Skip to content

Commit

Permalink
Add 2 fields to code_signature (#1269) (#1272)
Browse files Browse the repository at this point in the history
Co-authored-by: Yamin Tian <56367679+Trinity2019@users.noreply.github.com>
  • Loading branch information
ebeahan and Trinity2019 authored Feb 18, 2021
1 parent 9f97ffb commit 16a60ec
Show file tree
Hide file tree
Showing 21 changed files with 981 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ Thanks, you're awesome :-) -->
* Added additional host fields. #1248
* Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
* Extended `pe` fields added to experimental schema. #1256
* Added `code_signature.team_id`, `code_signature.signing_id`. #1249

#### Improvements

Expand Down
10 changes: 10 additions & 0 deletions code/go/ecs/code_signature.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

36 changes: 36 additions & 0 deletions docs/field-details.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -782,6 +782,24 @@ example: `true`

// ===============================================================

|
[[field-code-signature-signing-id]]
<<field-code-signature-signing-id, code_signature.signing_id>>

| The identifier used to sign the process.

This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.

type: keyword



example: `com.apple.xpc.proxy`

| extended

// ===============================================================

|
[[field-code-signature-status]]
<<field-code-signature-status, code_signature.status>>
Expand Down Expand Up @@ -816,6 +834,24 @@ example: `Microsoft Corporation`

// ===============================================================

|
[[field-code-signature-team-id]]
<<field-code-signature-team-id, code_signature.team_id>>

| The team identifier used to sign the process.

This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.

type: keyword



example: `EQHXZ8M8AV`

| extended

// ===============================================================

|
[[field-code-signature-trusted]]
<<field-code-signature-trusted, code_signature.trusted>>
Expand Down
100 changes: 100 additions & 0 deletions experimental/generated/beats/fields.ecs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -529,6 +529,16 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor.
The field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
default_field: false
- name: status
level: extended
type: keyword
Expand All @@ -547,6 +557,16 @@
description: Subject name of the code signer
example: Microsoft Corporation
default_field: false
- name: team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field
is relevant to Apple *OS only.'
example: EQHXZ8M8AV
default_field: false
- name: trusted
level: extended
type: boolean
Expand Down Expand Up @@ -951,6 +971,16 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor.
The field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
default_field: false
- name: code_signature.status
level: extended
type: keyword
Expand All @@ -969,6 +999,16 @@
description: Subject name of the code signer
example: Microsoft Corporation
default_field: false
- name: code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field
is relevant to Apple *OS only.'
example: EQHXZ8M8AV
default_field: false
- name: code_signature.trusted
level: extended
type: boolean
Expand Down Expand Up @@ -1846,6 +1886,16 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor.
The field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
default_field: false
- name: code_signature.status
level: extended
type: keyword
Expand All @@ -1864,6 +1914,16 @@
description: Subject name of the code signer
example: Microsoft Corporation
default_field: false
- name: code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field
is relevant to Apple *OS only.'
example: EQHXZ8M8AV
default_field: false
- name: code_signature.trusted
level: extended
type: boolean
Expand Down Expand Up @@ -4196,6 +4256,16 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor.
The field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
default_field: false
- name: code_signature.status
level: extended
type: keyword
Expand All @@ -4214,6 +4284,16 @@
description: Subject name of the code signer
example: Microsoft Corporation
default_field: false
- name: code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field
is relevant to Apple *OS only.'
example: EQHXZ8M8AV
default_field: false
- name: code_signature.trusted
level: extended
type: boolean
Expand Down Expand Up @@ -4343,6 +4423,16 @@
description: Boolean to capture if a signature is present.
example: 'true'
default_field: false
- name: parent.code_signature.signing_id
level: extended
type: keyword
ignore_above: 1024
description: 'The identifier used to sign the process.
This is used to identify the application manufactured by a software vendor.
The field is relevant to Apple *OS only.'
example: com.apple.xpc.proxy
default_field: false
- name: parent.code_signature.status
level: extended
type: keyword
Expand All @@ -4361,6 +4451,16 @@
description: Subject name of the code signer
example: Microsoft Corporation
default_field: false
- name: parent.code_signature.team_id
level: extended
type: keyword
ignore_above: 1024
description: 'The team identifier used to sign the process.
This is used to identify the team or vendor of a software product. The field
is relevant to Apple *OS only.'
example: EQHXZ8M8AV
default_field: false
- name: parent.code_signature.trusted
level: extended
type: boolean
Expand Down
8 changes: 8 additions & 0 deletions experimental/generated/csv/fields.csv
Original file line number Diff line number Diff line change
Expand Up @@ -106,8 +106,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
1.9.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
1.9.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
1.9.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
1.9.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
1.9.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
1.9.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
1.9.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
1.9.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
1.9.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
1.9.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
Expand Down Expand Up @@ -208,8 +210,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
1.9.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed.
1.9.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
1.9.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
1.9.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
1.9.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
1.9.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
1.9.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
1.9.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
1.9.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
1.9.0-dev+exp,true,file,file.created,date,extended,,,File creation time.
Expand Down Expand Up @@ -457,8 +461,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
1.9.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
1.9.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
1.9.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
1.9.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
1.9.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
1.9.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
1.9.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
1.9.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
1.9.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
1.9.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
Expand All @@ -477,8 +483,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
1.9.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
1.9.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
1.9.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
1.9.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
1.9.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
1.9.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
1.9.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
1.9.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
1.9.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
1.9.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
Expand Down
Loading

0 comments on commit 16a60ec

Please sign in to comment.