Add 2 fields to code_signature (elastic#1269) (elastic#1272)

Co-authored-by: Yamin Tian <[email protected]>
ebeahan · Feb 18, 2021 · 16a60ec · 16a60ec
1 parent 9f97ffb
commit 16a60ec
Show file tree

Hide file tree

Showing 21 changed files with 981 additions and 0 deletions.
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -23,6 +23,7 @@ Thanks, you're awesome :-) -->
 * Added additional host fields. #1248
 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
 * Extended `pe` fields added to experimental schema. #1256
+* Added `code_signature.team_id`, `code_signature.signing_id`. #1249
 
 #### Improvements
 

diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -782,6 +782,24 @@ example: `true`
 
 // ===============================================================
 
+|
+[[field-code-signature-signing-id]]
+<<field-code-signature-signing-id, code_signature.signing_id>>
+
+| The identifier used to sign the process.
+
+This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+
+
+example: `com.apple.xpc.proxy`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-code-signature-status]]
 <<field-code-signature-status, code_signature.status>>
@@ -816,6 +834,24 @@ example: `Microsoft Corporation`
 
 // ===============================================================
 
+|
+[[field-code-signature-team-id]]
+<<field-code-signature-team-id, code_signature.team_id>>
+
+| The team identifier used to sign the process.
+
+This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+
+
+example: `EQHXZ8M8AV`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-code-signature-trusted]]
 <<field-code-signature-trusted, code_signature.trusted>>

diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
@@ -529,6 +529,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: status
       level: extended
       type: keyword
@@ -547,6 +557,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: trusted
       level: extended
       type: boolean
@@ -951,6 +971,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: code_signature.signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: code_signature.status
       level: extended
       type: keyword
@@ -969,6 +999,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: code_signature.team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: code_signature.trusted
       level: extended
       type: boolean
@@ -1846,6 +1886,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: code_signature.signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: code_signature.status
       level: extended
       type: keyword
@@ -1864,6 +1914,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: code_signature.team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: code_signature.trusted
       level: extended
       type: boolean
@@ -4196,6 +4256,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: code_signature.signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: code_signature.status
       level: extended
       type: keyword
@@ -4214,6 +4284,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: code_signature.team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: code_signature.trusted
       level: extended
       type: boolean
@@ -4343,6 +4423,16 @@
       description: Boolean to capture if a signature is present.
       example: 'true'
       default_field: false
+    - name: parent.code_signature.signing_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The identifier used to sign the process.
+
+        This is used to identify the application manufactured by a software vendor.
+        The field is relevant to Apple *OS only.'
+      example: com.apple.xpc.proxy
+      default_field: false
     - name: parent.code_signature.status
       level: extended
       type: keyword
@@ -4361,6 +4451,16 @@
       description: Subject name of the code signer
       example: Microsoft Corporation
       default_field: false
+    - name: parent.code_signature.team_id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The team identifier used to sign the process.
+
+        This is used to identify the team or vendor of a software product. The field
+        is relevant to Apple *OS only.'
+      example: EQHXZ8M8AV
+      default_field: false
     - name: parent.code_signature.trusted
       level: extended
       type: boolean

diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
@@ -106,8 +106,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user.
 1.9.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.9.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 1.9.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.9.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
 1.9.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
@@ -208,8 +210,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed.
 1.9.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 1.9.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 1.9.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.9.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
 1.9.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev+exp,true,file,file.created,date,extended,,,File creation time.
@@ -457,8 +461,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 1.9.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
 1.9.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 1.9.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.9.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
 1.9.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
@@ -477,8 +483,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.9.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 1.9.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
 1.9.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.9.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 1.9.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 1.9.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.9.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
 1.9.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 1.9.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
 1.9.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.