diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index e1c2fe03cb..2dcd2edb7a 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -22,6 +22,7 @@ Thanks, you're awesome :-) --> * Add architecture and imphash for PE field set. (#763) * Added `agent.build.*` for extended agent version information. (#764) +* Added `x509.*` field set. (#762) * Added more account and project cloud metadata. (#816) #### Improvements diff --git a/code/go/ecs/x509.go b/code/go/ecs/x509.go new file mode 100644 index 0000000000..5aba49e350 --- /dev/null +++ b/code/go/ecs/x509.go 
@@ -0,0 +1,114 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+import (
+ "time"
+)
+
+// This implements the common core fields for x509 certificates. This
+// information is likely logged with TLS sessions, digital signatures found in
+// executable binaries, S/MIME information in email bodies, or analysis of
+// files on disk. When only a single certificate is logged in an event, it
+// should be nested under `file`. When hashes of the DER-encoded certificate
+// are available, the `hash` data set should be populated as well (e.g.
+// `file.hash.sha256`). For events that contain certificate information for
+// both sides of the connection, the x509 object could be nested under the
+// respective side of the connection information (e.g. `tls.server.x509`).
+type X509 struct {
+ // Version of x509 format.
+ VersionNumber string `ecs:"version_number"`
+
+ // Unique serial number issued by the certificate authority. For
+ // consistency, if this value is alphanumeric, it should be formatted
+ // without colons and uppercase characters.
+ SerialNumber string `ecs:"serial_number"`
+
+ // Distinguished name (DN) of issuing certificate authority.
+ IssuerDistinguishedName string `ecs:"issuer.distinguished_name"`
+
+ // List of common name (CN) of issuing certificate authority.
+ IssuerCommonName string `ecs:"issuer.common_name"`
+
+ // List of organizational units (OU) of issuing certificate authority.
+ IssuerOrganizationalUnit string `ecs:"issuer.organizational_unit"`
+
+ // List of organizations (O) of issuing certificate authority.
+ IssuerOrganization string `ecs:"issuer.organization"`
+
+ // List of locality names (L)
+ IssuerLocality string `ecs:"issuer.locality"`
+
+ // List of state or province names (ST, S, or P)
+ IssuerStateOrProvince string `ecs:"issuer.state_or_province"`
+
+ // List of country (C) codes
+ IssuerCountry string `ecs:"issuer.country"`
+
+ // Identifier for certificate signature algorithm. Recommend using names
+ // found in Go Lang Crypto library (See
+ // https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+ SignatureAlgorithm string `ecs:"signature_algorithm"`
+
+ // Time at which the certificate is first considered valid.
+ NotBefore time.Time `ecs:"not_before"`
+
+ // Time at which the certificate is no longer considered valid.
+ NotAfter time.Time `ecs:"not_after"`
+
+ // Distinguished name (DN) of the certificate subject entity.
+ SubjectDistinguishedName string `ecs:"subject.distinguished_name"`
+
+ // List of common names (CN) of subject.
+ SubjectCommonName string `ecs:"subject.common_name"`
+
+ // List of organizational units (OU) of subject.
+ SubjectOrganizationalUnit string `ecs:"subject.organizational_unit"`
+
+ // List of organizations (O) of subject.
+ SubjectOrganization string `ecs:"subject.organization"`
+
+ // List of locality names (L)
+ SubjectLocality string `ecs:"subject.locality"`
+
+ // List of state or province names (ST, S, or P)
+ SubjectStateOrProvince string `ecs:"subject.state_or_province"`
+
+ // List of country (C) code
+ SubjectCountry string `ecs:"subject.country"`
+
+ // Algorithm used to generate the public key.
+ PublicKeyAlgorithm string `ecs:"public_key_algorithm"`
+
+ // The size of the public key space in bits.
+ PublicKeySize int64 `ecs:"public_key_size"`
+
+ // Exponent used to derive the public key. This is algorithm specific.
+ PublicKeyExponent int64 `ecs:"public_key_exponent"`
+
+ // The curve used by the elliptic curve public key algorithm. This is
+ // algorithm specific.
+ PublicKeyCurve string `ecs:"public_key_curve"`
+
+ // List of subject alternative names (SAN). Name types vary by certificate
+ // authority and certificate type but commonly contain IP addresses, DNS
+ // names (and wildcards), and email addresses.
+ AlternativeNames string `ecs:"alternative_names"`
+}
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 55e317b5cb..a1850d65f8 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -2285,6 +2285,12 @@ example: `1001` // =============================================================== +| <> +| This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + +// =============================================================== + + |===== [[ecs-geo]]
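Review bot: The fields whose comments say "List of ..." (`IssuerCommonName`, `SubjectCommonName`, `AlternativeNames` and the other issuer/subject name fields) are typed `string`, so a certificate carrying several SANs or OUs cannot be represented without dropping values, and SAN matching is exactly what name validation and detection rules key on. Since this file is generated by scripts/gocodegen.go, the fix belongs in the schema/generator (emit `[]string` for fields flagged as arrays) rather than in this hunk. The `SerialNumber` comment "formatted without colons and uppercase characters" can be read as "no uppercase", while the documented example `55FBB9C7DEBF09809D12CCAA` is uppercase hex; rewording it to `// without colons and in uppercase hexadecimal` makes producers normalise consistently, and it is worth adding that a serial is unique only per issuer, so correlation should pair it with the issuer DN. `VersionNumber` is documented only as "Version of x509 format."; X.509 encodes the version zero-based (v3 is the integer 2), so the comment should say which form is expected, e.g. `// Version of x509 format as a number, e.g. "3" for v3 (not the zero-based DER integer).`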
@@ -6139,6 +6145,35 @@ example: `tls` // =============================================================== +|===== + +==== Field Reuse + + + + +[[ecs-tls-nestings]] +===== Field sets that can be nested under TLS + +[options="header"] +|===== +| Nested fields | Description + +// =============================================================== + + +| <> +| This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + +// =============================================================== + + +| <> +| This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + +// =============================================================== + + |===== [[ecs-tracing]] 
@@ -6898,3 +6933,378 @@ example: `Critical` // =============================================================== |=====
+
+[[ecs-x509]]
+=== x509 Certificate Fields
+
+This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`).
+
+==== x509 Certificate Field Details
+
+[options="header"]
+|=====
+| Field | Description | Level
+
+// ===============================================================
+
+| x509.alternative_names
+| List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `*.elastic.co`
+
+| extended
+
+// ===============================================================
+
+| x509.issuer.common_name
+| List of common name (CN) of issuing certificate authority.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `DigiCert SHA2 High Assurance Server CA`
+
+| extended
+
+// ===============================================================
+
+| x509.issuer.country
+| List of country (C) codes
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `US`
+
+| extended
+
+// ===============================================================
+
+| x509.issuer.distinguished_name
+| Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+
+
+example: `C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA`
+
+| extended
+
+// ===============================================================
+
+| x509.issuer.locality
+| List of locality names (L)
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `Mountain View`
+
+| extended
+
+// ===============================================================
+
+| x509.issuer.organization
+| List of organizations (O) of issuing certificate authority.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `DigiCert Inc`
+
+| extended
+
+// ===============================================================
+
+| x509.issuer.organizational_unit
+| List of organizational units (OU) of issuing certificate authority.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `www.digicert.com`
+
+| extended
+
+// ===============================================================
+
+| x509.issuer.state_or_province
+| List of state or province names (ST, S, or P)
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `California`
+
+| extended
+
+// ===============================================================
+
+| x509.not_after
+| Time at which the certificate is no longer considered valid.
+
+type: date
+
+
+
+example: `2020-07-16 03:15:39+00:00`
+
+| extended
+
+// ===============================================================
+
+| x509.not_before
+| Time at which the certificate is first considered valid.
+
+type: date
+
+
+
+example: `2019-08-16 01:40:25+00:00`
+
+| extended
+
+// ===============================================================
+
+| x509.public_key_algorithm
+| Algorithm used to generate the public key.
+
+type: keyword
+
+
+
+example: `RSA`
+
+| extended
+
+// ===============================================================
+
+| x509.public_key_curve
+| The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+
+
+example: `nistp521`
+
+| extended
+
+// ===============================================================
+
+| x509.public_key_exponent
+| Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+
+
+example: `65537`
+
+| extended
+
+// ===============================================================
+
+| x509.public_key_size
+| The size of the public key space in bits.
+
+type: long
+
+
+
+example: `2048`
+
+| extended
+
+// ===============================================================
+
+| x509.serial_number
+| Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+
+type: keyword
+
+
+
+example: `55FBB9C7DEBF09809D12CCAA`
+
+| extended
+
+// ===============================================================
+
+| x509.signature_algorithm
+| Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+
+type: keyword
+
+
+
+example: `SHA256-RSA`
+
+| extended
+
+// ===============================================================
+
+| x509.subject.common_name
+| List of common names (CN) of subject.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `r2.shared.global.fastly.net`
+
+| extended
+
+// ===============================================================
+
+| x509.subject.country
+| List of country (C) code
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `US`
+
+| extended
+
+// ===============================================================
+
+| x509.subject.distinguished_name
+| Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+
+
+example: `C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net`
+
+| extended
+
+// ===============================================================
+
+| x509.subject.locality
+| List of locality names (L)
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `San Francisco`
+
+| extended
+
+// ===============================================================
+
+| x509.subject.organization
+| List of organizations (O) of subject.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `Fastly, Inc.`
+
+| extended
+
+// ===============================================================
+
+| x509.subject.organizational_unit
+| List of organizational units (OU) of subject.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+
+
+| extended
+
+// ===============================================================
+
+| x509.subject.state_or_province
+| List of state or province names (ST, S, or P)
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `California`
+
+| extended
+
+// ===============================================================
+
+| x509.version_number
+| Version of x509 format.
+
+type: keyword
+
+
+
+example: `3`
+
+| extended
+
+// ===============================================================
+
+|=====
+
+==== Field Reuse
+
+The `x509` fields are expected to be nested at: `file.x509`, `tls.client.x509`, `tls.server.x509`.
+
+Note also that the `x509` fields are not expected to be used directly at the top level.
+
+
+
diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
index 3121c4dcd8..ead1723d98 100644
--- a/docs/fields.asciidoc
+++ b/docs/fields.asciidoc
@@ -102,6 +102,8 @@ all fields are defined. | <> | Fields to describe the vulnerability relevant to an event. +| <> | This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + |===== include::field-details.asciidoc[]
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 4ffd41b041..b3ee222607 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -1711,6 +1711,176 @@ ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' + - name: x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + default_field: false + - name: x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + default_field: false + - name: x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: DigiCert Inc + default_field: false + - name: x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.digicert.com + default_field: false + - name: x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + default_field: false + - name: x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. 
Recommend using + names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + example: SHA256-RSA + default_field: false + - name: x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: r2.shared.global.fastly.net + default_field: false + - name: x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + default_field: false + - name: x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Fastly, Inc. + default_field: false + - name: x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false - name: geo title: Geo group: 2 
@@ -4399,6 +4569,176 @@ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - '...' default_field: false + - name: client.x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: client.x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + default_field: false + - name: client.x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: client.x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + default_field: false + - name: client.x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: client.x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: DigiCert Inc + default_field: false + - name: client.x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.digicert.com + default_field: false + - name: client.x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: client.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: client.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: client.x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: client.x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: client.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + default_field: false + - name: client.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: client.x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: client.x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. 
Recommend using + names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + example: SHA256-RSA + default_field: false + - name: client.x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: r2.shared.global.fastly.net + default_field: false + - name: client.x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: client.x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + default_field: false + - name: client.x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: client.x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Fastly, Inc. + default_field: false + - name: client.x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: client.x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: client.x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false - name: curve level: extended type: keyword 
@@ -4511,6 +4851,176 @@ description: Subject of the x.509 certificate presented by the server. example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com default_field: false + - name: server.x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: server.x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + default_field: false + - name: server.x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: server.x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + default_field: false + - name: server.x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: server.x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: DigiCert Inc + default_field: false + - name: server.x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.digicert.com + default_field: false + - name: server.x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: server.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: server.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: server.x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: server.x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: server.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + default_field: false + - name: server.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: server.x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: server.x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. 
Recommend using + names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + example: SHA256-RSA + default_field: false + - name: server.x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: r2.shared.global.fastly.net + default_field: false + - name: server.x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: server.x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + default_field: false + - name: server.x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: server.x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Fastly, Inc. + default_field: false + - name: server.x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: server.x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: server.x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false - name: version level: extended type: keyword 
@@ -5002,3 +5512,187 @@ prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) example: Critical default_field: false + - name: x509 + title: x509 Certificate + group: 2 + description: This implements the common core fields for x509 certificates. This + information is likely logged with TLS sessions, digital signatures found in + executable binaries, S/MIME information in email bodies, or analysis of files + on disk. When only a single certificate is logged in an event, it should be + nested under `file`. When hashes of the DER-encoded certificate are available, + the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For + events that contain certificate information for both sides of the connection, + the x509 object could be nested under the respective side of the connection + information (e.g. `tls.server.x509`). + type: group + fields: + - name: alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + default_field: false + - name: issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + default_field: false + - name: issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: DigiCert Inc + default_field: false + - name: issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + default_field: false + - name: issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. 
+ example: 65537 + default_field: false + - name: public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. Recommend using + names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + example: SHA256-RSA + default_field: false + - name: subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: r2.shared.global.fastly.net + default_field: false + - name: subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + default_field: false + - name: subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Fastly, Inc. 
+ default_field: false + - name: subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index a11895d15a..2b3d67c9ee 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
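Review bot: The `not_before`/`not_after` examples (`2019-08-16 01:40:25+00:00`, `2020-07-16 03:15:39+00:00`) use a space separator and a numeric offset, which differs from the existing `tls.server.not_after` example `2021-01-01T00:00:00.000Z` visible in the fields.csv hunk below and, as far as I can tell, is not accepted by the default Elasticsearch `date` format. Since the example is what implementers copy into documents, `2020-07-16T03:15:39.000Z` would be the safer form. The `serial_number` description `formatted without colons and uppercase characters` reads as excluding uppercase, which the example `55FBB9C7DEBF09809D12CCAA` contradicts; `formatted as uppercase hexadecimal without colons` states the intended normalization, and a single agreed form matters because serial numbers are what analysts use to match the same certificate across sources. The same examples and wording recur in the file, tls.client and tls.server copies in the fields.csv and ecs_flat.yml hunks below, and this file looks like generated output, so the correction belongs in the schema source these files are generated from.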
@@ -197,6 +197,30 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.6.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. 1.6.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." 1.6.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.6.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,"List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses." +1.6.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,DigiCert SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.6.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.6.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.6.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.6.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,DigiCert Inc,List of organizations (O) of issuing certificate authority. +1.6.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.digicert.com,List of organizational units (OU) of issuing certificate authority. +1.6.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.6.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. 
+1.6.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.6.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.6.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.6.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.6.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.6.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,"Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters." +1.6.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +1.6.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,r2.shared.global.fastly.net,List of common names (CN) of subject. +1.6.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.6.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net",Distinguished name (DN) of the certificate subject entity. +1.6.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.6.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Fastly, Inc.",List of organizations (O) of subject. 
+1.6.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.6.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.6.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. 1.6.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. 1.6.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 1.6.0-dev,true,group,group.name,keyword,extended,,,Name of the group. 
@@ -513,6 +537,30 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.6.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,"Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`." 1.6.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=mydomain, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. 1.6.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...']",Array of ciphers offered by the client during the client hello. +1.6.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,"List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses." +1.6.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,DigiCert SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.6.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.6.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.6.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.6.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,DigiCert Inc,List of organizations (O) of issuing certificate authority. 
+1.6.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.digicert.com,List of organizational units (OU) of issuing certificate authority. +1.6.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.6.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.6.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.6.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.6.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.6.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.6.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.6.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,"Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters." +1.6.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +1.6.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,r2.shared.global.fastly.net,List of common names (CN) of subject. 
+1.6.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.6.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net",Distinguished name (DN) of the certificate subject entity. +1.6.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.6.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Fastly, Inc.",List of organizations (O) of subject. +1.6.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.6.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.6.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. 1.6.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." 1.6.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. 1.6.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,"String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case." 
@@ -527,6 +575,30 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.6.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. 1.6.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. 1.6.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com",Subject of the x.509 certificate presented by the server. +1.6.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,"List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses." +1.6.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,DigiCert SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.6.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.6.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.6.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.6.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,DigiCert Inc,List of organizations (O) of issuing certificate authority. +1.6.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.digicert.com,List of organizational units (OU) of issuing certificate authority. 
+1.6.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.6.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.6.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.6.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.6.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.6.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.6.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.6.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,"Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters." +1.6.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +1.6.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,r2.shared.global.fastly.net,List of common names (CN) of subject. +1.6.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.6.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net",Distinguished name (DN) of the certificate subject entity. 
+1.6.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.6.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Fastly, Inc.",List of organizations (O) of subject. +1.6.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.6.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.6.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. 1.6.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. 1.6.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. 1.6.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index b93b473845..3543bf1465 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -2835,6 +2835,319 @@ file.uid: normalize: [] short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword +file.x509.alternative_names: + dashed_name: file-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: file.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate authority + and certificate type but commonly contain IP addresses, DNS names (and wildcards), + and email addresses. + short_description: List of subject alternative names (SAN) + type: keyword +file.x509.issuer.common_name: + dashed_name: file-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + flat_name: file.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword +file.x509.issuer.country: + dashed_name: file-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: file.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword +file.x509.issuer.distinguished_name: + dashed_name: file-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + flat_name: file.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword +file.x509.issuer.locality: + dashed_name: file-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: file.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +file.x509.issuer.organization: + dashed_name: file-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: DigiCert Inc + flat_name: file.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword +file.x509.issuer.organizational_unit: + dashed_name: file-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + flat_name: file.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword +file.x509.issuer.state_or_province: + dashed_name: file-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: file.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +file.x509.not_after: + dashed_name: file-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: file.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +file.x509.not_before: + dashed_name: file-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: file.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +file.x509.public_key_algorithm: + dashed_name: file-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: file.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword +file.x509.public_key_curve: + dashed_name: file-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: file.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. 
+ type: keyword +file.x509.public_key_exponent: + dashed_name: file-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: file.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +file.x509.public_key_size: + dashed_name: file-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: file.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +file.x509.serial_number: + dashed_name: file-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: file.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + short_description: Unique serial number issued by the certificate authority. + type: keyword +file.x509.signature_algorithm: + dashed_name: file-x509-signature-algorithm + description: Identifier for certificate signature algorithm. Recommend using names + found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + example: SHA256-RSA + flat_name: file.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. 
Recommend using names found + in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + type: keyword +file.x509.subject.common_name: + dashed_name: file-x509-subject-common-name + description: List of common names (CN) of subject. + example: r2.shared.global.fastly.net + flat_name: file.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword +file.x509.subject.country: + dashed_name: file-x509-subject-country + description: List of country (C) code + example: US + flat_name: file.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword +file.x509.subject.distinguished_name: + dashed_name: file-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: file.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword +file.x509.subject.locality: + dashed_name: file-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: file.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +file.x509.subject.organization: + dashed_name: file-x509-subject-organization + description: List of organizations (O) of subject. + example: Fastly, Inc. 
+ flat_name: file.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword +file.x509.subject.organizational_unit: + dashed_name: file-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: file.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +file.x509.subject.state_or_province: + dashed_name: file-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: file.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +file.x509.version_number: + dashed_name: file-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: file.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. + type: keyword group.domain: dashed_name: group-domain description: 'Name of the directory the group is a member of. 
@@ -6644,6 +6957,319 @@ tls.client.supported_ciphers: - array short: Array of ciphers offered by the client during the client hello. type: keyword +tls.client.x509.alternative_names: + dashed_name: tls-client-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: tls.client.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate authority + and certificate type but commonly contain IP addresses, DNS names (and wildcards), + and email addresses. + short_description: List of subject alternative names (SAN) + type: keyword +tls.client.x509.issuer.common_name: + dashed_name: tls-client-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + flat_name: tls.client.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword +tls.client.x509.issuer.country: + dashed_name: tls-client-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: tls.client.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword +tls.client.x509.issuer.distinguished_name: + dashed_name: tls-client-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + flat_name: tls.client.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword +tls.client.x509.issuer.locality: + dashed_name: tls-client-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: tls.client.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +tls.client.x509.issuer.organization: + dashed_name: tls-client-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: DigiCert Inc + flat_name: tls.client.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword +tls.client.x509.issuer.organizational_unit: + dashed_name: tls-client-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + flat_name: tls.client.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword +tls.client.x509.issuer.state_or_province: + dashed_name: tls-client-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.client.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +tls.client.x509.not_after: + dashed_name: tls-client-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: tls.client.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +tls.client.x509.not_before: + dashed_name: tls-client-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: tls.client.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +tls.client.x509.public_key_algorithm: + dashed_name: tls-client-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: tls.client.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword +tls.client.x509.public_key_curve: + dashed_name: tls-client-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. 
+ example: nistp521 + flat_name: tls.client.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword +tls.client.x509.public_key_exponent: + dashed_name: tls-client-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: tls.client.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +tls.client.x509.public_key_size: + dashed_name: tls-client-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: tls.client.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +tls.client.x509.serial_number: + dashed_name: tls-client-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: tls.client.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + short_description: Unique serial number issued by the certificate authority. + type: keyword +tls.client.x509.signature_algorithm: + dashed_name: tls-client-x509-signature-algorithm + description: Identifier for certificate signature algorithm. 
Recommend using names + found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + example: SHA256-RSA + flat_name: tls.client.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. Recommend using names found + in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + type: keyword +tls.client.x509.subject.common_name: + dashed_name: tls-client-x509-subject-common-name + description: List of common names (CN) of subject. + example: r2.shared.global.fastly.net + flat_name: tls.client.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword +tls.client.x509.subject.country: + dashed_name: tls-client-x509-subject-country + description: List of country (C) code + example: US + flat_name: tls.client.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword +tls.client.x509.subject.distinguished_name: + dashed_name: tls-client-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: tls.client.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. 
+ type: keyword +tls.client.x509.subject.locality: + dashed_name: tls-client-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: tls.client.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +tls.client.x509.subject.organization: + dashed_name: tls-client-x509-subject-organization + description: List of organizations (O) of subject. + example: Fastly, Inc. + flat_name: tls.client.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword +tls.client.x509.subject.organizational_unit: + dashed_name: tls-client-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: tls.client.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +tls.client.x509.subject.state_or_province: + dashed_name: tls-client-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.client.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +tls.client.x509.version_number: + dashed_name: tls-client-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: tls.client.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. 
+ type: keyword tls.curve: dashed_name: tls-curve description: String indicating the curve used for the given cipher, when applicable. 
@@ -6825,6 +7451,319 @@ tls.server.subject: normalize: [] short: Subject of the x.509 certificate presented by the server. type: keyword +tls.server.x509.alternative_names: + dashed_name: tls-server-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: tls.server.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate authority + and certificate type but commonly contain IP addresses, DNS names (and wildcards), + and email addresses. + short_description: List of subject alternative names (SAN) + type: keyword +tls.server.x509.issuer.common_name: + dashed_name: tls-server-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + flat_name: tls.server.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword +tls.server.x509.issuer.country: + dashed_name: tls-server-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: tls.server.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword +tls.server.x509.issuer.distinguished_name: + dashed_name: tls-server-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + flat_name: tls.server.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword +tls.server.x509.issuer.locality: + dashed_name: tls-server-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: tls.server.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +tls.server.x509.issuer.organization: + dashed_name: tls-server-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: DigiCert Inc + flat_name: tls.server.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword +tls.server.x509.issuer.organizational_unit: + dashed_name: tls-server-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + flat_name: tls.server.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword +tls.server.x509.issuer.state_or_province: + dashed_name: tls-server-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.server.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +tls.server.x509.not_after: + dashed_name: tls-server-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: tls.server.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +tls.server.x509.not_before: + dashed_name: tls-server-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: tls.server.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +tls.server.x509.public_key_algorithm: + dashed_name: tls-server-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: tls.server.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword +tls.server.x509.public_key_curve: + dashed_name: tls-server-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. 
+ example: nistp521 + flat_name: tls.server.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword +tls.server.x509.public_key_exponent: + dashed_name: tls-server-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: tls.server.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +tls.server.x509.public_key_size: + dashed_name: tls-server-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: tls.server.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +tls.server.x509.serial_number: + dashed_name: tls-server-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: tls.server.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + short_description: Unique serial number issued by the certificate authority. + type: keyword +tls.server.x509.signature_algorithm: + dashed_name: tls-server-x509-signature-algorithm + description: Identifier for certificate signature algorithm. 
Recommend using names + found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + example: SHA256-RSA + flat_name: tls.server.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. Recommend using names found + in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + type: keyword +tls.server.x509.subject.common_name: + dashed_name: tls-server-x509-subject-common-name + description: List of common names (CN) of subject. + example: r2.shared.global.fastly.net + flat_name: tls.server.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword +tls.server.x509.subject.country: + dashed_name: tls-server-x509-subject-country + description: List of country (C) code + example: US + flat_name: tls.server.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword +tls.server.x509.subject.distinguished_name: + dashed_name: tls-server-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: tls.server.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. 
+ type: keyword +tls.server.x509.subject.locality: + dashed_name: tls-server-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: tls.server.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +tls.server.x509.subject.organization: + dashed_name: tls-server-x509-subject-organization + description: List of organizations (O) of subject. + example: Fastly, Inc. + flat_name: tls.server.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword +tls.server.x509.subject.organizational_unit: + dashed_name: tls-server-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: tls.server.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +tls.server.x509.subject.state_or_province: + dashed_name: tls-server-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.server.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +tls.server.x509.version_number: + dashed_name: tls-server-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: tls.server.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. 
+ type: keyword tls.version: dashed_name: tls-version description: Numeric part of the version parsed from the original string. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 78f06089c9..c30f346d6c 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -3214,12 +3214,326 @@ file: normalize: [] short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword + x509.alternative_names: + dashed_name: file-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: file.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + short_description: List of subject alternative names (SAN) + type: keyword + x509.issuer.common_name: + dashed_name: file-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + flat_name: file.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword + x509.issuer.country: + dashed_name: file-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: file.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword + x509.issuer.distinguished_name: + dashed_name: file-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + flat_name: file.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword + x509.issuer.locality: + dashed_name: file-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: file.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + x509.issuer.organization: + dashed_name: file-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: DigiCert Inc + flat_name: file.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword + x509.issuer.organizational_unit: + dashed_name: file-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + flat_name: file.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword + x509.issuer.state_or_province: + dashed_name: file-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: file.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + x509.not_after: + dashed_name: file-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: file.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date + x509.not_before: + dashed_name: file-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: file.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + x509.public_key_algorithm: + dashed_name: file-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: file.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword + x509.public_key_curve: + dashed_name: file-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: file.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. 
+ type: keyword + x509.public_key_exponent: + dashed_name: file-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: file.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long + x509.public_key_size: + dashed_name: file-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: file.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + x509.serial_number: + dashed_name: file-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: file.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + short_description: Unique serial number issued by the certificate authority. + type: keyword + x509.signature_algorithm: + dashed_name: file-x509-signature-algorithm + description: Identifier for certificate signature algorithm. Recommend using + names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + example: SHA256-RSA + flat_name: file.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. 
Recommend using names + found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + type: keyword + x509.subject.common_name: + dashed_name: file-x509-subject-common-name + description: List of common names (CN) of subject. + example: r2.shared.global.fastly.net + flat_name: file.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword + x509.subject.country: + dashed_name: file-x509-subject-country + description: List of country (C) code + example: US + flat_name: file.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword + x509.subject.distinguished_name: + dashed_name: file-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: file.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword + x509.subject.locality: + dashed_name: file-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: file.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + x509.subject.organization: + dashed_name: file-x509-subject-organization + description: List of organizations (O) of subject. + example: Fastly, Inc. 
+ flat_name: file.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword + x509.subject.organizational_unit: + dashed_name: file-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: file.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword + x509.subject.state_or_province: + dashed_name: file-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: file.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + x509.version_number: + dashed_name: file-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: file.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. + type: keyword group: 2 name: file nestings: - file.code_signature - file.hash - file.pe + - file.x509 prefix: file. short: Fields describing files. title: File 
@@ -7683,6 +7997,319 @@ tls: - array short: Array of ciphers offered by the client during the client hello. type: keyword + client.x509.alternative_names: + dashed_name: tls-client-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: tls.client.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + short_description: List of subject alternative names (SAN) + type: keyword + client.x509.issuer.common_name: + dashed_name: tls-client-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + flat_name: tls.client.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword + client.x509.issuer.country: + dashed_name: tls-client-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: tls.client.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword + client.x509.issuer.distinguished_name: + dashed_name: tls-client-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + flat_name: tls.client.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword + client.x509.issuer.locality: + dashed_name: tls-client-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: tls.client.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + client.x509.issuer.organization: + dashed_name: tls-client-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: DigiCert Inc + flat_name: tls.client.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword + client.x509.issuer.organizational_unit: + dashed_name: tls-client-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + flat_name: tls.client.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword + client.x509.issuer.state_or_province: + dashed_name: tls-client-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.client.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + client.x509.not_after: + dashed_name: tls-client-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: tls.client.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date + client.x509.not_before: + dashed_name: tls-client-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: tls.client.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + client.x509.public_key_algorithm: + dashed_name: tls-client-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: tls.client.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword + client.x509.public_key_curve: + dashed_name: tls-client-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. 
+ example: nistp521 + flat_name: tls.client.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword + client.x509.public_key_exponent: + dashed_name: tls-client-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: tls.client.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long + client.x509.public_key_size: + dashed_name: tls-client-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: tls.client.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + client.x509.serial_number: + dashed_name: tls-client-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: tls.client.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + short_description: Unique serial number issued by the certificate authority. + type: keyword + client.x509.signature_algorithm: + dashed_name: tls-client-x509-signature-algorithm + description: Identifier for certificate signature algorithm. 
Recommend using + names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + example: SHA256-RSA + flat_name: tls.client.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. Recommend using names + found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + type: keyword + client.x509.subject.common_name: + dashed_name: tls-client-x509-subject-common-name + description: List of common names (CN) of subject. + example: r2.shared.global.fastly.net + flat_name: tls.client.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword + client.x509.subject.country: + dashed_name: tls-client-x509-subject-country + description: List of country (C) code + example: US + flat_name: tls.client.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword + client.x509.subject.distinguished_name: + dashed_name: tls-client-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: tls.client.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. 
+ type: keyword + client.x509.subject.locality: + dashed_name: tls-client-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: tls.client.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + client.x509.subject.organization: + dashed_name: tls-client-x509-subject-organization + description: List of organizations (O) of subject. + example: Fastly, Inc. + flat_name: tls.client.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword + client.x509.subject.organizational_unit: + dashed_name: tls-client-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: tls.client.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword + client.x509.subject.state_or_province: + dashed_name: tls-client-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.client.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + client.x509.version_number: + dashed_name: tls-client-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: tls.client.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. 
+ type: keyword curve: dashed_name: tls-curve description: String indicating the curve used for the given cipher, when applicable. 
@@ -7867,6 +8494,319 @@ tls: normalize: [] short: Subject of the x.509 certificate presented by the server. type: keyword + server.x509.alternative_names: + dashed_name: tls-server-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: tls.server.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + short_description: List of subject alternative names (SAN) + type: keyword + server.x509.issuer.common_name: + dashed_name: tls-server-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + flat_name: tls.server.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword + server.x509.issuer.country: + dashed_name: tls-server-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: tls.server.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword + server.x509.issuer.distinguished_name: + dashed_name: tls-server-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + flat_name: tls.server.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword + server.x509.issuer.locality: + dashed_name: tls-server-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: tls.server.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + server.x509.issuer.organization: + dashed_name: tls-server-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: DigiCert Inc + flat_name: tls.server.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword + server.x509.issuer.organizational_unit: + dashed_name: tls-server-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + flat_name: tls.server.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword + server.x509.issuer.state_or_province: + dashed_name: tls-server-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.server.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + server.x509.not_after: + dashed_name: tls-server-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: tls.server.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date + server.x509.not_before: + dashed_name: tls-server-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: tls.server.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + server.x509.public_key_algorithm: + dashed_name: tls-server-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: tls.server.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword + server.x509.public_key_curve: + dashed_name: tls-server-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. 
+ example: nistp521 + flat_name: tls.server.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword + server.x509.public_key_exponent: + dashed_name: tls-server-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: tls.server.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long + server.x509.public_key_size: + dashed_name: tls-server-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: tls.server.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + server.x509.serial_number: + dashed_name: tls-server-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: tls.server.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + short_description: Unique serial number issued by the certificate authority. + type: keyword + server.x509.signature_algorithm: + dashed_name: tls-server-x509-signature-algorithm + description: Identifier for certificate signature algorithm. 
Recommend using + names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + example: SHA256-RSA + flat_name: tls.server.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. Recommend using names + found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + type: keyword + server.x509.subject.common_name: + dashed_name: tls-server-x509-subject-common-name + description: List of common names (CN) of subject. + example: r2.shared.global.fastly.net + flat_name: tls.server.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword + server.x509.subject.country: + dashed_name: tls-server-x509-subject-country + description: List of country (C) code + example: US + flat_name: tls.server.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword + server.x509.subject.distinguished_name: + dashed_name: tls-server-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: tls.server.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. 
+ type: keyword + server.x509.subject.locality: + dashed_name: tls-server-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: tls.server.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + server.x509.subject.organization: + dashed_name: tls-server-x509-subject-organization + description: List of organizations (O) of subject. + example: Fastly, Inc. + flat_name: tls.server.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword + server.x509.subject.organizational_unit: + dashed_name: tls-server-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: tls.server.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword + server.x509.subject.state_or_province: + dashed_name: tls-server-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: tls.server.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + server.x509.version_number: + dashed_name: tls-server-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: tls.server.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. 
+ type: keyword version: dashed_name: tls-version description: Numeric part of the version parsed from the original string. @@ -7891,6 +8831,9 @@ tls: type: keyword group: 2 name: tls + nestings: + - tls.client.x509 + - tls.server.x509 prefix: tls. short: Fields describing a TLS connection. title: TLS 
@@ -8652,3 +9595,322 @@ vulnerability: short: Fields to describe the vulnerability relevant to an event. title: Vulnerability type: group +x509: + description: This implements the common core fields for x509 certificates. This + information is likely logged with TLS sessions, digital signatures found in executable + binaries, S/MIME information in email bodies, or analysis of files on disk. When + only a single certificate is logged in an event, it should be nested under `file`. + When hashes of the DER-encoded certificate are available, the `hash` data set + should be populated as well (e.g. `file.hash.sha256`). For events that contain + certificate information for both sides of the connection, the x509 object could + be nested under the respective side of the connection information (e.g. `tls.server.x509`). + fields: + alternative_names: + dashed_name: x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + short: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + short_description: List of subject alternative names (SAN) + type: keyword + issuer.common_name: + dashed_name: x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + flat_name: x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + short: List of common name (CN) of issuing certificate authority. 
+ type: keyword + issuer.country: + dashed_name: x509-issuer-country + description: List of country (C) codes + example: US + flat_name: x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + short: List of country (C) codes + type: keyword + issuer.distinguished_name: + dashed_name: x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + flat_name: x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + short: Distinguished name (DN) of issuing certificate authority. + type: keyword + issuer.locality: + dashed_name: x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + short: List of locality names (L) + type: keyword + issuer.organization: + dashed_name: x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: DigiCert Inc + flat_name: x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + short: List of organizations (O) of issuing certificate authority. + type: keyword + issuer.organizational_unit: + dashed_name: x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + flat_name: x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword + issuer.state_or_province: + dashed_name: x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + short: List of state or province names (ST, S, or P) + type: keyword + not_after: + dashed_name: x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: x509.not_after + level: extended + name: not_after + normalize: [] + short: Time at which the certificate is no longer considered valid. + type: date + not_before: + dashed_name: x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: x509.not_before + level: extended + name: not_before + normalize: [] + short: Time at which the certificate is first considered valid. + type: date + public_key_algorithm: + dashed_name: x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + short: Algorithm used to generate the public key. + type: keyword + public_key_curve: + dashed_name: x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword + public_key_exponent: + dashed_name: x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. 
+ doc_values: false + example: 65537 + flat_name: x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + short: Exponent used to derive the public key. This is algorithm specific. + type: long + public_key_size: + dashed_name: x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: x509.public_key_size + level: extended + name: public_key_size + normalize: [] + short: The size of the public key space in bits. + type: long + serial_number: + dashed_name: x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + short: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + short_description: Unique serial number issued by the certificate authority. + type: keyword + signature_algorithm: + dashed_name: x509-signature-algorithm + description: Identifier for certificate signature algorithm. Recommend using + names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + example: SHA256-RSA + flat_name: x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + short: Identifier for certificate signature algorithm. Recommend using names + found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + type: keyword + subject.common_name: + dashed_name: x509-subject-common-name + description: List of common names (CN) of subject. 
+ example: r2.shared.global.fastly.net + flat_name: x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + short: List of common names (CN) of subject. + type: keyword + subject.country: + dashed_name: x509-subject-country + description: List of country (C) code + example: US + flat_name: x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + short: List of country (C) code + type: keyword + subject.distinguished_name: + dashed_name: x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + short: Distinguished name (DN) of the certificate subject entity. + type: keyword + subject.locality: + dashed_name: x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + short: List of locality names (L) + type: keyword + subject.organization: + dashed_name: x509-subject-organization + description: List of organizations (O) of subject. + example: Fastly, Inc. + flat_name: x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + short: List of organizations (O) of subject. + type: keyword + subject.organizational_unit: + dashed_name: x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + short: List of organizational units (OU) of subject. 
+ type: keyword + subject.state_or_province: + dashed_name: x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + short: List of state or province names (ST, S, or P) + type: keyword + version_number: + dashed_name: x509-version-number + description: Version of x509 format. + example: 3 + flat_name: x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + short: Version of x509 format. + type: keyword + group: 2 + name: x509 + prefix: x509. + reusable: + expected: + - file + - tls.client + - tls.server + top_level: false + short: This implements the common core fields for x509 certificates. This information + is likely logged with TLS sessions, digital signatures found in executable binaries, + S/MIME information in email bodies, or analysis of files on disk. When only a + single certificate is logged in an event, it should be nested under `file`. When + hashes of the DER-encoded certificate are available, the `hash` data set should + be populated as well (e.g. `file.hash.sha256`). For events that contain certificate + information for both sides of the connection, the x509 object could be nested + under the respective side of the connection information (e.g. `tls.server.x509`). + short_description: These fields contain x509 certificate metadata. + title: x509 Certificate + type: group diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index fa4972d346..d5f033b22e 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -924,6 +924,112 @@ "uid": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, 
@@ -2451,6 +2557,112 @@ "supported_ciphers": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, 
@@ -2511,6 +2723,112 @@ "subject": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index a536f27e71..f756237e21 100644 
--- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -923,6 +923,112 @@ "uid": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, 
@@ -2450,6 +2556,112 @@ "supported_ciphers": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, 
@@ -2510,6 +2722,112 @@ "subject": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, diff --git a/schemas/x509.yml b/schemas/x509.yml new file mode 100644 index 0000000000..07571747a6 --- /dev/null +++ b/schemas/x509.yml 
@@ -0,0 +1,193 @@
+---
+- name: x509
+ title: x509 Certificate
+ group: 2
+ short_description: These fields contain x509 certificate metadata.
+ description: >
+ This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions,
+ digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.
+ When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded
+ certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that
+ contain certificate information for both sides of the connection, the x509 object could be nested under the respective
+ side of the connection information (e.g. `tls.server.x509`).
+ type: group
+ reusable:
+ top_level: false
+ expected:
+ - file
+ - tls.client
+ - tls.server
+ fields:
+ - name: version_number
+ level: extended
+ type: keyword
+ description: Version of x509 format.
+ example: 3
+
+ - name: serial_number
+ level: extended
+ type: keyword
+ short_description: Unique serial number issued by the certificate authority.
+ description: >
+ Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be
+ formatted without colons and uppercase characters.
+ example: 55FBB9C7DEBF09809D12CCAA
+
+ - name: issuer.distinguished_name
+ level: extended
+ type: keyword
+ description: Distinguished name (DN) of issuing certificate authority.
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
+
+ - name: issuer.common_name
+ level: extended
+ type: keyword
+ normalize:
+ - array
+ description: List of common name (CN) of issuing certificate authority.
+ example: DigiCert SHA2 High Assurance Server CA
+
+ - name: issuer.organizational_unit
+ level: extended
+ type: keyword
+ normalize:
+ - array
+ description: List of organizational units (OU) of issuing certificate authority.
+ example: www.digicert.com
+
+ - name: issuer.organization
+ level: extended
+ type: keyword
+ normalize:
+ - array
+ description: List of organizations (O) of issuing certificate authority.
+ example: DigiCert Inc
+
+ - name: issuer.locality
+ level: extended
+ type: keyword
+ normalize:
+ - array
+ description: List of locality names (L)
+ example: Mountain View
+
+ - name: issuer.state_or_province
+ level: extended
+ type: keyword
+ normalize:
+ - array
+ description: List of state or province names (ST, S, or P)
+ example: California
+
+ - name: issuer.country
+ level: extended
+ type: keyword
+ normalize:
+ - array
+ description: List of country (C) codes
+ example: US
+
+ - name: signature_algorithm
+ level: extended
+ type: keyword
+ description: Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
+ example: SHA256-RSA
+
+ - name: not_before
+ level: extended
+ type: date
+ description: Time at which the certificate is first considered valid.
+ example: 2019-08-16T01:40:25Z
+
+ - name: not_after
+ level: extended
+ type: date
+ description: Time at which the certificate is no longer considered valid.
+ example: 2020-07-16T03:15:39Z
+
+ - name: subject.distinguished_name
+ level: extended
+ type: keyword
+ description: Distinguished name (DN) of the certificate subject entity.
+ example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net
+
+ - name: subject.common_name
+ level: extended
+ type: keyword
+ normalize:
+ - array
+ description: List of common names (CN) of subject.
+ example: r2.shared.global.fastly.net
+
+ - name: subject.organizational_unit
+ level: extended
+ type: keyword
+ normalize:
+ - array
+ description: List of organizational units (OU) of subject.
+
+ - name: subject.organization
+ level: extended
+ type: keyword
+ normalize:
+ - array
+ description: List of organizations (O) of subject.
+ example: Fastly, Inc.
+
+ - name: subject.locality
+ level: extended
+ type: keyword
+ normalize:
+ - array
+ description: List of locality names (L)
+ example: San Francisco
+
+ - name: subject.state_or_province
+ level: extended
+ type: keyword
+ normalize:
+ - array
+ description: List of state or province names (ST, S, or P)
+ example: California
+
+ - name: subject.country
+ level: extended
+ type: keyword
+ normalize:
+ - array
+ description: List of country (C) code
+ example: US
+
+ - name: public_key_algorithm
+ level: extended
+ type: keyword
+ description: Algorithm used to generate the public key.
+ example: RSA
+
+ - name: public_key_size
+ level: extended
+ type: long
+ description: The size of the public key space in bits.
+ example: 2048
+
+ - name: public_key_exponent
+ level: extended
+ type: long
+ index: false
+ description: Exponent used to derive the public key. This is algorithm specific.
+ example: 65537
+
+ - name: public_key_curve
+ level: extended
+ type: keyword
+ description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+ example: nistp521
+
+ - name: alternative_names
+ level: extended
+ type: keyword
+ normalize:
+ - array
+ short_description: List of subject alternative names (SAN)
+ description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+ example: "*.elastic.co"
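Review bot: The `serial_number` description in this hunk is ambiguous about case: `formatted without colons and uppercase characters` reads as "no colons and no uppercase", while the example `55FBB9C7DEBF09809D12CCAA` is uppercase hex, and a case mismatch between producers silently breaks the joins analysts rely on when pivoting a serial across TLS logs, CT logs and CRL/OCSP data. Suggest `formatted as uppercase hexadecimal without colons or a 0x prefix` so the rule and the example agree. `version_number` has a similar gap: RFC 5280 encodes the version zero-based (v3 is the integer 2) but the example is `3`, so the description should say which form is expected, e.g. `Version of x509 format as the human-readable number (3 for v3), not the zero-based DER integer.`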