From 16a60ec7f0eeb1e8fb62687cf5ba3709881fae79 Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Wed, 17 Feb 2021 21:53:59 -0600
Subject: [PATCH] Add 2 fields to code_signature (#1269) (#1272)

Co-authored-by: Yamin Tian <56367679+Trinity2019@users.noreply.github.com>
---
 CHANGELOG.next.md | 1 +
 code/go/ecs/code_signature.go | 10 ++
 docs/field-details.asciidoc | 36 +++++
 experimental/generated/beats/fields.ecs.yml | 100 ++++++++++++
 experimental/generated/csv/fields.csv | 8 +
 experimental/generated/ecs/ecs_flat.yml | 120 ++++++++++++++
 experimental/generated/ecs/ecs_nested.yml | 148 ++++++++++++++++++
 .../generated/elasticsearch/7/template.json | 32 ++++
 .../elasticsearch/component/dll.json | 8 +
 .../elasticsearch/component/file.json | 8 +
 .../elasticsearch/component/process.json | 16 ++
 generated/beats/fields.ecs.yml | 100 ++++++++++++
 generated/csv/fields.csv | 8 +
 generated/ecs/ecs_flat.yml | 120 ++++++++++++++
 generated/ecs/ecs_nested.yml | 148 ++++++++++++++++++
 generated/elasticsearch/6/template.json | 32 ++++
 generated/elasticsearch/7/template.json | 32 ++++
 generated/elasticsearch/component/dll.json | 8 +
 generated/elasticsearch/component/file.json | 8 +
 .../elasticsearch/component/process.json | 16 ++
 21 files changed, 981 insertions(+)

diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 8fe7df718f..bb9e931c49 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -23,6 +23,7 @@ Thanks, you're awesome :-) -->
 * Added additional host fields. #1248
 * Added `geo.timezone`, `geo.postal_code`, and `geo.continent_code`. #1229
 * Extended `pe` fields added to experimental schema. #1256
+* Added `code_signature.team_id`, `code_signature.signing_id`. #1249
 #### Improvements
diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go
index df61c3b935..c13152941d 100644
--- a/code/go/ecs/code_signature.go
+++ b/code/go/ecs/code_signature.go
@@ -43,4 +43,14 @@ type CodeSignature struct {
 // validity or trust status. Leave unpopulated if the validity or trust of
 // the certificate was unchecked.
 Status string `ecs:"status"`
+
+ // The team identifier used to sign the process.
+ // This is used to identify the team or vendor of a software product. The
+ // field is relevant to Apple *OS only.
+ TeamID string `ecs:"team_id"`
+
+ // The identifier used to sign the process.
+ // This is used to identify the application manufactured by a software
+ // vendor. The field is relevant to Apple *OS only.
+ SigningID string `ecs:"signing_id"`
 }
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 56ec0e8bbe..18fd6dd687 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -782,6 +782,24 @@ example: `true`
 // ===============================================================
+|
+[[field-code-signature-signing-id]]
+<>
+
+| The identifier used to sign the process.
+
+This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
+
+type: keyword
+
+
+
+example: `com.apple.xpc.proxy`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-code-signature-status]]
 <>
@@ -816,6 +834,24 @@ example: `Microsoft Corporation`
 // ===============================================================
+|
+[[field-code-signature-team-id]]
+<>
+
+| The team identifier used to sign the process.
+
+This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
+
+type: keyword
+
+
+
+example: `EQHXZ8M8AV`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-code-signature-trusted]]
 <>
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index bad2a56e1b..1608380522 100644
--- a/experimental/generated/beats/fields.ecs.yml
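Review bot: The doc comments on the added `TeamID` and `SigningID` fields say the identifier was "used to sign the process", but `CodeSignature` is the shared fieldset that this same commit also places under `dll` and `file` (the generated csv in this patch carries the identical text for `dll.code_signature.signing_id` and `file.code_signature.signing_id`), so the wording is wrong for two of the three placements; `// The identifier used to sign the binary.` and `// The team identifier used to sign the binary.` would fit all of them. Each comment would also benefit from one sentence noting that the value is asserted by the signer and only identifies the vendor when the fieldset's `trusted`/`valid` fields are also true, since an unverified signature can carry any identifier, which matters to anyone keying detections on these two fields. If this file is generated from schemas/code_signature.yml, which the diffstat also lists, both wording changes belong in that schema's descriptions rather than here. The enclosing `CodeSignature` struct starts before this hunk.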
+++ b/experimental/generated/beats/fields.ecs.yml @@ -529,6 +529,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: status level: extended type: keyword @@ -547,6 +557,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: trusted level: extended type: boolean @@ -951,6 +971,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -969,6 +999,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean 
@@ -1846,6 +1886,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -1864,6 +1914,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean @@ -4196,6 +4256,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -4214,6 +4284,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean 
@@ -4343,6 +4423,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: parent.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: parent.code_signature.status level: extended type: keyword @@ -4361,6 +4451,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: parent.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: parent.code_signature.trusted level: extended type: boolean diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 0bde23311a..e21b1815e0 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -106,8 +106,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. 1.9.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.9.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 
@@ -208,8 +210,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. 1.9.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 1.9.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev+exp,true,file,file.created,date,extended,,,File creation time. 
@@ -457,8 +461,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 1.9.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. 1.9.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
@@ -477,8 +483,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 1.9.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 1.9.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index ee97af19e6..a166c0bc37 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -1255,6 +1255,21 @@ dll.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +dll.code_signature.signing_id: + dashed_name: dll-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: dll.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword dll.code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -1283,6 +1298,21 @@ dll.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +dll.code_signature.team_id: + dashed_name: dll-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: dll.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword dll.code_signature.trusted: dashed_name: dll-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -2954,6 +2984,21 @@ file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +file.code_signature.signing_id: + dashed_name: file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword file.code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -2982,6 +3027,21 @@ file.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +file.code_signature.team_id: + dashed_name: file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword file.code_signature.trusted: dashed_name: file-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -5977,6 +6037,21 @@ process.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.code_signature.signing_id: + dashed_name: process-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. @@ -6005,6 +6080,21 @@ process.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +process.code_signature.team_id: + dashed_name: process-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.code_signature.trusted: dashed_name: process-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -6213,6 +6303,21 @@ process.parent.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.parent.code_signature.status: dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. @@ -6241,6 +6346,21 @@ process.parent.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 4ce5d1a3ea..5c39e8b51f 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -880,6 +880,20 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.signing_id: + dashed_name: code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + short: The identifier used to sign the process. + type: keyword code_signature.status: dashed_name: code-signature-status description: 'Additional information about the certificate status. @@ -906,6 +920,20 @@ code_signature: normalize: [] short: Subject name of the code signer type: keyword + code_signature.team_id: + dashed_name: code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + short: The team identifier used to sign the process. + type: keyword code_signature.trusted: dashed_name: code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -1601,6 +1629,21 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.signing_id: + dashed_name: dll-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: dll.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword dll.code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -1629,6 +1672,21 @@ dll: original_fieldset: code_signature short: Subject name of the code signer type: keyword + dll.code_signature.team_id: + dashed_name: dll-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: dll.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword dll.code_signature.trusted: dashed_name: dll-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -3403,6 +3461,21 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.signing_id: + dashed_name: file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword file.code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -3431,6 +3504,21 @@ file: original_fieldset: code_signature short: Subject name of the code signer type: keyword + file.code_signature.team_id: + dashed_name: file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword file.code_signature.trusted: dashed_name: file-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -7462,6 +7550,21 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.signing_id: + dashed_name: process-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. @@ -7490,6 +7593,21 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword + process.code_signature.team_id: + dashed_name: process-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.code_signature.trusted: dashed_name: process-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -7698,6 +7816,21 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.parent.code_signature.status: dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. @@ -7726,6 +7859,21 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword + process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index ae2eb9f34b..0d50f26547 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json 
@@ -514,6 +514,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -522,6 +526,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -955,6 +963,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -963,6 +975,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -2113,6 +2129,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -2121,6 +2141,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -2201,6 +2225,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -2209,6 +2237,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json index 5e7702fb92..73857865a8 100644 --- a/experimental/generated/elasticsearch/component/dll.json +++ b/experimental/generated/elasticsearch/component/dll.json @@ -13,6 +13,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -21,6 +25,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, 
diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json index 5a5d4de0df..10df6dba11 100644 --- a/experimental/generated/elasticsearch/component/file.json +++ b/experimental/generated/elasticsearch/component/file.json @@ -20,6 +20,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -28,6 +32,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json index c5747746c8..6433bd60cf 100644 --- a/experimental/generated/elasticsearch/component/process.json +++ b/experimental/generated/elasticsearch/component/process.json @@ -20,6 +20,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -28,6 +32,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -108,6 +116,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -116,6 +128,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 4e6459e331..4c51a421e6 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -538,6 +538,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: status level: extended type: keyword @@ -556,6 +566,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: trusted level: extended type: boolean @@ -915,6 +935,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -933,6 +963,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean 
@@ -1606,6 +1646,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -1624,6 +1674,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean @@ -3562,6 +3622,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: code_signature.status level: extended type: keyword @@ -3580,6 +3650,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: code_signature.trusted level: extended type: boolean 
@@ -3712,6 +3792,16 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: parent.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false - name: parent.code_signature.status level: extended type: keyword @@ -3730,6 +3820,16 @@ description: Subject name of the code signer example: Microsoft Corporation default_field: false + - name: parent.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false - name: parent.code_signature.trusted level: extended type: boolean diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 8048de1277..ad9d04f737 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -103,8 +103,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. 1.9.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.9.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 
@@ -174,8 +176,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. 1.9.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 1.9.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev,true,file,file.created,date,extended,,,File creation time. 
@@ -392,8 +396,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 1.9.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. 1.9.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
@@ -412,8 +418,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.9.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 1.9.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 1.9.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 1.9.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 1.9.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 1.9.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 1.9.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 1.9.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 9057ad0999..d1b62aa903 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -1224,6 +1224,21 @@ dll.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +dll.code_signature.signing_id: + dashed_name: dll-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: dll.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword dll.code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -1252,6 +1267,21 @@ dll.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +dll.code_signature.team_id: + dashed_name: dll-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: dll.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword dll.code_signature.trusted: dashed_name: dll-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -2559,6 +2589,21 @@ file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +file.code_signature.signing_id: + dashed_name: file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword file.code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -2587,6 +2632,21 @@ file.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +file.code_signature.team_id: + dashed_name: file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword file.code_signature.trusted: dashed_name: file-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -5233,6 +5293,21 @@ process.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.code_signature.signing_id: + dashed_name: process-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. @@ -5261,6 +5336,21 @@ process.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +process.code_signature.team_id: + dashed_name: process-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.code_signature.trusted: dashed_name: process-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -5472,6 +5562,21 @@ process.parent.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.parent.code_signature.status: dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. @@ -5500,6 +5605,21 @@ process.parent.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword +process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 482bcf618a..24ddb6be63 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -889,6 +889,20 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.signing_id: + dashed_name: code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + short: The identifier used to sign the process. + type: keyword code_signature.status: dashed_name: code-signature-status description: 'Additional information about the certificate status. @@ -915,6 +929,20 @@ code_signature: normalize: [] short: Subject name of the code signer type: keyword + code_signature.team_id: + dashed_name: code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + short: The team identifier used to sign the process. + type: keyword code_signature.trusted: dashed_name: code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -1548,6 +1576,21 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.signing_id: + dashed_name: dll-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: dll.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword dll.code_signature.status: dashed_name: dll-code-signature-status description: 'Additional information about the certificate status. @@ -1576,6 +1619,21 @@ dll: original_fieldset: code_signature short: Subject name of the code signer type: keyword + dll.code_signature.team_id: + dashed_name: dll-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: dll.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword dll.code_signature.trusted: dashed_name: dll-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -2985,6 +3043,21 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.signing_id: + dashed_name: file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword file.code_signature.status: dashed_name: file-code-signature-status description: 'Additional information about the certificate status. @@ -3013,6 +3086,21 @@ file: original_fieldset: code_signature short: Subject name of the code signer type: keyword + file.code_signature.team_id: + dashed_name: file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword file.code_signature.trusted: dashed_name: file-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -6357,6 +6445,21 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.signing_id: + dashed_name: process-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.code_signature.status: dashed_name: process-code-signature-status description: 'Additional information about the certificate status. @@ -6385,6 +6488,21 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword + process.code_signature.team_id: + dashed_name: process-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.code_signature.trusted: dashed_name: process-code-signature-trusted description: 'Stores the trust status of the certificate chain. 
@@ -6596,6 +6714,21 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.signing_id: + dashed_name: process-parent-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: process.parent.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword process.parent.code_signature.status: dashed_name: process-parent-code-signature-status description: 'Additional information about the certificate status. @@ -6624,6 +6757,21 @@ process: original_fieldset: code_signature short: Subject name of the code signer type: keyword + process.parent.code_signature.team_id: + dashed_name: process-parent-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: process.parent.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword process.parent.code_signature.trusted: dashed_name: process-parent-code-signature-trusted description: 'Stores the trust status of the certificate chain. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index b126de6d78..02dc242340 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -517,6 +517,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -525,6 +529,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -829,6 +837,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -837,6 +849,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1873,6 +1889,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1881,6 +1901,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1964,6 +1988,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1972,6 +2000,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index f70782f320..43a7d275c6 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -516,6 +516,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -524,6 +528,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, 
@@ -828,6 +836,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -836,6 +848,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1872,6 +1888,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1880,6 +1900,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1963,6 +1987,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1971,6 +1999,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json index 00e5bc3428..29a41ba873 100644 --- a/generated/elasticsearch/component/dll.json +++ b/generated/elasticsearch/component/dll.json @@ -13,6 +13,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -21,6 +25,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json index ddabf1bb60..fa355f9f35 100644 --- a/generated/elasticsearch/component/file.json +++ b/generated/elasticsearch/component/file.json @@ -20,6 +20,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" 
@@ -28,6 +32,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json index 4983b405b0..42f1df4ba3 100644 --- a/generated/elasticsearch/component/process.json +++ b/generated/elasticsearch/component/process.json @@ -20,6 +20,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -28,6 +32,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -111,6 +119,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -119,6 +131,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index 1b22434eb1..e86cf88827 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml 
@@ -57,3 +57,25 @@ This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. example: ERROR_UNTRUSTED_ROOT + + - name: team_id + level: extended + type: keyword + short: The team identifier used to sign the process. + description: > + The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. + The field is relevant to Apple *OS only. + example: EQHXZ8M8AV + + - name: signing_id + level: extended + type: keyword + short: The identifier used to sign the process. + description: > + The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only. + example: com.apple.xpc.proxy
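Review bot: The `short` and `description` text for both new fields says "used to sign the process", but `code_signature` is reused under `file`, `dll` and `process.parent` as well — the generated CSV hunks in this same commit carry the identical wording on `dll.code_signature.signing_id` and `file.code_signature.signing_id`, where "process" is wrong. Using a neutral noun avoids regenerating the docs later: `short: The team identifier used to sign the binary.` and `short: The identifier used to sign the binary.`, with the first description sentence adjusted the same way. It would also help consumers if each description carried one sentence tying the value to the verification fields already in this field set, e.g. `This value is read from the signature and should only be relied on when code_signature.valid and code_signature.trusted confirm the signature was verified.`, since an identifier copied from an unverified or invalid signature is an unchecked claim rather than evidence of origin. The hunk covers the full addition; the rest of `schemas/code_signature.yml` is outside it.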