- Stage: 2 (Candidate)
- Date: 2024-09-11
This RFC proposes adding Apple platform-specific fields to ECS so that security software vendors can map data, particularly macOS Endpoint Security data, more accurately.
The following fields are proposed for addition:
Field | Type | Example | Description |
---|---|---|---|
responsible | keyword | Terminal.app | The responsible process on macOS: in ancestry terms, the process that originally launched or spawned the given process. |
platform_binary | boolean | true | Whether this process executable is a default platform binary shipped with the operating system. |
endpoint_security_client | boolean | true | Whether this process executable is an Endpoint Security client. |
Field | Type | Example | Description |
---|---|---|---|
flags | string | 570522385 | The code signing flags of the process as reported by Endpoint Security (codesigning_flags), stored as the decimal value. |
Field | Type | Example | Description |
---|---|---|---|
cdhash | keyword | 3783b4052fd474dbe30676b45c329e7a6d44acd9 | The Code Directory (CD) hash of the executable, hex encoded. |
Field | Type | Example | Description |
---|---|---|---|
serial_number | keyword | DJGAQS4CW5 | The device's serial number, a unique identifier for each Apple device that supports inventory management and device authentication. |
As the number of Apple endpoints in enterprises grows, having the right fields to map data becomes increasingly valuable. This enables security researchers using Elastic, particularly those focusing on macOS, to query data more effectively by leveraging enriched data sets.
As a developer at Jamf, working on the Elastic integration for Jamf Protect, our goal is to map as many fields as possible, especially as Jamf specializes in Apple platform security. While developing the integration, we've identified some gaps related to mapping events to ECS.
These new fields support several query patterns. For instance, they make it possible to query process executions by platform binaries or by endpoint security clients without listing specific executables or identifiers. The added cdhash field is particularly valuable because it lets the hash of a signed application bundle be tracked alongside the hash of the executable file itself; the remaining fields are self-explanatory.
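The mapping from Endpoint Security process metadata onto the proposed fields, followed by the "without specific identifiers" query described above, as an added example (not code from the RFC, from Jamf Protect or from Elastic). The dotted placement of the fields (`process.platform_binary`, `process.code_signature.flags`, `process.hash.cdhash`, `host.serial_number`), the sample events, and the partial `CS_*` flag table (bit values taken from xnu's cs_blobs.h) are assumptions of the example and are not stated by the RFC:

```python
"""Map Endpoint Security process metadata onto the proposed Apple fields and
run the kind of query the RFC motivates.

Added example, not code from the RFC, Jamf Protect or the Elastic Agent.
Assumed here, not stated in the RFC: the fields sit under `process.*`, the
signing flags under `process.code_signature.flags`, the cdhash under
`process.hash.cdhash`, the serial number under `host.serial_number`.
"""
from __future__ import annotations

import os

# Subset of the code signing flag bits from xnu's cs_blobs.h, used only to
# make the decimal flags value readable in queries (assumption: the RFC
# itself stores the raw decimal value and does not decode it).
CS_FLAGS = {
    0x00000001: "CS_VALID",
    0x00000002: "CS_ADHOC",
    0x00000100: "CS_HARD",
    0x00000200: "CS_KILL",
    0x00000800: "CS_RESTRICT",
    0x00001000: "CS_ENFORCEMENT",
    0x00002000: "CS_REQUIRE_LV",
    0x00010000: "CS_RUNTIME",
    0x00020000: "CS_LINKER_SIGNED",
    0x04000000: "CS_PLATFORM_BINARY",
    0x10000000: "CS_DEBUGGED",
    0x20000000: "CS_SIGNED",
}

# Constructed sample input shaped like the relevant members of es_process_t:
# cdhash is the raw 20-byte Code Directory hash, codesigning_flags the raw
# cs_flags integer, responsible the path of the responsible process.
SAMPLE_EVENTS = [
    {
        "executable": "/bin/ls",
        "responsible": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
        "is_platform_binary": True,
        "is_es_client": False,
        "codesigning_flags": 570522385,  # the RFC's example value
        "cdhash": bytes.fromhex("3783b4052fd474dbe30676b45c329e7a6d44acd9"),
        "serial_number": "DJGAQS4CW5",
    },
    {   # constructed third-party Endpoint Security client
        "executable": "/Applications/ExampleEDR.app/Contents/MacOS/ExampleEDR",
        "responsible": "/sbin/launchd",
        "is_platform_binary": False,
        "is_es_client": True,
        "codesigning_flags": 0x20010001,  # CS_SIGNED | CS_RUNTIME | CS_VALID
        "cdhash": bytes.fromhex("11" * 20),  # constructed placeholder digest
        "serial_number": "DJGAQS4CW5",
    },
    {   # constructed third-party app with the hardened runtime
        "executable": "/Applications/Example.app/Contents/MacOS/Example",
        "responsible": "/Applications/Example.app/Contents/MacOS/Example",
        "is_platform_binary": False,
        "is_es_client": False,
        "codesigning_flags": 0x20010101,  # CS_SIGNED | CS_RUNTIME | CS_HARD | CS_VALID
        "cdhash": bytes.fromhex("22" * 20),  # constructed placeholder digest
        "serial_number": "DJGAQS4CW5",
    },
    {   # constructed ad-hoc signed download launched from Terminal
        "executable": "/Users/alice/Downloads/updater",
        "responsible": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
        "is_platform_binary": False,
        "is_es_client": False,
        "codesigning_flags": 0x00000003,  # CS_ADHOC | CS_VALID, no hardened runtime
        "cdhash": bytes.fromhex("33" * 20),  # constructed placeholder digest
        "serial_number": "DJGAQS4CW5",
    },
]


def responsible_name(path: str) -> str:
    """Name the responsible process the way the RFC's example does
    ("Terminal.app"): the enclosing .app bundle when there is one, otherwise
    the executable's file name."""
    for part in path.split("/"):
        if part.endswith(".app"):
            return part
    return os.path.basename(path)


def to_ecs(event: dict) -> dict:
    """Flatten one event into a dotted-key document using the proposed fields."""
    return {
        "process.executable": event["executable"],
        "process.name": os.path.basename(event["executable"]),
        "process.responsible": responsible_name(event["responsible"]),
        "process.platform_binary": bool(event["is_platform_binary"]),
        "process.endpoint_security_client": bool(event["is_es_client"]),
        # The RFC types flags as a string holding the decimal value.
        "process.code_signature.flags": str(event["codesigning_flags"]),
        "process.hash.cdhash": event["cdhash"].hex(),
        "host.serial_number": event["serial_number"],
    }


def decode_flags(flags: str) -> set[str]:
    """Turn the stored decimal flags string back into named CS_* bits."""
    value = int(flags)
    return {name for bit, name in CS_FLAGS.items() if value & bit}


def non_platform_executions(docs: list[dict]) -> list[str]:
    """Executions that are neither platform binaries nor ES clients: the
    query the RFC describes, needing no list of specific executables."""
    return [d["process.executable"] for d in docs
            if not d["process.platform_binary"]
            and not d["process.endpoint_security_client"]]


def missing_hardened_runtime(docs: list[dict]) -> list[str]:
    """Non-platform processes whose signature lacks CS_RUNTIME."""
    return [d["process.executable"] for d in docs
            if not d["process.platform_binary"]
            and "CS_RUNTIME" not in decode_flags(d["process.code_signature.flags"])]


if __name__ == "__main__":
    docs = [to_ecs(e) for e in SAMPLE_EVENTS]
    print(non_platform_executions(docs))
    print(missing_hardened_runtime(docs))
```

Decoding the decimal flags value is what turns the `flags` field from an opaque number into something a rule can reason about; the RFC's own example value, 570522385, decodes to a signed, hardened-runtime platform-style signature, while the ad-hoc signed download in the sample carries only `CS_ADHOC | CS_VALID`.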
This data originates from Endpoint Security software running on a macOS host and can be shipped in several ways, for example through Elastic Agent using the Jamf Protect integration, which supports ingestion from AWS S3 or over HTTPS.
As this RFC only creates new fields, no breaking changes are expected. Some existing tooling might need updates to take the new fields into account, however.
The following are the people that consulted on the contents of this RFC.
- txhaflaire | author
- mjwolf | reviewer
- trisch-me | reviewer
- jamiehynds | subject matter expert
https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228978-is_es_client
https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228979-is_platform_binary
https://developer.apple.com/documentation/endpointsecurity/es_process_t/3334987-codesigning_flags
https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228976-cdhash