From a54d51fbcefe4ba9d9a4116b236c910b225f3a59 Mon Sep 17 00:00:00 2001
From: Derek Ditch
Date: Tue, 25 Feb 2020 07:56:52 -0600
Subject: [PATCH] First stab at x509 schema
---
code/go/ecs/x509.go | 68 +++++
docs/field-details.asciidoc | 186 ++++++++++++++
docs/fields.asciidoc | 2 +
generated/beats/fields.ecs.yml | 172 +++++++++++++
generated/csv/fields.csv | 24 ++
generated/ecs/ecs_flat.yml | 318 +++++++++++++++++++++++
generated/ecs/ecs_nested.yml | 320 ++++++++++++++++++++++++
generated/elasticsearch/6/template.json | 94 +++++++
generated/elasticsearch/7/template.json | 94 +++++++
schemas/x509.yml | 82 ++++++
10 files changed, 1360 insertions(+)
create mode 100644 code/go/ecs/x509.go
create mode 100644 schemas/x509.yml
diff --git a/code/go/ecs/x509.go b/code/go/ecs/x509.go
new file mode 100644
index 0000000000..ad3965d730
--- /dev/null
+++ b/code/go/ecs/x509.go
@@ -0,0 +1,68 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+import (
+ "time"
+)
+
+// These fields contain x509 certificate metadata.
+type X509 struct {
+ // Version of x509 format.
+ VersionNumber int64 `ecs:"version_number"`
+
+ // Unique serial number issued by the certificate authority.
+ SerialNumber string `ecs:"serial_number"`
+
+ // Distinguished name (DN) of issuing certificate authority.
+ Issuer string `ecs:"issuer"`
+
+ // Identifier for certificate signature algorithm. Recommend using names
+ // found in Go Lang Crypto library
+ // (https://golang.org/src/crypto/x509/x509.go).
+ SignatureAlgorithm string `ecs:"signature_algorithm"`
+
+ // Time at which the certificate is first considered valid.
+ NotBefore time.Time `ecs:"not_before"`
+
+ // Time at which the certificate is first considered valid.
+ NotAfter time.Time `ecs:"not_after"`
+
+ // Distinguished name (DN) of the certificate subject entity.
+ Subject string `ecs:"subject"`
+
+ // Algorithm used to generate the public key.
+ PublicKeyAlgorithm string `ecs:"public_key_algorithm"`
+
+ // The size of the public key space in bits.
+ PublicKeySize int64 `ecs:"public_key_size"`
+
+ // Exponent used to derive the public key. This is algorithm specific.
+ PublicKeyExponent int64 `ecs:"public_key_exponent"`
+
+ // The curve used by the elliptic curve public key algorithm. This is
+ // algorithm specific.
+ PublicKeyCurve string `ecs:"public_key_curve"`
+
+ // List of subject alternative names (SAN). Name types vary by certificate
+ // authority and certificate type but commonly contain IP addresses, DNS
+ // names (and wildcards), and email addresses.
+ AlternativeNames string `ecs:"alternative_names"`
+}
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index e5fc2b158a..2fae973509 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -2217,6 +2217,12 @@ example: `1001` // =============================================================== +| <> +| These fields contain x509 certificate metadata. + +// =============================================================== + + |===== [[ecs-geo]]
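Review bot: The comment above `NotAfter` is a copy of the `NotBefore` one ("Time at which the certificate is first considered valid"), so the field that marks the end of the validity period is documented as its start, and anyone building expiry or not-yet-valid checks on these two fields from the docs alone would be misled. Because this file is generated by scripts/gocodegen.go, the fix belongs in the `not_after` description in schemas/x509.yml followed by a regenerate, e.g. `Time at which the certificate is no longer considered valid.`; the same copied text is reproduced in every generated artefact in this commit (field-details.asciidoc, fields.ecs.yml, fields.csv, ecs_flat.yml, ecs_nested.yml), so one schema change fixes all of them. Separately, `AlternativeNames` is typed `string` while its comment says "List of subject alternative names"; if the schema intends multiple values, declaring that on the field (ECS uses `normalize: - array` for this) is presumably what would make the generated type, the `normalize: []` entries in ecs_flat.yml and the docs agree, which is worth confirming against the generator.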
@@ -6834,3 +6840,183 @@ example: `Critical` // =============================================================== |===== + +[[ecs-x509]] +=== x509 Certificate information Fields + +These fields contain x509 certificate metadata. + +==== x509 Certificate information Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| x509.alternative_names +| List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + + + +example: `*.elastic.co` + +| extended + +// =============================================================== + +| x509.issuer +| Distinguished name (DN) of issuing certificate authority. + +type: keyword + + + +example: `C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3` + +| extended + +// =============================================================== + +| x509.not_after +| Time at which the certificate is first considered valid. + +type: date + + + +example: `2020-07-16 03:15:39+00:00` + +| extended + +// =============================================================== + +| x509.not_before +| Time at which the certificate is first considered valid. + +type: date + + + +example: `2019-08-16 01:40:25+00:00` + +| extended + +// =============================================================== + +| x509.public_key_algorithm +| Algorithm used to generate the public key. + +type: keyword + + + +example: `RSA, ECDSA` + +| extended + +// =============================================================== + +| x509.public_key_curve +| The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + + + +example: `nistp521` + +| extended + +// =============================================================== + +| x509.public_key_exponent +| Exponent used to derive the public key. 
This is algorithm specific. + +type: long + + + +example: `65537` + +| extended + +// =============================================================== + +| x509.public_key_size +| The size of the public key space in bits. + +type: long + + + +example: `2048` + +| extended + +// =============================================================== + +| x509.serial_number +| Unique serial number issued by the certificate authority. + +type: keyword + + + +example: `55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa` + +| extended + +// =============================================================== + +| x509.signature_algorithm +| Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + +type: keyword + + + +example: `SHA256-RSA` + +| extended + +// =============================================================== + +| x509.subject +| Distinguished name (DN) of the certificate subject entity. + +type: keyword + + + +example: `C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net` + +| extended + +// =============================================================== + +| x509.version_number +| Version of x509 format. + +type: long + + + +example: `3` + +| extended + +// =============================================================== + +|===== + +==== Field Reuse + +The `x509` fields are expected to be nested at: `file.x509`. + +Note also that the `x509` fields are not expected to be used directly at the top level. + + + diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index 3486218007..fa187f5fad 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -104,6 +104,8 @@ all fields are defined. | <> | Fields to describe the vulnerability relevant to an event. +| <> | These fields contain x509 certificate metadata. + |===== include::field-details.asciidoc[] 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 32a605920b..8d19ca3963 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -1640,6 +1640,89 @@ ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' + - name: x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: x509.issuer + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3 + default_field: false + - name: x509.not_after + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA, ECDSA + default_field: false + - name: x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + default_field: false + - name: x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. 
+ example: 2048 + default_field: false + - name: x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. + example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + default_field: false + - name: x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. Recommend using + names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + example: SHA256-RSA + default_field: false + - name: x509.subject + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + default_field: false + - name: x509.version_number + level: extended + type: long + description: Version of x509 format. + example: 3 + default_field: false - name: geo title: Geo group: 2 
@@ -4954,3 +5037,92 @@ prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) example: Critical default_field: false + - name: x509 + title: x509 Certificate information + group: 2 + description: These fields contain x509 certificate metadata. + type: group + fields: + - name: alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: issuer + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3 + default_field: false + - name: not_after + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA, ECDSA + default_field: false + - name: public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + default_field: false + - name: public_key_size + level: extended + type: long + description: The size of the public key space in bits. 
+ example: 2048 + default_field: false + - name: serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. + example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + default_field: false + - name: signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. Recommend using + names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + example: SHA256-RSA + default_field: false + - name: subject + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + default_field: false + - name: version_number + level: extended + type: long + description: Version of x509 format. + example: 3 + default_field: false diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index a3475e1eec..79c76213db 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -197,6 +197,18 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.6.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. 1.6.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." 1.6.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.6.0-dev,true,file,file.x509.alternative_names,keyword,extended,,*.elastic.co,"List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses." +1.6.0-dev,true,file,file.x509.issuer,keyword,extended,,"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3",Distinguished name (DN) of issuing certificate authority. +1.6.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is first considered valid. +1.6.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.6.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,"RSA, ECDSA",Algorithm used to generate the public key. +1.6.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.6.0-dev,true,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.6.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.6.0-dev,true,file,file.x509.serial_number,keyword,extended,,55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa,Unique serial number issued by the certificate authority. +1.6.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
Recommend using names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). +1.6.0-dev,true,file,file.x509.subject,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net",Distinguished name (DN) of the certificate subject entity. +1.6.0-dev,true,file,file.x509.version_number,long,extended,,3,Version of x509 format. 1.6.0-dev,true,geo,geo.city_name,keyword,core,,Montreal,City name. 1.6.0-dev,true,geo,geo.continent_name,keyword,core,,North America,Name of the continent. 1.6.0-dev,true,geo,geo.country_iso_code,keyword,core,,CA,Country ISO code. 
@@ -617,3 +629,15 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.6.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. 1.6.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. 1.6.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +1.6.0-dev,true,x509,x509.alternative_names,keyword,extended,,*.elastic.co,"List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses." +1.6.0-dev,true,x509,x509.issuer,keyword,extended,,"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3",Distinguished name (DN) of issuing certificate authority. +1.6.0-dev,true,x509,x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is first considered valid. +1.6.0-dev,true,x509,x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.6.0-dev,true,x509,x509.public_key_algorithm,keyword,extended,,"RSA, ECDSA",Algorithm used to generate the public key. +1.6.0-dev,true,x509,x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.6.0-dev,true,x509,x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.6.0-dev,true,x509,x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.6.0-dev,true,x509,x509.serial_number,keyword,extended,,55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa,Unique serial number issued by the certificate authority. +1.6.0-dev,true,x509,x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
Recommend using names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). +1.6.0-dev,true,x509,x509.subject,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net",Distinguished name (DN) of the certificate subject entity. +1.6.0-dev,true,x509,x509.version_number,long,extended,,3,Version of x509 format. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index c208c747ca..a991a2e723 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -3011,6 +3011,165 @@ file.uid: order: 10 short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword +file.x509.alternative_names: + dashed_name: file-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: file.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: [] + order: 11 + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate authority + and certificate type but commonly contain IP addresses, DNS names (and wildcards), + and email addresses. + type: keyword +file.x509.issuer: + dashed_name: file-x509-issuer + description: Distinguished name (DN) of issuing certificate authority. + example: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3 + flat_name: file.x509.issuer + ignore_above: 1024 + level: extended + name: issuer + normalize: [] + order: 2 + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword +file.x509.not_after: + dashed_name: file-x509-not-after + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: file.x509.not_after + level: extended + name: not_after + normalize: [] + order: 5 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +file.x509.not_before: + dashed_name: file-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: file.x509.not_before + level: extended + name: not_before + normalize: [] + order: 4 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. 
+ type: date +file.x509.public_key_algorithm: + dashed_name: file-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA, ECDSA + flat_name: file.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + order: 7 + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword +file.x509.public_key_curve: + dashed_name: file-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: file.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + order: 10 + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword +file.x509.public_key_exponent: + dashed_name: file-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + flat_name: file.x509.public_key_exponent + level: extended + name: public_key_exponent + normalize: [] + order: 9 + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +file.x509.public_key_size: + dashed_name: file-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: file.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + order: 8 + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +file.x509.serial_number: + dashed_name: file-x509-serial-number + description: Unique serial number issued by the certificate authority. 
+ example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + flat_name: file.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + order: 1 + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword +file.x509.signature_algorithm: + dashed_name: file-x509-signature-algorithm + description: Identifier for certificate signature algorithm. Recommend using names + found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + example: SHA256-RSA + flat_name: file.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + order: 3 + original_fieldset: x509 + short: Identifier for certificate signature algorithm. Recommend using names found + in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + type: keyword +file.x509.subject: + dashed_name: file-x509-subject + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: file.x509.subject + ignore_above: 1024 + level: extended + name: subject + normalize: [] + order: 6 + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword +file.x509.version_number: + dashed_name: file-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: file.x509.version_number + level: extended + name: version_number + normalize: [] + order: 0 + original_fieldset: x509 + short: Version of x509 format. + type: long geo.city_name: dashed_name: geo-city-name description: City name. 
@@ -8435,3 +8594,162 @@ vulnerability.severity: order: 11 short: Severity of the vulnerability. type: keyword +x509.alternative_names: + dashed_name: x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: [] + order: 11 + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate authority + and certificate type but commonly contain IP addresses, DNS names (and wildcards), + and email addresses. + type: keyword +x509.issuer: + dashed_name: x509-issuer + description: Distinguished name (DN) of issuing certificate authority. + example: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3 + flat_name: x509.issuer + ignore_above: 1024 + level: extended + name: issuer + normalize: [] + order: 2 + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword +x509.not_after: + dashed_name: x509-not-after + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: x509.not_after + level: extended + name: not_after + normalize: [] + order: 5 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +x509.not_before: + dashed_name: x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: x509.not_before + level: extended + name: not_before + normalize: [] + order: 4 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. 
+ type: date +x509.public_key_algorithm: + dashed_name: x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA, ECDSA + flat_name: x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + order: 7 + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword +x509.public_key_curve: + dashed_name: x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + order: 10 + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword +x509.public_key_exponent: + dashed_name: x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + flat_name: x509.public_key_exponent + level: extended + name: public_key_exponent + normalize: [] + order: 9 + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +x509.public_key_size: + dashed_name: x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: x509.public_key_size + level: extended + name: public_key_size + normalize: [] + order: 8 + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +x509.serial_number: + dashed_name: x509-serial-number + description: Unique serial number issued by the certificate authority. + example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + flat_name: x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + order: 1 + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. 
+ type: keyword +x509.signature_algorithm: + dashed_name: x509-signature-algorithm + description: Identifier for certificate signature algorithm. Recommend using names + found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + example: SHA256-RSA + flat_name: x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + order: 3 + original_fieldset: x509 + short: Identifier for certificate signature algorithm. Recommend using names found + in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + type: keyword +x509.subject: + dashed_name: x509-subject + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: x509.subject + ignore_above: 1024 + level: extended + name: subject + normalize: [] + order: 6 + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword +x509.version_number: + dashed_name: x509-version-number + description: Version of x509 format. + example: 3 + flat_name: x509.version_number + level: extended + name: version_number + normalize: [] + order: 0 + original_fieldset: x509 + short: Version of x509 format. + type: long diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 4a265b9433..6822aeb2a7 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -3293,12 +3293,172 @@ file: order: 10 short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword + x509.alternative_names: + dashed_name: file-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: file.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: [] + order: 11 + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + type: keyword + x509.issuer: + dashed_name: file-x509-issuer + description: Distinguished name (DN) of issuing certificate authority. + example: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3 + flat_name: file.x509.issuer + ignore_above: 1024 + level: extended + name: issuer + normalize: [] + order: 2 + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword + x509.not_after: + dashed_name: file-x509-not-after + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: file.x509.not_after + level: extended + name: not_after + normalize: [] + order: 5 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + x509.not_before: + dashed_name: file-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: file.x509.not_before + level: extended + name: not_before + normalize: [] + order: 4 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. 
+ type: date + x509.public_key_algorithm: + dashed_name: file-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA, ECDSA + flat_name: file.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + order: 7 + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword + x509.public_key_curve: + dashed_name: file-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: file.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + order: 10 + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword + x509.public_key_exponent: + dashed_name: file-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + flat_name: file.x509.public_key_exponent + level: extended + name: public_key_exponent + normalize: [] + order: 9 + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long + x509.public_key_size: + dashed_name: file-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: file.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + order: 8 + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + x509.serial_number: + dashed_name: file-x509-serial-number + description: Unique serial number issued by the certificate authority. 
+ example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + flat_name: file.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + order: 1 + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword + x509.signature_algorithm: + dashed_name: file-x509-signature-algorithm + description: Identifier for certificate signature algorithm. Recommend using + names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + example: SHA256-RSA + flat_name: file.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + order: 3 + original_fieldset: x509 + short: Identifier for certificate signature algorithm. Recommend using names + found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + type: keyword + x509.subject: + dashed_name: file-x509-subject + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: file.x509.subject + ignore_above: 1024 + level: extended + name: subject + normalize: [] + order: 6 + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword + x509.version_number: + dashed_name: file-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: file.x509.version_number + level: extended + name: version_number + normalize: [] + order: 0 + original_fieldset: x509 + short: Version of x509 format. + type: long group: 2 name: file nestings: - code_signature - hash - pe + - x509 prefix: file. short: Fields describing files. title: File 
@@ -9135,3 +9295,163 @@ vulnerability: short: Fields to describe the vulnerability relevant to an event. title: Vulnerability type: group +x509: + description: These fields contain x509 certificate metadata. + fields: + alternative_names: + dashed_name: x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: [] + order: 11 + short: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + type: keyword + issuer: + dashed_name: x509-issuer + description: Distinguished name (DN) of issuing certificate authority. + example: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3 + flat_name: x509.issuer + ignore_above: 1024 + level: extended + name: issuer + normalize: [] + order: 2 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword + not_after: + dashed_name: x509-not-after + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: x509.not_after + level: extended + name: not_after + normalize: [] + order: 5 + short: Time at which the certificate is first considered valid. + type: date + not_before: + dashed_name: x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: x509.not_before + level: extended + name: not_before + normalize: [] + order: 4 + short: Time at which the certificate is first considered valid. + type: date + public_key_algorithm: + dashed_name: x509-public-key-algorithm + description: Algorithm used to generate the public key. 
+ example: RSA, ECDSA + flat_name: x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + order: 7 + short: Algorithm used to generate the public key. + type: keyword + public_key_curve: + dashed_name: x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + order: 10 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword + public_key_exponent: + dashed_name: x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + flat_name: x509.public_key_exponent + level: extended + name: public_key_exponent + normalize: [] + order: 9 + short: Exponent used to derive the public key. This is algorithm specific. + type: long + public_key_size: + dashed_name: x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: x509.public_key_size + level: extended + name: public_key_size + normalize: [] + order: 8 + short: The size of the public key space in bits. + type: long + serial_number: + dashed_name: x509-serial-number + description: Unique serial number issued by the certificate authority. + example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + flat_name: x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + order: 1 + short: Unique serial number issued by the certificate authority. + type: keyword + signature_algorithm: + dashed_name: x509-signature-algorithm + description: Identifier for certificate signature algorithm. Recommend using + names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). 
+ example: SHA256-RSA + flat_name: x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + order: 3 + short: Identifier for certificate signature algorithm. Recommend using names + found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + type: keyword + subject: + dashed_name: x509-subject + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: x509.subject + ignore_above: 1024 + level: extended + name: subject + normalize: [] + order: 6 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword + version_number: + dashed_name: x509-version-number + description: Version of x509 format. + example: 3 + flat_name: x509.version_number + level: extended + name: version_number + normalize: [] + order: 0 + short: Version of x509 format. + type: long + group: 2 + name: x509 + prefix: x509. + reusable: + expected: + - file + top_level: false + short: These fields contain x509 certificate metadata. + title: x509 Certificate information + type: group diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 0691d11a79..8ca6bb7d69 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -926,6 +926,53 @@ "uid": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_number": { + "type": "long" + } + } } } }, @@ -2965,6 +3012,53 @@ "type": "keyword" } } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_number": { + "type": "long" + } + } } } } diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index c12cc8fe78..feedb45d4c 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -925,6 +925,53 @@ "uid": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_number": { + "type": "long" + } + } } } }, @@ -2964,6 +3011,53 @@ "type": "keyword" } } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_number": { + "type": "long" + } + } } } }, diff --git a/schemas/x509.yml b/schemas/x509.yml new file mode 100644 index 0000000000..feb33829f6 --- /dev/null +++ b/schemas/x509.yml 
@@ -0,0 +1,82 @@
+---
+- name: x509
+ title: x509 Certificate information
+ group: 2
+ description: These fields contain x509 certificate metadata.
+ type: group
+ reusable:
+ top_level: false
+ expected:
+ - file
+ fields:
+ - name: version_number
+ level: extended
+ type: long
+ description: Version of x509 format.
+ example: 3
+
+ - name: serial_number
+ level: extended
+ type: keyword
+ description: Unique serial number issued by the certificate authority.
+ example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa
+
+ - name: issuer
+ level: extended
+ type: keyword
+ description: Distinguished name (DN) of issuing certificate authority.
+ example: C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3
+
+ - name: signature_algorithm
+ level: extended
+ type: keyword
+ description: Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go).
+ example: SHA256-RSA
+
+ - name: not_before
+ level: extended
+ type: date
+ description: Time at which the certificate is first considered valid.
+ example: 2019-08-16T01:40:25Z
+
+ - name: not_after
+ level: extended
+ type: date
+ description: Time at which the certificate is first considered valid.
+ example: 2020-07-16T03:15:39Z
+
+ - name: subject
+ level: extended
+ type: keyword
+ description: Distinguished name (DN) of the certificate subject entity.
+ example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net
+
+ - name: public_key_algorithm
+ level: extended
+ type: keyword
+ description: Algorithm used to generate the public key.
+ example: RSA, ECDSA
+
+ - name: public_key_size
+ level: extended
+ type: long
+ description: The size of the public key space in bits.
+ example: 2048
+
+ - name: public_key_exponent
+ level: extended
+ type: long
+ description: Exponent used to derive the public key. This is algorithm specific.
+ example: 65537
+
+ - name: public_key_curve
+ level: extended
+ type: keyword
+ description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+ example: nistp521
+
+ - name: alternative_names
+ level: extended
+ type: keyword
+ description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+ example: "*.elastic.co"
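Review bot: The `not_after` description is a copy of `not_before`'s (`Time at which the certificate is first considered valid.`), so the field documents the wrong end of the validity window; change it to `description: Time at which the certificate is no longer considered valid.` The generated ecs_nested.yml hunk above repeats the same text, so the generated outputs need regenerating after the fix rather than hand-editing. `alternative_names` is described as a list of SANs but the schema does not declare it as multi-valued; ECS uses `normalize:` with `- array` for that, which is what tells readers and tooling to expect several values per document. The `public_key_algorithm` example `RSA, ECDSA` reads as a single comma-containing value for a keyword field; one example such as `RSA` is clearer.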