From 149a4cc023462acc25c49ae94ad921a813b99ee4 Mon Sep 17 00:00:00 2001
From: Thijs Xhaflaire
Date: Wed, 11 Sep 2024 23:28:06 +0200
Subject: [PATCH 1/3] [RFC] Stage 2: Adding Apple Platform specific fields (#2370)

Updating the RFC and moving it to stage two.
---
 docs/fields/field-details.asciidoc | 64 +++++
 experimental/generated/beats/fields.ecs.yml | 100 ++++++++
 experimental/generated/csv/fields.csv | 14 ++
 experimental/generated/ecs/ecs_flat.yml | 183 +++++++++++++++
 experimental/generated/ecs/ecs_nested.yml | 219 ++++++++++++++++++
 .../composable/component/device.json | 4 +
 .../composable/component/dll.json | 7 +
 .../composable/component/email.json | 4 +
 .../composable/component/file.json | 7 +
 .../composable/component/process.json | 14 ++
 .../composable/component/threat.json | 14 ++
 .../elasticsearch/legacy/template.json | 50 ++++
 generated/beats/fields.ecs.yml | 100 ++++++++
 generated/csv/fields.csv | 14 ++
 generated/ecs/ecs_flat.yml | 183 +++++++++++++++
 generated/ecs/ecs_nested.yml | 219 ++++++++++++++++++
 .../composable/component/device.json | 4 +
 .../composable/component/dll.json | 7 +
 .../composable/component/email.json | 4 +
 .../composable/component/file.json | 7 +
 .../composable/component/process.json | 14 ++
 .../composable/component/threat.json | 14 ++
 generated/elasticsearch/legacy/template.json | 50 ++++
 ...0044-add-apple-platform-specific-fields.md | 24 +-
 schemas/code_signature.yml | 9 +
 schemas/device.yml | 10 +-
 schemas/hash.yml | 8 +
 schemas/process.yml | 20 ++
 28 files changed, 1363 insertions(+), 4 deletions(-)
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
index 31273d8c4b..4d7f9f959b 100644
--- a/docs/fields/field-details.asciidoc
+++ b/docs/fields/field-details.asciidoc
@@ -865,6 +865,24 @@ example: `true`
 
 // ===============================================================
 
+|
+[[field-code-signature-flags]]
+<>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The flags used to sign the process.
+
+type: string
+
+
+
+example: `570522385`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-code-signature-signing-id]]
 <>
@@ -1693,6 +1711,24 @@ example: `Samsung Galaxy S6`
 
 // ===============================================================
 
+|
+[[field-device-serial-number]]
+<>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The unique serial number serves as a distinct identifier for each device, aiding in inventory management and device authentication.
+
+type: keyword
+
+
+
+example: `DJGAQS4CW5`
+
+| core
+
+// ===============================================================
+
 |=====
 
 
@@ -4811,6 +4847,24 @@ Note that this fieldset is used for common hashes that may be computed over a ra
 
 // ===============================================================
 
+|
+[[field-hash-cdhash]]
+<>
+
+a| beta:[ This field is beta and subject to change. ]
+
+Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code.
+
+type: keyword
+
+
+
+example: `3783b4052fd474dbe30676b45c329e7a6d44acd9`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-hash-md5]]
 <>
@@ -8685,6 +8739,8 @@ The `process` fields are expected to be nested at:
 
 * `process.previous`
 
+* `process.responsible`
+
 * `process.session_leader`
 
 * `process.session_leader.parent`
@@ -8839,6 +8895,14 @@ Note: this reuse should contain an array of process field set objects.
 
 // ===============================================================
 
+| `process.responsible.*`
+| <>| beta:[ This field is beta and subject to change.]
+
+Responsible process in macOS tracks the originating process of an app, key for understanding permissions and hierarchy.
+
+// ===============================================================
+
+
 | `process.saved_group.*`
 | <>
 | The saved group (sgid).
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index bc95a6db22..f39b2c42e0 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1227,6 +1227,14 @@
 description: The human readable marketing name of the device model.
 example: Samsung Galaxy S6
 default_field: false
+ - name: serial_number
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: The unique serial number serves as a distinct identifier for each
+ device, aiding in inventory management and device authentication.
+ example: DJGAQS4CW5
+ default_field: false
 - name: dll
 title: DLL
 group: 2
@@ -1261,6 +1269,12 @@
 description: Boolean to capture if a signature is present.
 example: 'true'
 default_field: false
+ - name: code_signature.flags
+ level: extended
+ type: string
+ description: The flags used to sign the process.
+ example: 570522385
+ default_field: false
 - name: code_signature.signing_id
 level: extended
 type: keyword
@@ -1323,6 +1337,14 @@
 Leave unpopulated if a certificate was unchecked.'
 example: 'true'
 default_field: false
+ - name: hash.cdhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ default_field: false
 - name: hash.md5
 level: extended
 type: keyword
@@ -1760,6 +1782,14 @@
 description: Attachment file extension, excluding the leading dot.
 example: txt
 default_field: false
+ - name: attachments.file.hash.cdhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ default_field: false
 - name: attachments.file.hash.md5
 level: extended
 type: keyword
@@ -2405,6 +2435,12 @@
 description: Boolean to capture if a signature is present.
 example: 'true'
 default_field: false
+ - name: code_signature.flags
+ level: extended
+ type: string
+ description: The flags used to sign the process.
+ example: 570522385
+ default_field: false
 - name: code_signature.signing_id
 level: extended
 type: keyword
@@ -2789,6 +2825,14 @@
 ignore_above: 1024
 description: Primary group name of the file.
 example: alice
+ - name: hash.cdhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ default_field: false
 - name: hash.md5
 level: extended
 type: keyword
@@ -4745,6 +4789,12 @@
 description: Boolean to capture if a signature is present.
 example: 'true'
 default_field: false
+ - name: code_signature.flags
+ level: extended
+ type: string
+ description: The flags used to sign the process.
+ example: 570522385
+ default_field: false
 - name: code_signature.signing_id
 level: extended
 type: keyword
@@ -5774,6 +5824,14 @@
 description: The working directory of the process.
 example: /home/alice
 default_field: false
+ - name: hash.cdhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ default_field: false
 - name: hash.md5
 level: extended
 type: keyword
@@ -6055,6 +6113,12 @@
 description: Boolean to capture if a signature is present.
 example: 'true'
 default_field: false
+ - name: parent.code_signature.flags
+ level: extended
+ type: string
+ description: The flags used to sign the process.
+ example: 570522385
+ default_field: false
 - name: parent.code_signature.signing_id
 level: extended
 type: keyword
@@ -6466,6 +6530,14 @@
 the process exists within.'
 example: 4242
 default_field: false
+ - name: parent.hash.cdhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ default_field: false
 - name: parent.hash.md5
 level: extended
 type: keyword
@@ -9101,6 +9173,12 @@
 description: Boolean to capture if a signature is present.
 example: 'true'
 default_field: false
+ - name: enrichments.indicator.file.code_signature.flags
+ level: extended
+ type: string
+ description: The flags used to sign the process.
+ example: 570522385
+ default_field: false
 - name: enrichments.indicator.file.code_signature.signing_id
 level: extended
 type: keyword
@@ -9492,6 +9570,14 @@
 description: Primary group name of the file.
 example: alice
 default_field: false
+ - name: enrichments.indicator.file.hash.cdhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ default_field: false
 - name: enrichments.indicator.file.hash.md5
 level: extended
 type: keyword
@@ -10708,6 +10794,12 @@
 description: Boolean to capture if a signature is present.
 example: 'true'
 default_field: false
+ - name: indicator.file.code_signature.flags
+ level: extended
+ type: string
+ description: The flags used to sign the process.
+ example: 570522385
+ default_field: false
 - name: indicator.file.code_signature.signing_id
 level: extended
 type: keyword
@@ -11099,6 +11191,14 @@
 description: Primary group name of the file.
 example: alice
 default_field: false
+ - name: indicator.file.hash.cdhash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ default_field: false
 - name: indicator.file.hash.md5
 level: extended
 type: keyword
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 292ac5f917..85f24dce13 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -146,8 +146,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer.
 8.12.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model.
 8.12.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model.
+8.12.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device
 8.12.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.12.0-dev+exp,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -155,6 +157,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
 8.12.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 8.12.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.12.0-dev+exp,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
@@ -208,6 +211,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 8.12.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 8.12.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
+8.12.0-dev+exp,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash.
@@ -276,6 +280,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 8.12.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.12.0-dev+exp,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -330,6 +335,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.12.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.12.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+8.12.0-dev+exp,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
@@ -587,6 +593,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
 8.12.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.12.0-dev+exp,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -728,6 +735,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id.
 8.12.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process.
 8.12.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
+8.12.0-dev+exp,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
@@ -767,6 +775,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
 8.12.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.12.0-dev+exp,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -825,6 +834,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id.
 8.12.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
 8.12.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id.
+8.12.0-dev+exp,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
@@ -1152,6 +1162,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -1206,6 +1217,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash.
@@ -1369,6 +1381,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -1423,6 +1436,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.12.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.12.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+8.12.0-dev+exp,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 02b972886f..131fbdeb3e 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1759,6 +1759,19 @@ device.model.name:
 normalize: []
 short: The human readable marketing name of the device model.
 type: keyword
+device.serial_number:
+ beta: This field is beta and subject to change.
+ dashed_name: device-serial-number
+ description: The unique serial number serves as a distinct identifier for each device,
+ aiding in inventory management and device authentication.
+ example: DJGAQS4CW5
+ flat_name: device.serial_number
+ ignore_above: 1024
+ level: core
+ name: serial_number
+ normalize: []
+ short: Serial Number of the device
+ type: keyword
 dll.code_signature.digest_algorithm:
 dashed_name: dll-code-signature-digest-algorithm
 description: 'The hashing algorithm used to sign the process.
@@ -1785,6 +1798,18 @@ dll.code_signature.exists:
 original_fieldset: code_signature
 short: Boolean to capture if a signature is present.
 type: boolean
+dll.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: dll-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: dll.code_signature.flags
+ level: extended
+ name: flags
+ normalize: []
+ original_fieldset: code_signature
+ short: Code signing flags of the process
+ type: string
 dll.code_signature.signing_id:
 dashed_name: dll-code-signature-signing-id
 description: 'The identifier used to sign the process.
@@ -1883,6 +1908,20 @@ dll.code_signature.valid:
 short: Boolean to capture if the digital signature is verified against the binary
 content.
 type: boolean
+dll.hash.cdhash:
+ beta: This field is beta and subject to change.
+ dashed_name: dll-hash-cdhash
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ flat_name: dll.hash.cdhash
+ ignore_above: 1024
+ level: extended
+ name: cdhash
+ normalize: []
+ original_fieldset: hash
+ short: The Code Directory (CD) hash of an executable.
+ type: keyword
 dll.hash.md5:
 dashed_name: dll-hash-md5
 description: MD5 hash.
@@ -2566,6 +2605,20 @@ email.attachments.file.extension:
 normalize: []
 short: Attachment file extension.
 type: keyword
+email.attachments.file.hash.cdhash:
+ beta: This field is beta and subject to change.
+ dashed_name: email-attachments-file-hash-cdhash
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ flat_name: email.attachments.file.hash.cdhash
+ ignore_above: 1024
+ level: extended
+ name: cdhash
+ normalize: []
+ original_fieldset: hash
+ short: The Code Directory (CD) hash of an executable.
+ type: keyword
 email.attachments.file.hash.md5:
 dashed_name: email-attachments-file-hash-md5
 description: MD5 hash.
@@ -3896,6 +3949,18 @@ file.code_signature.exists:
 original_fieldset: code_signature
 short: Boolean to capture if a signature is present.
 type: boolean
+file.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: file-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: file.code_signature.flags
+ level: extended
+ name: flags
+ normalize: []
+ original_fieldset: code_signature
+ short: Code signing flags of the process
+ type: string
 file.code_signature.signing_id:
 dashed_name: file-code-signature-signing-id
 description: 'The identifier used to sign the process.
@@ -4555,6 +4620,20 @@ file.group:
 normalize: []
 short: Primary group name of the file.
 type: keyword
+file.hash.cdhash:
+ beta: This field is beta and subject to change.
+ dashed_name: file-hash-cdhash
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ flat_name: file.hash.cdhash
+ ignore_above: 1024
+ level: extended
+ name: cdhash
+ normalize: []
+ original_fieldset: hash
+ short: The Code Directory (CD) hash of an executable.
+ type: keyword
 file.hash.md5:
 dashed_name: file-hash-md5
 description: MD5 hash.
@@ -7700,6 +7779,18 @@ process.code_signature.exists:
 original_fieldset: code_signature
 short: Boolean to capture if a signature is present.
 type: boolean
+process.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: process-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: process.code_signature.flags
+ level: extended
+ name: flags
+ normalize: []
+ original_fieldset: code_signature
+ short: Code signing flags of the process
+ type: string
 process.code_signature.signing_id:
 dashed_name: process-code-signature-signing-id
 description: 'The identifier used to sign the process.
@@ -9372,6 +9463,20 @@ process.group_leader.working_directory:
 original_fieldset: process
 short: The working directory of the process.
 type: keyword
+process.hash.cdhash:
+ beta: This field is beta and subject to change.
+ dashed_name: process-hash-cdhash
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ flat_name: process.hash.cdhash
+ ignore_above: 1024
+ level: extended
+ name: cdhash
+ normalize: []
+ original_fieldset: hash
+ short: The Code Directory (CD) hash of an executable.
+ type: keyword
 process.hash.md5:
 dashed_name: process-hash-md5
 description: MD5 hash.
@@ -9843,6 +9948,18 @@ process.parent.code_signature.exists:
 original_fieldset: code_signature
 short: Boolean to capture if a signature is present.
 type: boolean
+process.parent.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: process.parent.code_signature.flags
+ level: extended
+ name: flags
+ normalize: []
+ original_fieldset: code_signature
+ short: Code signing flags of the process
+ type: string
 process.parent.code_signature.signing_id:
 dashed_name: process-parent-code-signature-signing-id
 description: 'The identifier used to sign the process.
@@ -10543,6 +10660,20 @@ process.parent.group_leader.vpid:
 original_fieldset: process
 short: Virtual process id.
 type: long
+process.parent.hash.cdhash:
+ beta: This field is beta and subject to change.
+ dashed_name: process-parent-hash-cdhash
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ flat_name: process.parent.hash.cdhash
+ ignore_above: 1024
+ level: extended
+ name: cdhash
+ normalize: []
+ original_fieldset: hash
+ short: The Code Directory (CD) hash of an executable.
+ type: keyword
 process.parent.hash.md5:
 dashed_name: process-parent-hash-md5
 description: MD5 hash.
@@ -14643,6 +14774,18 @@ threat.enrichments.indicator.file.code_signature.exists:
 original_fieldset: code_signature
 short: Boolean to capture if a signature is present.
 type: boolean
+threat.enrichments.indicator.file.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-file-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: threat.enrichments.indicator.file.code_signature.flags
+ level: extended
+ name: flags
+ normalize: []
+ original_fieldset: code_signature
+ short: Code signing flags of the process
+ type: string
 threat.enrichments.indicator.file.code_signature.signing_id:
 dashed_name: threat-enrichments-indicator-file-code-signature-signing-id
 description: 'The identifier used to sign the process.
@@ -15311,6 +15454,20 @@ threat.enrichments.indicator.file.group:
 original_fieldset: file
 short: Primary group name of the file.
 type: keyword
+threat.enrichments.indicator.file.hash.cdhash:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-file-hash-cdhash
+ description: Code directory hash, utilized to uniquely identify and authenticate
+ the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ flat_name: threat.enrichments.indicator.file.hash.cdhash
+ ignore_above: 1024
+ level: extended
+ name: cdhash
+ normalize: []
+ original_fieldset: hash
+ short: The Code Directory (CD) hash of an executable.
+ type: keyword
 threat.enrichments.indicator.file.hash.md5:
 dashed_name: threat-enrichments-indicator-file-hash-md5
 description: MD5 hash.
@@ -17353,6 +17510,18 @@ threat.indicator.file.code_signature.exists:
 original_fieldset: code_signature
 short: Boolean to capture if a signature is present.
 type: boolean
+threat.indicator.file.code_signature.flags:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-indicator-file-code-signature-flags
+ description: The flags used to sign the process.
+ example: 570522385
+ flat_name: threat.indicator.file.code_signature.flags
+ level: extended
+ name: flags
+ normalize: []
+ original_fieldset: code_signature
+ short: Code signing flags of the process
+ type: string
 threat.indicator.file.code_signature.signing_id:
 dashed_name: threat-indicator-file-code-signature-signing-id
 description: 'The identifier used to sign the process.
@@ -18021,6 +18190,20 @@ threat.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f600ab293a..c7bb8e8af7 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1320,6 +1320,17 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: code_signature.flags + level: extended + name: flags + normalize: [] + short: Code signing flags of the process + type: string code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. 
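Review bot: `type: string` on the new `code_signature.flags` entry is not a mapping type the generated Elasticsearch templates can use — the `string` field type was removed in Elasticsearch 6.0 in favour of `keyword`/`text` — so the `"flags": { "type": "string" }` blocks this hunk propagates into the composable component templates (dll.json, file.json, process.json, threat.json) and the legacy template further down would be rejected when the templates are installed. Every sibling field in the code_signature fieldset is `keyword`; the fix belongs in schemas/code_signature.yml so the generator carries it everywhere: `type: keyword` plus `ignore_above: 1024`, or `type: long` if the value is meant to be the numeric bitmask the example `570522385` suggests. The same `type: string` also appears in the ecs_flat.yml hunks above and in the beats fields.ecs.yml and fields.csv hunks below. As a smaller style point, the new `short` texts ("Code signing flags of the process", "Serial Number of the device") are the only ones in these files without a terminating period.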
@@ -2211,6 +2222,19 @@ device: normalize: [] short: The human readable marketing name of the device model. type: keyword + device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword group: 2 name: device prefix: device. @@ -2258,6 +2282,18 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -2356,6 +2392,20 @@ dll: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean + dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. 
@@ -3518,6 +3568,20 @@ email: normalize: [] short: Attachment file extension. type: keyword + email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. @@ -4929,6 +4993,18 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -5589,6 +5665,20 @@ file: normalize: [] short: Primary group name of the file. type: keyword + file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. 
@@ -6886,6 +6976,19 @@ hash: range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).' fields: + hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + short: The Code Directory (CD) hash of an executable. + type: keyword hash.md5: dashed_name: hash-md5 description: MD5 hash. @@ -9909,6 +10012,18 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -11582,6 +11697,20 @@ process: original_fieldset: process short: The working directory of the process. type: keyword + process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. @@ -12057,6 +12186,18 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -12758,6 +12899,20 @@ process: original_fieldset: process short: Virtual process id. type: long + process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -14947,6 +15102,7 @@ process: - process.previous - process.real_group - process.real_user + - process.responsible - process.saved_group - process.saved_user - process.session_leader @@ -15008,6 +15164,12 @@ process: - array short_override: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - as: responsible + at: process + beta: This field is beta and subject to change. + full: process.responsible + short_override: Responsible process in macOS tracks the originating process + of an app, key for understanding permissions and hierarchy. top_level: true reused_here: - full: process.group @@ -15105,6 +15267,11 @@ process: schema_name: process short: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - beta: This field is beta and subject to change. + full: process.responsible + schema_name: process + short: Responsible process in macOS tracks the originating process of an app, + key for understanding permissions and hierarchy. short: These fields contain information about a process. title: Process type: group 
@@ -17307,6 +17474,18 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17976,6 +18155,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. 
@@ -20023,6 +20216,18 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -20692,6 +20897,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/experimental/generated/elasticsearch/composable/component/device.json b/experimental/generated/elasticsearch/composable/component/device.json index cf66d72b06..215d046175 100644 --- a/experimental/generated/elasticsearch/composable/component/device.json +++ b/experimental/generated/elasticsearch/composable/component/device.json @@ -27,6 +27,10 @@ "type": "keyword" } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } } } 
diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json
index 2de113a6ea..55e2246263 100644
--- a/experimental/generated/elasticsearch/composable/component/dll.json
+++ b/experimental/generated/elasticsearch/composable/component/dll.json
@@ -17,6 +17,9 @@
 "exists": {
 "type": "boolean"
 },
+"flags": {
+"type": "string"
+},
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -46,6 +49,10 @@
 },
 "hash": {
 "properties": {
+"cdhash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/experimental/generated/elasticsearch/composable/component/email.json b/experimental/generated/elasticsearch/composable/component/email.json
index 83863c9c0c..5de733e5f7 100644
--- a/experimental/generated/elasticsearch/composable/component/email.json
+++ b/experimental/generated/elasticsearch/composable/component/email.json
@@ -18,6 +18,10 @@
 },
 "hash": {
 "properties": {
+"cdhash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json
index a04643e7d9..adb9d1d8ec 100644
--- a/experimental/generated/elasticsearch/composable/component/file.json
+++ b/experimental/generated/elasticsearch/composable/component/file.json
@@ -24,6 +24,9 @@
 "exists": {
 "type": "boolean"
 },
+"flags": {
+"type": "string"
+},
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -233,6 +236,10 @@
 },
 "hash": {
 "properties": {
+"cdhash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json
index f4dd52c1ce..de0be5f249 100644
--- a/experimental/generated/elasticsearch/composable/component/process.json
+++ b/experimental/generated/elasticsearch/composable/component/process.json
@@ -24,6 +24,9 @@
 "exists": {
 "type": "boolean"
 },
+"flags": {
+"type": "string"
+},
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -674,6 +677,10 @@
 },
 "hash": {
 "properties": {
+"cdhash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -824,6 +831,9 @@
 "exists": {
 "type": "boolean"
 },
+"flags": {
+"type": "string"
+},
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1055,6 +1065,10 @@
 },
 "hash": {
 "properties": {
+"cdhash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json
index 7f002d5bb7..cdcbbd7ae6 100644
--- a/experimental/generated/elasticsearch/composable/component/threat.json
+++ b/experimental/generated/elasticsearch/composable/component/threat.json
@@ -66,6 +66,9 @@
 "exists": {
 "type": "boolean"
 },
+"flags": {
+"type": "string"
+},
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -275,6 +278,10 @@
 },
 "hash": {
 "properties": {
+"cdhash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -987,6 +994,9 @@
 "exists": {
 "type": "boolean"
 },
+"flags": {
+"type": "string"
+},
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1196,6 +1206,10 @@
 },
 "hash": {
 "properties": {
+"cdhash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json
index 18386e190c..6b9172fe34 100644
--- a/experimental/generated/elasticsearch/legacy/template.json
+++ b/experimental/generated/elasticsearch/legacy/template.json
@@ -782,6 +782,10 @@
 "type": "keyword"
 }
 }
+},
+"serial_number": {
+"ignore_above": 1024,
+"type": "keyword"
 }
 }
 },
@@ -796,6 +800,9 @@
 "exists": {
 "type": "boolean"
 },
+"flags": {
+"type": "string"
+},
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -825,6 +832,10 @@
 },
 "hash": {
 "properties": {
+"cdhash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1050,6 +1061,10 @@
 },
 "hash": {
 "properties": {
+"cdhash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1360,6 +1375,9 @@
 "exists": {
 "type": "boolean"
 },
+"flags": {
+"type": "string"
+},
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -1569,6 +1587,10 @@
 },
 "hash": {
 "properties": {
+"cdhash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -2745,6 +2767,9 @@
 "exists": {
 "type": "boolean"
 },
+"flags": {
+"type": "string"
+},
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -3395,6 +3420,10 @@
 },
 "hash": {
 "properties": {
+"cdhash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -3545,6 +3574,9 @@
 "exists": {
 "type": "boolean"
 },
+"flags": {
+"type": "string"
+},
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -3776,6 +3808,10 @@
 },
 "hash": {
 "properties": {
+"cdhash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -5283,6 +5319,9 @@
 "exists": {
 "type": "boolean"
 },
+"flags": {
+"type": "string"
+},
 "signing_id": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -5492,6 +5531,10 @@
 },
 "hash": {
 "properties": {
+"cdhash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
 "md5": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -6204,6 +6247,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -6413,6 +6459,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index fa0007884b..bbe911f6ce 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1177,6 +1177,14 @@ description: The human readable marketing name of the device model. example: Samsung Galaxy S6 default_field: false + - name: serial_number + level: core + type: keyword + ignore_above: 1024 + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + default_field: false - name: dll title: DLL group: 2 @@ -1211,6 +1219,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -1273,6 +1287,14 @@ Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword 
@@ -1710,6 +1732,14 @@ description: Attachment file extension, excluding the leading dot. example: txt default_field: false + - name: attachments.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: attachments.file.hash.md5 level: extended type: keyword @@ -2355,6 +2385,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -2739,6 +2775,14 @@ ignore_above: 1024 description: Primary group name of the file. example: alice + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -4695,6 +4739,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword 
@@ -5724,6 +5774,14 @@ description: The working directory of the process. example: /home/alice default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -6005,6 +6063,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: parent.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: parent.code_signature.signing_id level: extended type: keyword @@ -6416,6 +6480,14 @@ the process exists within.' example: 4242 default_field: false + - name: parent.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: parent.hash.md5 level: extended type: keyword @@ -9051,6 +9123,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: enrichments.indicator.file.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: enrichments.indicator.file.code_signature.signing_id level: extended type: keyword 
@@ -9442,6 +9520,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: enrichments.indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: enrichments.indicator.file.hash.md5 level: extended type: keyword @@ -10658,6 +10744,12 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: indicator.file.code_signature.flags + level: extended + type: string + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: indicator.file.code_signature.signing_id level: extended type: keyword @@ -11049,6 +11141,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: indicator.file.hash.md5 level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c31a8de31c..a7210ad73b 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -139,8 +139,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer.
 8.12.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model.
 8.12.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model.
+8.12.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device
 8.12.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.12.0-dev,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process
 8.12.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -148,6 +150,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
 8.12.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 8.12.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.12.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
@@ -201,6 +204,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to.
 8.12.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments.
 8.12.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension.
+8.12.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash.
@@ -269,6 +273,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 8.12.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.12.0-dev,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
 8.12.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -323,6 +328,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.12.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.12.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file.
+8.12.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash.
@@ -580,6 +586,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array.
 8.12.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.12.0-dev,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process
 8.12.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -721,6 +728,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id.
 8.12.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process.
 8.12.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
+8.12.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash.
@@ -760,6 +768,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
 8.12.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.12.0-dev,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process
 8.12.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -818,6 +827,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id.
 8.12.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
 8.12.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id.
+8.12.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
@@ -1145,6 +1155,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -1199,6 +1210,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.12.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.12.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash.
@@ -1362,6 +1374,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 8.12.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.12.0-dev,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
 8.12.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -1416,6 +1429,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object.
 8.12.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
 8.12.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+8.12.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable.
 8.12.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash.
 8.12.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash.
 8.12.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2022bddaf4..28f3e7d65c 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1690,6 +1690,19 @@ device.model.name: normalize: [] short: The human readable marketing name of the device model. type: keyword +device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each device, + aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword dll.code_signature.digest_algorithm: dashed_name: dll-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. @@ -1716,6 +1729,18 @@ dll.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -1814,6 +1839,20 @@ dll.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean +dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. @@ -2497,6 +2536,20 @@ email.attachments.file.extension: normalize: [] short: Attachment file extension. type: keyword +email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. 
@@ -3827,6 +3880,18 @@ file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -4486,6 +4551,20 @@ file.group: normalize: [] short: Primary group name of the file. type: keyword +file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. @@ -7631,6 +7710,18 @@ process.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -9303,6 +9394,20 @@ process.group_leader.working_directory: original_fieldset: process short: The working directory of the process. type: keyword +process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. @@ -9774,6 +9879,18 @@ process.parent.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -10474,6 +10591,20 @@ process.parent.group_leader.vpid: original_fieldset: process short: Virtual process id. type: long +process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -14574,6 +14705,18 @@ threat.enrichments.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -15242,6 +15385,20 @@ threat.enrichments.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. @@ -17284,6 +17441,18 @@ threat.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -17952,6 +18121,20 @@ threat.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 8057eeed15..fe512c7afd 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1240,6 +1240,17 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: code_signature.flags + level: extended + name: flags + normalize: [] + short: Code signing flags of the process + type: string code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -2131,6 +2142,19 @@ device: normalize: [] short: The human readable marketing name of the device model. type: keyword + device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword group: 2 name: device prefix: device. @@ -2178,6 +2202,18 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -2276,6 +2312,20 @@ dll: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean + dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. 
@@ -3438,6 +3488,20 @@ email: normalize: [] short: Attachment file extension. type: keyword + email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. @@ -4849,6 +4913,18 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -5509,6 +5585,20 @@ file: normalize: [] short: Primary group name of the file. type: keyword + file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. 
@@ -6806,6 +6896,19 @@ hash: range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).' fields: + hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + short: The Code Directory (CD) hash of an executable. + type: keyword hash.md5: dashed_name: hash-md5 description: MD5 hash. @@ -9829,6 +9932,18 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -11502,6 +11617,20 @@ process: original_fieldset: process short: The working directory of the process. type: keyword + process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. @@ -11977,6 +12106,18 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -12678,6 +12819,20 @@ process: original_fieldset: process short: Virtual process id. type: long + process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -14867,6 +15022,7 @@ process: - process.previous - process.real_group - process.real_user + - process.responsible - process.saved_group - process.saved_user - process.session_leader @@ -14928,6 +15084,12 @@ process: - array short_override: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - as: responsible + at: process + beta: This field is beta and subject to change. + full: process.responsible + short_override: Responsible process in macOS tracks the originating process + of an app, key for understanding permissions and hierarchy. top_level: true reused_here: - full: process.group @@ -15025,6 +15187,11 @@ process: schema_name: process short: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - beta: This field is beta and subject to change. + full: process.responsible + schema_name: process + short: Responsible process in macOS tracks the originating process of an app, + key for understanding permissions and hierarchy. short: These fields contain information about a process. title: Process type: group 
@@ -17227,6 +17394,18 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17896,6 +18075,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. 
@@ -19943,6 +20136,18 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: string threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -20612,6 +20817,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/generated/elasticsearch/composable/component/device.json b/generated/elasticsearch/composable/component/device.json index e03f268c86..741cf82323 100644 --- a/generated/elasticsearch/composable/component/device.json +++ b/generated/elasticsearch/composable/component/device.json @@ -27,6 +27,10 @@ "type": "keyword" } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } } } 
diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index d3561dd742..b5f52995c5 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -17,6 +17,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -46,6 +49,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/email.json b/generated/elasticsearch/composable/component/email.json index 94e8c70084..4046e33558 100644 --- a/generated/elasticsearch/composable/component/email.json +++ b/generated/elasticsearch/composable/component/email.json @@ -18,6 +18,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index d055adf323..cc12f10be1 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -24,6 +24,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -233,6 +236,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 6cc1382d11..610ff74848 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json 
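Review bot: The added `"flags": { "type": "string" }` in the dll.json code_signature mapping is not a valid Elasticsearch field type — `string` was retired in favour of `keyword`/`text` in the 6.x line — so this component template, and the identical additions in file.json, process.json, threat.json and the legacy template.json that follow, would be rejected on install with a "No handler for type [string]" mapper error. The CSV, ecs_flat.yml and ecs_nested.yml hunks carry the same `type: string` for every `*.code_signature.flags` field, which suggests the generator passed the value through unchanged and the root cause is the `type` declared for `code_signature.flags` in the schema source, outside this chunk. Declaring it as `keyword` there and regenerating would fix every affected file at once and would also give the field the `"ignore_above": 1024` that the neighbouring `signing_id` mapping has. `keyword` also matches how the value is used: the example `570522385` appears to be a numeric flag set that detections compare exactly, not text to be analyzed.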
@@ -24,6 +24,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -674,6 +677,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -824,6 +831,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1055,6 +1065,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 17d9b1e77f..c9030c4167 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -66,6 +66,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -275,6 +278,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -987,6 +994,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1196,6 +1206,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index a6b67033e2..6725cae44d 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -740,6 +740,10 @@ "type": "keyword" } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } } }, 
@@ -754,6 +758,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -783,6 +790,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -1008,6 +1019,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -1318,6 +1333,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1527,6 +1545,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -2703,6 +2725,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -3353,6 +3378,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -3503,6 +3532,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -3734,6 +3766,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -5241,6 +5277,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -5450,6 +5489,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -6162,6 +6205,9 @@ "exists": { "type": "boolean" }, + "flags": { + "type": "string" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" 
@@ -6371,6 +6417,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/rfcs/text/0044-add-apple-platform-specific-fields.md b/rfcs/text/0044-add-apple-platform-specific-fields.md index 68d0da3214..1c58a32b94 100644 --- a/rfcs/text/0044-add-apple-platform-specific-fields.md +++ b/rfcs/text/0044-add-apple-platform-specific-fields.md @@ -1,8 +1,8 @@ # 0044: Apple Platform specific fields -- Stage: **0 (strawperson)** -- Date: **2024-08-13** +- Stage: **2 (Candidate)** +- Date: **2024-09-11** ### Summary @@ -60,7 +60,11 @@ Stage 2: Included a real world example source document. Ideally this example com Stage 3: Add more real world example source documents so we have at least 2 total, but ideally 3. Format as described in stage 2. --> - +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228978-is_es_client + +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228979-is_platform_binary + +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3684982-responsible_audit_token + +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3334987-codesigning_flags + +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228976-cdhash + ### RFC Pull Requests * Stage 0: https://github.com/elastic/ecs/pull/2338 +* Stage 2: https://github.com/elastic/ecs/pull/2370
