signature.status:
 dashed_name: process-parent-code-signature-status
 description: 'Additional information about the certificate status.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index f9abdd0d49..6b5099473d 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -273,8 +273,7 @@
 "code_signature": {
 "properties": {
 "exists": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "boolean"
 },
 "status": {
 "ignore_above": 1024,
@@ -486,8 +485,7 @@
 "code_signature": {
 "properties": {
 "exists": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "boolean"
 },
 "status": {
 "ignore_above": 1024,
@@ -775,8 +773,7 @@
 "code_signature": {
 "properties": {
 "exists": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "boolean"
 },
 "status": {
 "ignore_above": 1024,
@@ -1608,8 +1605,7 @@
 "code_signature": {
 "properties": {
 "exists": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "boolean"
 },
 "status": {
 "ignore_above": 1024,
@@ -1692,8 +1688,7 @@
 "code_signature": {
 "properties": {
 "exists": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "boolean"
 },
 "status": {
 "ignore_above": 1024,
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index e404550c28..c721e2004f 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -272,8 +272,7 @@
 "code_signature": {
 "properties": {
 "exists": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "boolean"
 },
 "status": {
 "ignore_above": 1024,
@@ -485,8 +484,7 @@
 "code_signature": {
 "properties": {
 "exists": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "boolean"
 },
 "status": {
 "ignore_above": 1024,
@@ -774,8 +772,7 @@
 "code_signature": {
 "properties": {
 "exists": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "boolean"
 },
 "status": {
 "ignore_above": 1024,
@@ -1607,8 +1604,7 @@
 "code_signature": {
 "properties": {
 "exists": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "boolean"
 },
 "status": {
 "ignore_above": 1024,
@@ -1691,8 +1687,7 @@
 "code_signature": {
 "properties": {
 "exists": {
- "ignore_above": 1024,
- "type": "keyword"
+ "type": "boolean"
 },
 "status": {
 "ignore_above": 1024,
From 96890efb12a87175aac77257ff2bc59491849c58 Mon Sep 17 00:00:00 2001
From: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Date: Fri, 14 Feb 2020 15:15:39 -0700
Subject: [PATCH 09/10] Add notes about extended fields
---
 code/go/ecs/code_signature.go | 8 +++-
 docs/field-details.asciidoc | 8 ++--
 generated/beats/fields.ecs.yml | 80 +++++++++++++++++++++-------------
 generated/ecs/ecs_flat.yml | 80 +++++++++++++++++++++-------------
 generated/ecs/ecs_nested.yml | 80 +++++++++++++++++++++-------------
 schemas/code_signature.yml | 20 +++++----
 6 files changed, 173 insertions(+), 103 deletions(-)
diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go
index 4df6dccdab..0ef69115c0 100644
--- a/code/go/ecs/code_signature.go
+++ b/code/go/ecs/code_signature.go
@@ -26,17 +26,21 @@ type CodeSignature struct { // Boolean to capture if the digital signature is verified against the // binary content. + // Leave unpopulated if a certificate was unchecked. Valid bool `ecs:"valid"` // Boolean to capture if a signature is present. - // This should only populated if the signature was checked. Exists bool `ecs:"exists"` // Stores the trust status of the certificate chain. + // Validating the trust of the certificate chain may be complicated, and + // this field should only be populated by tools that actively check the + // status. Trusted bool `ecs:"trusted"` // Additional information about the certificate status. // This is useful for logging cryptographic errors with the certificate - // validity or trust status. + // validity or trust status. Leave unpopulated if the validity or trust of + // the certificate was unchecked. Status string `ecs:"status"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 83df6ceee8..7fe3b44c09 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -566,8 +566,6 @@ These fields contain information about binary code signatures. | code_signature.exists | Boolean to capture if a signature is present. -This should only populated if the signature was checked. - type: boolean @@ -581,7 +579,7 @@ example: `true` | code_signature.status | Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword @@ -609,6 +607,8 @@ example: `Microsoft Corporation` | code_signature.trusted | Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + type: boolean 
@@ -622,6 +622,8 @@ example: `true` | code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + type: boolean diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 00180a6307..9fd24ef4ea 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -438,9 +438,7 @@ - name: exists level: core type: boolean - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: status @@ -450,7 +448,8 @@ description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: subject_name @@ -463,14 +462,19 @@ - name: trusted level: extended type: boolean - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: valid level: extended type: boolean - description: Boolean to capture if the digital signature is verified against + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: container 
@@ -756,9 +760,7 @@ - name: code_signature.exists level: core type: boolean - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.status @@ -768,7 +770,8 @@ description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name @@ -781,14 +784,19 @@ - name: code_signature.trusted level: extended type: boolean - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean - description: Boolean to capture if the digital signature is verified against + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: hash.md5 @@ -1373,9 +1381,7 @@ - name: code_signature.exists level: core type: boolean - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.status 
@@ -1385,7 +1391,8 @@ description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name @@ -1398,14 +1405,19 @@ - name: code_signature.trusted level: extended type: boolean - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean - description: Boolean to capture if the digital signature is verified against + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: created @@ -2672,9 +2684,7 @@ - name: code_signature.exists level: core type: boolean - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: code_signature.status @@ -2684,7 +2694,8 @@ description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: code_signature.subject_name 
@@ -2697,14 +2708,19 @@ - name: code_signature.trusted level: extended type: boolean - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: code_signature.valid level: extended type: boolean - description: Boolean to capture if the digital signature is verified against + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: command_line @@ -2800,9 +2816,7 @@ - name: parent.code_signature.exists level: core type: boolean - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' default_field: false - name: parent.code_signature.status @@ -2812,7 +2826,8 @@ description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - name: parent.code_signature.subject_name 
@@ -2825,14 +2840,19 @@ - name: parent.code_signature.trusted level: extended type: boolean - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' example: 'true' default_field: false - name: parent.code_signature.valid level: extended type: boolean - description: Boolean to capture if the digital signature is verified against + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - name: parent.command_line diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index cb8d13233e..9ed522e0e8 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -629,9 +629,7 @@ cloud.region: type: keyword code_signature.exists: dashed_name: code-signature-exists - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' flat_name: code_signature.exists level: core @@ -646,7 +644,8 @@ code_signature.status: description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT flat_name: code_signature.status ignore_above: 1024 
@@ -672,7 +671,10 @@ code_signature.subject_name: type: keyword code_signature.trusted: dashed_name: code-signature-trusted - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' example: 'true' flat_name: code_signature.trusted level: extended @@ -684,8 +686,10 @@ code_signature.trusted: type: boolean code_signature.valid: dashed_name: code-signature-valid - description: Boolean to capture if the digital signature is verified against the + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' flat_name: code_signature.valid level: extended @@ -1181,9 +1185,7 @@ destination.user.name: type: keyword dll.code_signature.exists: dashed_name: dll-code-signature-exists - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' flat_name: dll.code_signature.exists level: core @@ -1198,7 +1200,8 @@ dll.code_signature.status: description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT flat_name: dll.code_signature.status ignore_above: 1024 
@@ -1224,7 +1227,10 @@ dll.code_signature.subject_name: type: keyword dll.code_signature.trusted: dashed_name: dll-code-signature-trusted - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' example: 'true' flat_name: dll.code_signature.trusted level: extended @@ -1236,8 +1242,10 @@ dll.code_signature.trusted: type: boolean dll.code_signature.valid: dashed_name: dll-code-signature-valid - description: Boolean to capture if the digital signature is verified against the + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' flat_name: dll.code_signature.valid level: extended @@ -2398,9 +2406,7 @@ file.attributes: type: keyword file.code_signature.exists: dashed_name: file-code-signature-exists - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' flat_name: file.code_signature.exists level: core @@ -2415,7 +2421,8 @@ file.code_signature.status: description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT flat_name: file.code_signature.status ignore_above: 1024 
@@ -2441,7 +2448,10 @@ file.code_signature.subject_name: type: keyword file.code_signature.trusted: dashed_name: file-code-signature-trusted - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' example: 'true' flat_name: file.code_signature.trusted level: extended @@ -2453,8 +2463,10 @@ file.code_signature.trusted: type: boolean file.code_signature.valid: dashed_name: file-code-signature-valid - description: Boolean to capture if the digital signature is verified against the + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' flat_name: file.code_signature.valid level: extended @@ -4644,9 +4656,7 @@ process.args_count: type: long process.code_signature.exists: dashed_name: process-code-signature-exists - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' flat_name: process.code_signature.exists level: core @@ -4661,7 +4671,8 @@ process.code_signature.status: description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT flat_name: process.code_signature.status ignore_above: 1024 
@@ -4687,7 +4698,10 @@ process.code_signature.subject_name: type: keyword process.code_signature.trusted: dashed_name: process-code-signature-trusted - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' example: 'true' flat_name: process.code_signature.trusted level: extended @@ -4699,8 +4713,10 @@ process.code_signature.trusted: type: boolean process.code_signature.valid: dashed_name: process-code-signature-valid - description: Boolean to capture if the digital signature is verified against the + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' flat_name: process.code_signature.valid level: extended @@ -4865,9 +4881,7 @@ process.parent.args_count: type: long process.parent.code_signature.exists: dashed_name: process-parent-code-signature-exists - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' flat_name: process.parent.code_signature.exists level: core @@ -4882,7 +4896,8 @@ process.parent.code_signature.status: description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT flat_name: process.parent.code_signature.status ignore_above: 1024 
@@ -4908,7 +4923,10 @@ process.parent.code_signature.subject_name: type: keyword process.parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' example: 'true' flat_name: process.parent.code_signature.trusted level: extended @@ -4920,8 +4938,10 @@ process.parent.code_signature.trusted: type: boolean process.parent.code_signature.valid: dashed_name: process-parent-code-signature-valid - description: Boolean to capture if the digital signature is verified against the + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' flat_name: process.parent.code_signature.valid level: extended diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index ea0bd9abc6..c07ff680ac 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -771,9 +771,7 @@ code_signature: fields: exists: dashed_name: code-signature-exists - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' flat_name: code_signature.exists level: core @@ -787,7 +785,8 @@ code_signature: description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT flat_name: code_signature.status ignore_above: 1024 
@@ -811,7 +810,10 @@ code_signature: type: keyword trusted: dashed_name: code-signature-trusted - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' example: 'true' flat_name: code_signature.trusted level: extended @@ -822,8 +824,10 @@ code_signature: type: boolean valid: dashed_name: code-signature-valid - description: Boolean to capture if the digital signature is verified against + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' flat_name: code_signature.valid level: extended @@ -1372,9 +1376,7 @@ dll: fields: code_signature.exists: dashed_name: dll-code-signature-exists - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' flat_name: dll.code_signature.exists level: core @@ -1389,7 +1391,8 @@ dll: description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT flat_name: dll.code_signature.status ignore_above: 1024 
@@ -1415,7 +1418,10 @@ dll: type: keyword code_signature.trusted: dashed_name: dll-code-signature-trusted - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' example: 'true' flat_name: dll.code_signature.trusted level: extended @@ -1427,8 +1433,10 @@ dll: type: boolean code_signature.valid: dashed_name: dll-code-signature-valid - description: Boolean to capture if the digital signature is verified against + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' flat_name: dll.code_signature.valid level: extended @@ -2674,9 +2682,7 @@ file: type: keyword code_signature.exists: dashed_name: file-code-signature-exists - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' flat_name: file.code_signature.exists level: core @@ -2691,7 +2697,8 @@ file: description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT flat_name: file.code_signature.status ignore_above: 1024 
@@ -2717,7 +2724,10 @@ file: type: keyword code_signature.trusted: dashed_name: file-code-signature-trusted - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' example: 'true' flat_name: file.code_signature.trusted level: extended @@ -2729,8 +2739,10 @@ file: type: boolean code_signature.valid: dashed_name: file-code-signature-valid - description: Boolean to capture if the digital signature is verified against + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' flat_name: file.code_signature.valid level: extended @@ -5072,9 +5084,7 @@ process: type: long code_signature.exists: dashed_name: process-code-signature-exists - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' flat_name: process.code_signature.exists level: core @@ -5089,7 +5099,8 @@ process: description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT flat_name: process.code_signature.status ignore_above: 1024 
@@ -5115,7 +5126,10 @@ process: type: keyword code_signature.trusted: dashed_name: process-code-signature-trusted - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' example: 'true' flat_name: process.code_signature.trusted level: extended @@ -5127,8 +5141,10 @@ process: type: boolean code_signature.valid: dashed_name: process-code-signature-valid - description: Boolean to capture if the digital signature is verified against + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' flat_name: process.code_signature.valid level: extended @@ -5293,9 +5309,7 @@ process: type: long parent.code_signature.exists: dashed_name: process-parent-code-signature-exists - description: 'Boolean to capture if a signature is present. - - This should only populated if the signature was checked.' + description: Boolean to capture if a signature is present. example: 'true' flat_name: process.parent.code_signature.exists level: core @@ -5310,7 +5324,8 @@ process: description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity - or trust status.' + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' example: ERROR_UNTRUSTED_ROOT flat_name: process.parent.code_signature.status ignore_above: 1024 
@@ -5336,7 +5351,10 @@ process: type: keyword parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted - description: Stores the trust status of the certificate chain. + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' example: 'true' flat_name: process.parent.code_signature.trusted level: extended @@ -5348,8 +5366,10 @@ process: type: boolean parent.code_signature.valid: dashed_name: process-parent-code-signature-valid - description: Boolean to capture if the digital signature is verified against + description: 'Boolean to capture if the digital signature is verified against the binary content. + + Leave unpopulated if a certificate was unchecked.' example: 'true' flat_name: process.parent.code_signature.valid level: extended diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index 82917e08d5..43cff15536 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml 
@@ -20,29 +20,32 @@ description: Subject name of the code signer example: Microsoft Corporation - - name: valid level: extended type: boolean - description: Boolean to capture if the digital signature is verified against the binary content. + short: Boolean to capture if the digital signature is verified against the binary content. example: "true" + description: > + Boolean to capture if the digital signature is verified against the binary content. + Leave unpopulated if a certificate was unchecked. - name: exists level: core type: boolean - short: Boolean to capture if a signature is present. - description: > - Boolean to capture if a signature is present. - - This should only populated if the signature was checked. + description: Boolean to capture if a signature is present. example: "true" - name: trusted level: extended type: boolean - description: Stores the trust status of the certificate chain. + short: Stores the trust status of the certificate chain. example: "true" + description: > + Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field should only be populated + by tools that actively check the status. - name: status @@ -53,4 +56,5 @@ Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. + Leave unpopulated if the validity or trust of the certificate was unchecked. example: ERROR_UNTRUSTED_ROOT From a3c87725af6d4171d00df8157d1d3d06f36a253f Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Fri, 14 Feb 2020 15:16:18 -0700 Subject: [PATCH 10/10] Change the order --- code/go/ecs/code_signature.go | 6 +++--- generated/ecs/ecs_flat.yml | 30 +++++++++++++++--------------- generated/ecs/ecs_nested.yml | 30 +++++++++++++++--------------- schemas/code_signature.yml | 12 ++++++------ 4 files changed, 39 insertions(+), 39 deletions(-) 
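Review bot: The caveat added to `valid` in the first hunk of schemas/code_signature.yml, `Leave unpopulated if a certificate was unchecked.`, names the wrong object: `valid` records whether the signature was verified against the binary content, so the condition for leaving it unset is that the signature was not checked, e.g. `Leave unpopulated if the signature was not checked.`. The `valid` description also never says that a verified signature does not imply a trusted signer, which matters because the `status` example `ERROR_UNTRUSTED_ROOT` is precisely a signature that verifies but chains to an untrusted root; a sentence such as `A valid signature only shows the content was not altered after signing; see trusted for whether the signer is trusted.` would stop consumers from reading `valid: true` as a trust decision. Dropping the "only populated if the signature was checked" sentence from `exists` leaves no way to tell an absent field (unchecked) from `false` (checked, unsigned); reusing the `Leave unpopulated if ...` wording given to `valid` and `status` would keep the three fields consistent.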
diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go index 0ef69115c0..df61c3b935 100644 --- a/code/go/ecs/code_signature.go +++ b/code/go/ecs/code_signature.go @@ -21,6 +21,9 @@ package ecs // These fields contain information about binary code signatures. type CodeSignature struct { + // Boolean to capture if a signature is present. + Exists bool `ecs:"exists"` + // Subject name of the code signer SubjectName string `ecs:"subject_name"` @@ -29,9 +32,6 @@ type CodeSignature struct { // Leave unpopulated if a certificate was unchecked. Valid bool `ecs:"valid"` - // Boolean to capture if a signature is present. - Exists bool `ecs:"exists"` - // Stores the trust status of the certificate chain. // Validating the trust of the certificate chain may be complicated, and // this field should only be populated by tools that actively check the diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 9ed522e0e8..6ecb6dda93 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -635,7 +635,7 @@ code_signature.exists: level: core name: exists normalize: [] - order: 2 + order: 0 original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean @@ -665,7 +665,7 @@ code_signature.subject_name: level: core name: subject_name normalize: [] - order: 0 + order: 1 original_fieldset: code_signature short: Subject name of the code signer type: keyword @@ -695,7 +695,7 @@ code_signature.valid: level: extended name: valid normalize: [] - order: 1 + order: 2 original_fieldset: code_signature short: Boolean to capture if the digital signature is verified against the binary content. @@ -1191,7 +1191,7 @@ dll.code_signature.exists: level: core name: exists normalize: [] - order: 2 + order: 0 original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean 
@@ -1221,7 +1221,7 @@ dll.code_signature.subject_name: level: core name: subject_name normalize: [] - order: 0 + order: 1 original_fieldset: code_signature short: Subject name of the code signer type: keyword @@ -1251,7 +1251,7 @@ dll.code_signature.valid: level: extended name: valid normalize: [] - order: 1 + order: 2 original_fieldset: code_signature short: Boolean to capture if the digital signature is verified against the binary content. @@ -2412,7 +2412,7 @@ file.code_signature.exists: level: core name: exists normalize: [] - order: 2 + order: 0 original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean @@ -2442,7 +2442,7 @@ file.code_signature.subject_name: level: core name: subject_name normalize: [] - order: 0 + order: 1 original_fieldset: code_signature short: Subject name of the code signer type: keyword @@ -2472,7 +2472,7 @@ file.code_signature.valid: level: extended name: valid normalize: [] - order: 1 + order: 2 original_fieldset: code_signature short: Boolean to capture if the digital signature is verified against the binary content. @@ -4662,7 +4662,7 @@ process.code_signature.exists: level: core name: exists normalize: [] - order: 2 + order: 0 original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean @@ -4692,7 +4692,7 @@ process.code_signature.subject_name: level: core name: subject_name normalize: [] - order: 0 + order: 1 original_fieldset: code_signature short: Subject name of the code signer type: keyword @@ -4722,7 +4722,7 @@ process.code_signature.valid: level: extended name: valid normalize: [] - order: 1 + order: 2 original_fieldset: code_signature short: Boolean to capture if the digital signature is verified against the binary content. @@ -4887,7 +4887,7 @@ process.parent.code_signature.exists: level: core name: exists normalize: [] - order: 2 + order: 0 original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean 
@@ -4917,7 +4917,7 @@ process.parent.code_signature.subject_name: level: core name: subject_name normalize: [] - order: 0 + order: 1 original_fieldset: code_signature short: Subject name of the code signer type: keyword @@ -4947,7 +4947,7 @@ process.parent.code_signature.valid: level: extended name: valid normalize: [] - order: 1 + order: 2 original_fieldset: code_signature short: Boolean to capture if the digital signature is verified against the binary content. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index c07ff680ac..c20207a5cb 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -777,7 +777,7 @@ code_signature: level: core name: exists normalize: [] - order: 2 + order: 0 short: Boolean to capture if a signature is present. type: boolean status: @@ -805,7 +805,7 @@ code_signature: level: core name: subject_name normalize: [] - order: 0 + order: 1 short: Subject name of the code signer type: keyword trusted: @@ -833,7 +833,7 @@ code_signature: level: extended name: valid normalize: [] - order: 1 + order: 2 short: Boolean to capture if the digital signature is verified against the binary content. type: boolean @@ -1382,7 +1382,7 @@ dll: level: core name: exists normalize: [] - order: 2 + order: 0 original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean @@ -1412,7 +1412,7 @@ dll: level: core name: subject_name normalize: [] - order: 0 + order: 1 original_fieldset: code_signature short: Subject name of the code signer type: keyword @@ -1442,7 +1442,7 @@ dll: level: extended name: valid normalize: [] - order: 1 + order: 2 original_fieldset: code_signature short: Boolean to capture if the digital signature is verified against the binary content. @@ -2688,7 +2688,7 @@ file: level: core name: exists normalize: [] - order: 2 + order: 0 original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean 
@@ -2718,7 +2718,7 @@ file: level: core name: subject_name normalize: [] - order: 0 + order: 1 original_fieldset: code_signature short: Subject name of the code signer type: keyword @@ -2748,7 +2748,7 @@ file: level: extended name: valid normalize: [] - order: 1 + order: 2 original_fieldset: code_signature short: Boolean to capture if the digital signature is verified against the binary content. @@ -5090,7 +5090,7 @@ process: level: core name: exists normalize: [] - order: 2 + order: 0 original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean @@ -5120,7 +5120,7 @@ process: level: core name: subject_name normalize: [] - order: 0 + order: 1 original_fieldset: code_signature short: Subject name of the code signer type: keyword @@ -5150,7 +5150,7 @@ process: level: extended name: valid normalize: [] - order: 1 + order: 2 original_fieldset: code_signature short: Boolean to capture if the digital signature is verified against the binary content. @@ -5315,7 +5315,7 @@ process: level: core name: exists normalize: [] - order: 2 + order: 0 original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean @@ -5345,7 +5345,7 @@ process: level: core name: subject_name normalize: [] - order: 0 + order: 1 original_fieldset: code_signature short: Subject name of the code signer type: keyword @@ -5375,7 +5375,7 @@ process: level: extended name: valid normalize: [] - order: 1 + order: 2 original_fieldset: code_signature short: Boolean to capture if the digital signature is verified against the binary content. diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index 43cff15536..a4be8cf758 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml @@ -14,6 +14,12 @@ # - driver fields: + - name: exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: "true" + - name: subject_name level: core type: keyword 
@@ -30,12 +36,6 @@ Leave unpopulated if a certificate was unchecked. - - name: exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: "true" - - name: trusted level: extended type: boolean