First stab at x509 schema

elastic · Mar 20, 2020 · a54d51f · a54d51f
1 parent 2657c72
commit a54d51f
Show file tree

Hide file tree

Showing 10 changed files with 1,360 additions and 0 deletions.
diff --git a/code/go/ecs/x509.go b/code/go/ecs/x509.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -2217,6 +2217,12 @@ example: `1001`
 // ===============================================================
 
 
+| <<ecs-x509,file.x509.*>>
+| These fields contain x509 certificate metadata.
+
+// ===============================================================
+
+
 |=====
 
 [[ecs-geo]]
@@ -6834,3 +6840,183 @@ example: `Critical`
 // ===============================================================
 
 |=====
+
+[[ecs-x509]]
+=== x509 Certificate information Fields
+
+These fields contain x509 certificate metadata.
+
+==== x509 Certificate information Field Details
+
+[options="header"]
+|=====
+| Field  | Description | Level
+
+// ===============================================================
+
+| x509.alternative_names
+| List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+
+type: keyword
+
+
+
+example: `*.elastic.co`
+
+| extended
+
+// ===============================================================
+
+| x509.issuer
+| Distinguished name (DN) of issuing certificate authority.
+
+type: keyword
+
+
+
+example: `C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3`
+
+| extended
+
+// ===============================================================
+
+| x509.not_after
+| Time at which the certificate is first considered valid.
+
+type: date
+
+
+
+example: `2020-07-16 03:15:39+00:00`
+
+| extended
+
+// ===============================================================
+
+| x509.not_before
+| Time at which the certificate is first considered valid.
+
+type: date
+
+
+
+example: `2019-08-16 01:40:25+00:00`
+
+| extended
+
+// ===============================================================
+
+| x509.public_key_algorithm
+| Algorithm used to generate the public key.
+
+type: keyword
+
+
+
+example: `RSA, ECDSA`
+
+| extended
+
+// ===============================================================
+
+| x509.public_key_curve
+| The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+
+type: keyword
+
+
+
+example: `nistp521`
+
+| extended
+
+// ===============================================================
+
+| x509.public_key_exponent
+| Exponent used to derive the public key. This is algorithm specific.
+
+type: long
+
+
+
+example: `65537`
+
+| extended
+
+// ===============================================================
+
+| x509.public_key_size
+| The size of the public key space in bits.
+
+type: long
+
+
+
+example: `2048`
+
+| extended
+
+// ===============================================================
+
+| x509.serial_number
+| Unique serial number issued by the certificate authority.
+
+type: keyword
+
+
+
+example: `55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa`
+
+| extended
+
+// ===============================================================
+
+| x509.signature_algorithm
+| Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go).
+
+type: keyword
+
+
+
+example: `SHA256-RSA`
+
+| extended
+
+// ===============================================================
+
+| x509.subject
+| Distinguished name (DN) of the certificate subject entity.
+
+type: keyword
+
+
+
+example: `C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net`
+
+| extended
+
+// ===============================================================
+
+| x509.version_number
+| Version of x509 format.
+
+type: long
+
+
+
+example: `3`
+
+| extended
+
+// ===============================================================
+
+|=====
+
+==== Field Reuse
+
+The `x509` fields are expected to be nested at: `file.x509`.
+
+Note also that the `x509` fields are not expected to be used directly at the top level.
+
+
+
diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc
@@ -104,6 +104,8 @@ all fields are defined.
 
 | <<ecs-vulnerability,Vulnerability>> | Fields to describe the vulnerability relevant to an event.
 
+| <<ecs-x509,x509 Certificate information>> | These fields contain x509 certificate metadata.
+
 |=====
 
 include::field-details.asciidoc[]