Digital code signatures for process, file and dll events

docs/field-details.asciidoc

@@ -550,6 +550,99 @@ example: `us-east-1`
 
 |=====
 
+[[ecs-code_signature]]
+=== Code Signature Fields
+
+These fields contain information about binary code signatures.
+
+==== Code Signature Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+| code_signature.exists
+| Boolean to capture if a signature is present.
+
+This should only populated if the signature was checked.
+
+type: keyword
+
+
+
+example: `true`
+
+| core
+
+// ===============================================================
+
+| code_signature.status
+| Additional information about the certificate status.
+
+This is useful for logging cryptographic errors with the certificate validity or trust status.
+
+type: keyword
+
+
+
+example: `ERROR_UNTRUSTED_ROOT`
+
+| extended
+
+// ===============================================================
+
+| code_signature.subject_name
+| Subject name of the code signer
+
+type: keyword
+
+
+
+example: `Microsoft Corporation`
+
+| core
+
+// ===============================================================
+
+| code_signature.trusted
+| Stores the trust status of the certificate chain.
+
+type: boolean
+
+
+
+example: `true`
+
+| extended
+
+// ===============================================================
+
+| code_signature.valid
+| Boolean to capture if the digital signature is verified against the binary content.
+
+type: boolean
+
+
+
+example: `true`
+
+| extended
+
+// ===============================================================
+
+|=====
+
+==== Field Reuse
+
+The `code_signature` fields are expected to be nested at: `file.code_signature`, `process.code_signature`.
+
+Note also that the `code_signature` fields are not expected to be used directly at the top level.
+
+
+
+
 [[ecs-container]]
 === Container Fields
 
@@ -1967,6 +2060,12 @@ example: `1001`
 // ===============================================================
 
 
+| <<ecs-code_signature,file.code_signature.*>>
+| These fields contain information about binary code signatures.
+
+// ===============================================================
+
+
 | <<ecs-hash,file.hash.*>>
 | Hashes, usually file hashes.
 
@@ -4021,6 +4120,12 @@ example: `/home/alice`
 // ===============================================================
 
 
+| <<ecs-code_signature,process.code_signature.*>>
+| These fields contain information about binary code signatures.
+
+// ===============================================================
+
+
 | <<ecs-hash,process.hash.*>>
 | Hashes, usually file hashes.
 

docs/fields.asciidoc

@@ -28,6 +28,8 @@ all fields are defined.
 
 | <<ecs-cloud,Cloud>> | Fields about the cloud resource.
 
+| <<ecs-code_signature,Code Signature>> | These fields contain information about binary code signatures.
+
 | <<ecs-container,Container>> | Fields describing the container that generated this event.
 
 | <<ecs-destination,Destination>> | Fields about the destination side of a network connection, used with source.

generated/beats/fields.ecs.yml

@@ -429,6 +429,51 @@
       ignore_above: 1024
       description: Region in which this host is running.
       example: us-east-1
+  - name: code_signature
+    title: Code Signature
+    group: 2
+    description: These fields contain information about binary code signatures.
+    type: group
+    fields:
+    - name: exists
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Boolean to capture if a signature is present.
+
+        This should only populated if the signature was checked.'
+      example: 'true'
+      default_field: false
+    - name: status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: trusted
+      level: extended
+      type: boolean
+      description: Stores the trust status of the certificate chain.
+      example: 'true'
+      default_field: false
+    - name: valid
+      level: extended
+      type: boolean
+      description: Boolean to capture if the digital signature is verified against
+        the binary content.
+      example: 'true'
+      default_field: false
   - name: container
     title: Container
     group: 2
@@ -1196,6 +1241,45 @@
         execute, hidden, read, readonly, system, write.'
       example: '["readonly", "system"]'
       default_field: false
+    - name: code_signature.exists
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Boolean to capture if a signature is present.
+
+        This should only populated if the signature was checked.'
+      example: 'true'
+      default_field: false
+    - name: code_signature.status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: code_signature.subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: code_signature.trusted
+      level: extended
+      type: boolean
+      description: Stores the trust status of the certificate chain.
+      example: 'true'
+      default_field: false
+    - name: code_signature.valid
+      level: extended
+      type: boolean
+      description: Boolean to capture if the digital signature is verified against
+        the binary content.
+      example: 'true'
+      default_field: false
     - name: created
       level: extended
       type: date
@@ -2381,6 +2465,45 @@
         indication of suspicious activity.'
       example: 4
       default_field: false
+    - name: code_signature.exists
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Boolean to capture if a signature is present.
+
+        This should only populated if the signature was checked.'
+      example: 'true'
+      default_field: false
+    - name: code_signature.status
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Additional information about the certificate status.
+
+        This is useful for logging cryptographic errors with the certificate validity
+        or trust status.'
+      example: ERROR_UNTRUSTED_ROOT
+      default_field: false
+    - name: code_signature.subject_name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Subject name of the code signer
+      example: Microsoft Corporation
+      default_field: false
+    - name: code_signature.trusted
+      level: extended
+      type: boolean
+      description: Stores the trust status of the certificate chain.
+      example: 'true'
+      default_field: false
+    - name: code_signature.valid
+      level: extended
+      type: boolean
+      description: Boolean to capture if the digital signature is verified against
+        the binary content.
+      example: 'true'
+      default_field: false
     - name: command_line
       level: extended
       type: keyword

generated/csv/fields.csv

@@ -51,6 +51,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
 1.5.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
 1.5.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running.
+1.5.0-dev,true,code_signature,code_signature.exists,keyword,core,,true,Boolean to capture if a signature is present.
+1.5.0-dev,true,code_signature,code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.5.0-dev,true,code_signature,code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.5.0-dev,true,code_signature,code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.5.0-dev,true,code_signature,code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,container,container.id,keyword,core,,,Unique container id.
 1.5.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
 1.5.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags.
@@ -139,6 +144,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy.
 1.5.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed.
 1.5.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.5.0-dev,true,file,file.code_signature.exists,keyword,core,,true,Boolean to capture if a signature is present.
+1.5.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.5.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.5.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.5.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,file,file.created,date,extended,,,File creation time.
 1.5.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed.
 1.5.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file.
@@ -300,6 +310,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.5.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version
 1.5.0-dev,true,process,process.args,keyword,extended,array,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",Array of process arguments.
 1.5.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
+1.5.0-dev,true,process,process.code_signature.exists,keyword,core,,true,Boolean to capture if a signature is present.
+1.5.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.5.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.5.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.5.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.5.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.5.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 1.5.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.