Secondary Malware Signature Fields (#538) (#539)

* Add some missing 8.15 custom docs. * Add missing process.Ext.memory_region.malware_signature.secondary fields
elastic · Sep 6, 2024 · 20a13bb · 20a13bb
1 parent 56b0dd4
commit 20a13bb
Show file tree

Hide file tree

Showing 7 changed files with 232 additions and 0 deletions.
diff --git a/custom_documentation/doc/endpoint/alerts/linux/linux_malware_alert.md b/custom_documentation/doc/endpoint/alerts/linux/linux_malware_alert.md
@@ -50,6 +50,10 @@ This alert is generated when a Malware alert occurs.
 | file.Ext.malware_signature.primary.signature.hash.sha256 |
 | file.Ext.malware_signature.primary.signature.id |
 | file.Ext.malware_signature.primary.signature.name |
+| file.Ext.malware_signature.secondary.matches |
+| file.Ext.malware_signature.secondary.signature.hash.sha256 |
+| file.Ext.malware_signature.secondary.signature.id |
+| file.Ext.malware_signature.secondary.signature.name |
 | file.Ext.malware_signature.version |
 | file.Ext.quarantine_message |
 | file.Ext.quarantine_path |

diff --git a/custom_documentation/doc/endpoint/alerts/macos/macos_malware_alert.md b/custom_documentation/doc/endpoint/alerts/macos/macos_malware_alert.md
@@ -50,6 +50,10 @@ This alert is generated when a macOS Malware alert occurs.
 | file.Ext.malware_signature.primary.signature.hash.sha256 |
 | file.Ext.malware_signature.primary.signature.id |
 | file.Ext.malware_signature.primary.signature.name |
+| file.Ext.malware_signature.secondary.matches |
+| file.Ext.malware_signature.secondary.signature.hash.sha256 |
+| file.Ext.malware_signature.secondary.signature.id |
+| file.Ext.malware_signature.secondary.signature.name |
 | file.Ext.malware_signature.version |
 | file.Ext.quarantine_message |
 | file.Ext.quarantine_path |

diff --git a/custom_documentation/src/endpoint/data_stream/alerts/linux/linux_malware_alert.yaml b/custom_documentation/src/endpoint/data_stream/alerts/linux/linux_malware_alert.yaml
@@ -55,6 +55,10 @@ fields:
   - file.Ext.malware_signature.primary.signature.hash.sha256
   - file.Ext.malware_signature.primary.signature.id
   - file.Ext.malware_signature.primary.signature.name
+  - file.Ext.malware_signature.secondary.matches
+  - file.Ext.malware_signature.secondary.signature.hash.sha256
+  - file.Ext.malware_signature.secondary.signature.id
+  - file.Ext.malware_signature.secondary.signature.name
   - file.Ext.malware_signature.version
   - file.Ext.quarantine_message
   - file.Ext.quarantine_path

diff --git a/custom_documentation/src/endpoint/data_stream/alerts/macos/macos_malware_alert.yaml b/custom_documentation/src/endpoint/data_stream/alerts/macos/macos_malware_alert.yaml
@@ -55,6 +55,10 @@ fields:
   - file.Ext.malware_signature.primary.signature.hash.sha256
   - file.Ext.malware_signature.primary.signature.id
   - file.Ext.malware_signature.primary.signature.name
+  - file.Ext.malware_signature.secondary.matches
+  - file.Ext.malware_signature.secondary.signature.hash.sha256
+  - file.Ext.malware_signature.secondary.signature.id
+  - file.Ext.malware_signature.secondary.signature.name
   - file.Ext.malware_signature.version
   - file.Ext.quarantine_message
   - file.Ext.quarantine_path

diff --git a/custom_schemas/custom_malware_signature.yml b/custom_schemas/custom_malware_signature.yml
@@ -65,3 +65,33 @@
       type: nested
       enabled: false
       description: Additional matching details if available.
+
+    - name: secondary.matches
+      level: custom
+      type: keyword
+      enabled: false
+      description: The second matching details.
+
+    - name: secondary.signature.id
+      level: custom
+      type: keyword
+      enabled: false
+      description: The id of the second yara rule matched.
+
+    - name: secondary.signature.name
+      level: custom
+      type: keyword
+      enabled: false
+      description: The name of the second yara rule matched.
+
+    - name: secondary.signature.hash
+      level: custom
+      type: nested
+      enabled: false
+      description: hash of second file matching signature.
+
+    - name: secondary.signature.hash.sha256
+      level: custom
+      type: keyword
+      enabled: false
+      description: sha256 hash of second file matching signature.
diff --git a/package/endpoint/data_stream/api/fields/fields.yml b/package/endpoint/data_stream/api/fields/fields.yml
@@ -154,6 +154,40 @@
       description: Additional matching details if available.
       enabled: false
       default_field: false
+    - name: process.Ext.memory_region.malware_signature.secondary.matches
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The second matching details.
+      enabled: false
+      default_field: false
+    - name: process.Ext.memory_region.malware_signature.secondary.signature.hash
+      level: custom
+      type: nested
+      description: hash of second file matching signature.
+      enabled: false
+      default_field: false
+    - name: process.Ext.memory_region.malware_signature.secondary.signature.hash.sha256
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: sha256 hash of second file matching signature.
+      enabled: false
+      default_field: false
+    - name: process.Ext.memory_region.malware_signature.secondary.signature.id
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The id of the second yara rule matched.
+      enabled: false
+      default_field: false
+    - name: process.Ext.memory_region.malware_signature.secondary.signature.name
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The name of the second yara rule matched.
+      enabled: false
+      default_field: false
     - name: process.Ext.memory_region.malware_signature.version
       level: custom
       type: keyword
@@ -1678,6 +1712,40 @@
       description: Additional matching details if available.
       enabled: false
       default_field: false
+    - name: Ext.memory_region.malware_signature.secondary.matches
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The second matching details.
+      enabled: false
+      default_field: false
+    - name: Ext.memory_region.malware_signature.secondary.signature.hash
+      level: custom
+      type: nested
+      description: hash of second file matching signature.
+      enabled: false
+      default_field: false
+    - name: Ext.memory_region.malware_signature.secondary.signature.hash.sha256
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: sha256 hash of second file matching signature.
+      enabled: false
+      default_field: false
+    - name: Ext.memory_region.malware_signature.secondary.signature.id
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The id of the second yara rule matched.
+      enabled: false
+      default_field: false
+    - name: Ext.memory_region.malware_signature.secondary.signature.name
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: The name of the second yara rule matched.
+      enabled: false
+      default_field: false
     - name: Ext.memory_region.malware_signature.version
       level: custom
       type: keyword

diff --git a/schemas/v1/api/api.yaml b/schemas/v1/api/api.yaml