diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b618b7394b..cc2d5276c5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -12,4 +12,4 @@ jobs: with: python-version: '3.x' - run: git fetch --prune --unshallow --tags - - run: make check + - run: make check yamllint diff --git a/Makefile b/Makefile index d6e65d4a45..5aaeebcebd 100644 --- a/Makefile +++ b/Makefile @@ -86,7 +86,7 @@ misspell: fi ./build/misspell/bin/misspell -error README.md CONTRIBUTING.md schemas/* docs/* experimental/schemas/* -# Warn re misspell removal +# Warn re misspell removal .PHONY: misspell_warn misspell_warn: @echo "Warning: due to lack of cross-platform support, misspell is no longer included in this task and may be deprecated in future\n" @@ -110,4 +110,4 @@ build/ve/bin/activate: scripts/requirements.txt scripts/requirements-dev.txt # Check YAML syntax (currently not enforced). .PHONY: yamllint yamllint: ve - build/ve/bin/yamllint schemas/*.yml + build/ve/bin/yamllint -d '{extends: default, rules: {line-length: disable}}' schemas/*.yml diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 31273d8c4b..23ae02e99a 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -865,6 +865,24 @@ example: `true` // =============================================================== +| +[[field-code-signature-flags]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The flags used to sign the process. + +type: keyword + + + +example: `570522385` + +| extended + +// =============================================================== + | [[field-code-signature-signing-id]] <> 
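Review bot: Appending `yamllint` to the existing `make check` step means a failure in `check` stops make before the new target runs, so a PR that breaks both only learns about the YAML problem on its next push; splitting it into its own step, `- run: make yamllint`, surfaces both results in one run. Since this now gates CI, the yamllint version matters: the `yamllint` target depends on `ve`, which presumably installs from scripts/requirements-dev.txt, and if yamllint is unpinned there the rule set applied to schemas/*.yml will drift with upstream releases — worth confirming it is pinned.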
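Review bot: The comment above the target, `# Check YAML syntax (currently not enforced).`, is now wrong once the workflow runs `make check yamllint`; change it to `# Check YAML syntax (enforced in CI via 'make check yamllint').` so the Makefile does not contradict the workflow. The inline `-d '{extends: default, rules: {line-length: disable}}'` config also only applies when going through make; a `.yamllint` file at the repository root would be picked up by yamllint automatically, keeping local runs, editor integrations and CI on the same rules. Note that the glob is still `schemas/*.yml` while the misspell target earlier in this file also covers `experimental/schemas/*`, so the experimental schemas remain unlinted unless that is intentional.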
@@ -1610,7 +1628,7 @@ example: `co.uk` [[ecs-device]] === Device Fields -Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device. +Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device. This field group definition is based on the Device namespace of the OpenTelemetry Semantic Conventions (https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/device/). @@ -1629,7 +1647,7 @@ beta::[ These fields are in beta and are subject to change.] [[field-device-id]] <> -a| The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. +a| The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. @@ -1693,6 +1711,24 @@ example: `Samsung Galaxy S6` // =============================================================== +| +[[field-device-serial-number]] +<> + +a| beta:[ This field is beta and subject to change. ] + +The unique serial number serves as a distinct identifier for each device, aiding in inventory management and device authentication. + +type: keyword + + + +example: `DJGAQS4CW5` + +| core + +// =============================================================== + |===== 
@@ -4811,6 +4847,24 @@ Note that this fieldset is used for common hashes that may be computed over a ra // =============================================================== +| +[[field-hash-cdhash]] +<> + +a| beta:[ This field is beta and subject to change. ] + +Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code. + +type: keyword + + + +example: `3783b4052fd474dbe30676b45c329e7a6d44acd9` + +| extended + +// =============================================================== + | [[field-hash-md5]] <> @@ -8685,6 +8739,8 @@ The `process` fields are expected to be nested at: * `process.previous` +* `process.responsible` + * `process.session_leader` * `process.session_leader.parent` @@ -8839,6 +8895,14 @@ Note: this reuse should contain an array of process field set objects. // =============================================================== +| `process.responsible.*` +| <>| beta:[ This field is beta and subject to change.] + +Responsible process in macOS tracks the originating process of an app, key for understanding permissions and hierarchy. + +// =============================================================== + + | `process.saved_group.*` | <> | The saved group (sgid). @@ -9142,7 +9206,7 @@ Note: this field should contain an array of values. [[ecs-risk]] === Risk information Fields -Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under `event.*`. Please continue to use `event.risk_score` and `event.risk_score_norm` for event risk. +Fields for describing risk score and risk level of entities such as hosts and users. These fields are not allowed to be nested under `event.*`. Please continue to use `event.risk_score` and `event.risk_score_norm` for event risk. beta::[ These fields are in beta and are subject to change.] 
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index bc95a6db22..ee0ecb5e3b 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1183,9 +1183,9 @@ - name: device title: Device group: 2 - description: 'Fields that describe a device instance and its characteristics. Data - collected for applications and processes running on a (mobile) device can be - enriched with these fields to describe the identity, type and other characteristics + description: 'Fields that describe a device instance and its characteristics. + Data collected for applications and processes running on a (mobile) device can + be enriched with these fields to describe the identity, type and other characteristics of the device. This field group definition is based on the Device namespace of the OpenTelemetry 
@@ -1197,13 +1197,15 @@ level: extended type: keyword ignore_above: 1024 - description: "The unique identifier of a device. The identifier must not change\ - \ across application sessions but stay fixed for an instance of a (mobile)\ - \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ - \ On Android, this value must be equal to the Firebase Installation ID or\ - \ a globally unique UUID which is persisted across sessions in your application.\n\ - For GDPR and data protection law reasons this identifier should not carry\ - \ information that would allow to identify a user." + description: 'The unique identifier of a device. The identifier must not change + across application sessions but stay fixed for an instance of a (mobile) device. + + On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). + On Android, this value must be equal to the Firebase Installation ID or a + globally unique UUID which is persisted across sessions in your application. + + For GDPR and data protection law reasons this identifier should not carry + information that would allow to identify a user.' example: 00000000-54b3-e7c7-0000-000046bffd97 default_field: false - name: manufacturer @@ -1227,6 +1229,14 @@ description: The human readable marketing name of the device model. example: Samsung Galaxy S6 default_field: false + - name: serial_number + level: core + type: keyword + ignore_above: 1024 + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + default_field: false - name: dll title: DLL group: 2 
@@ -1261,6 +1271,13 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -1323,6 +1340,14 @@ Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -1760,6 +1785,14 @@ description: Attachment file extension, excluding the leading dot. example: txt default_field: false + - name: attachments.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: attachments.file.hash.md5 level: extended type: keyword @@ -2405,6 +2438,13 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword 
@@ -2789,6 +2829,14 @@ ignore_above: 1024 description: Primary group name of the file. example: alice + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -4745,6 +4793,13 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -5774,6 +5829,14 @@ description: The working directory of the process. example: /home/alice default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -6055,6 +6118,13 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: parent.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: parent.code_signature.signing_id level: extended type: keyword 
@@ -6466,6 +6536,14 @@ the process exists within.' example: 4242 default_field: false + - name: parent.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: parent.hash.md5 level: extended type: keyword @@ -9101,6 +9179,13 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: enrichments.indicator.file.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: enrichments.indicator.file.code_signature.signing_id level: extended type: keyword @@ -9492,6 +9577,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: enrichments.indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: enrichments.indicator.file.hash.md5 level: extended type: keyword @@ -10708,6 +10801,13 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: indicator.file.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: indicator.file.code_signature.signing_id level: extended type: keyword 
@@ -11099,6 +11199,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: indicator.file.hash.md5 level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 292ac5f917..be5ee33461 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -146,8 +146,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. 8.12.0-dev+exp,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. 8.12.0-dev+exp,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.12.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device 8.12.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -155,6 +157,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 8.12.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 8.12.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev+exp,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. @@ -208,6 +211,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. 8.12.0-dev+exp,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. 8.12.0-dev+exp,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.12.0-dev+exp,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -276,6 +280,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -330,6 +335,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev+exp,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -587,6 +593,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -728,6 +735,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. 8.12.0-dev+exp,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.12.0-dev+exp,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev+exp,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -767,6 +775,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -825,6 +834,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. 8.12.0-dev+exp,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.12.0-dev+exp,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev+exp,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -1152,6 +1162,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -1206,6 +1217,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -1369,6 +1381,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -1423,6 +1436,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev+exp,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev+exp,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev+exp,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 02b972886f..e529df5f93 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -1711,13 +1711,15 @@ destination.user.roles: type: keyword device.id: dashed_name: device-id - description: "The unique identifier of a device. The identifier must not change\ - \ across application sessions but stay fixed for an instance of a (mobile) device.\ - \ \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ - \ On Android, this value must be equal to the Firebase Installation ID or a globally\ - \ unique UUID which is persisted across sessions in your application.\nFor GDPR\ - \ and data protection law reasons this identifier should not carry information\ - \ that would allow to identify a user." + description: 'The unique identifier of a device. The identifier must not change + across application sessions but stay fixed for an instance of a (mobile) device. + + On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). + On Android, this value must be equal to the Firebase Installation ID or a globally + unique UUID which is persisted across sessions in your application. + + For GDPR and data protection law reasons this identifier should not carry information + that would allow to identify a user.' example: 00000000-54b3-e7c7-0000-000046bffd97 flat_name: device.id ignore_above: 1024 
@@ -1759,6 +1761,19 @@ device.model.name: normalize: [] short: The human readable marketing name of the device model. type: keyword +device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each device, + aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword dll.code_signature.digest_algorithm: dashed_name: dll-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. @@ -1785,6 +1800,19 @@ dll.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -1883,6 +1911,20 @@ dll.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean +dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. @@ -2566,6 +2608,20 @@ email.attachments.file.extension: normalize: [] short: Attachment file extension. type: keyword +email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. 
@@ -3896,6 +3952,19 @@ file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -4555,6 +4624,20 @@ file.group: normalize: [] short: Primary group name of the file. type: keyword +file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. 
@@ -7700,6 +7783,19 @@ process.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -9372,6 +9468,20 @@ process.group_leader.working_directory: original_fieldset: process short: The working directory of the process. type: keyword +process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. 
@@ -9843,6 +9953,19 @@ process.parent.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -10543,6 +10666,20 @@ process.parent.group_leader.vpid: original_fieldset: process short: Virtual process id. type: long +process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. 
@@ -14643,6 +14780,19 @@ threat.enrichments.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -15311,6 +15461,20 @@ threat.enrichments.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. 
@@ -17353,6 +17517,19 @@ threat.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -18021,6 +18198,20 @@ threat.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f600ab293a..f4a2844515 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -1320,6 +1320,18 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + short: Code signing flags of the process + type: keyword code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. @@ -2153,7 +2165,7 @@ destination: type: group device: beta: These fields are in beta and are subject to change. - description: 'Fields that describe a device instance and its characteristics. Data + description: 'Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device. 
@@ -2163,13 +2175,15 @@ device: fields: device.id: dashed_name: device-id - description: "The unique identifier of a device. The identifier must not change\ - \ across application sessions but stay fixed for an instance of a (mobile)\ - \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ - \ On Android, this value must be equal to the Firebase Installation ID or\ - \ a globally unique UUID which is persisted across sessions in your application.\n\ - For GDPR and data protection law reasons this identifier should not carry\ - \ information that would allow to identify a user." + description: 'The unique identifier of a device. The identifier must not change + across application sessions but stay fixed for an instance of a (mobile) device. + + On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). + On Android, this value must be equal to the Firebase Installation ID or a + globally unique UUID which is persisted across sessions in your application. + + For GDPR and data protection law reasons this identifier should not carry + information that would allow to identify a user.' example: 00000000-54b3-e7c7-0000-000046bffd97 flat_name: device.id ignore_above: 1024 @@ -2211,6 +2225,19 @@ device: normalize: [] short: The human readable marketing name of the device model. type: keyword + device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword group: 2 name: device prefix: device. 
@@ -2258,6 +2285,19 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -2356,6 +2396,20 @@ dll: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean + dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. 
@@ -3518,6 +3572,20 @@ email: normalize: [] short: Attachment file extension. type: keyword + email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. @@ -4929,6 +4997,19 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -5589,6 +5670,20 @@ file: normalize: [] short: Primary group name of the file. type: keyword + file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. @@ -6886,6 +6981,19 @@ hash: range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).' fields: + hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + short: The Code Directory (CD) hash of an executable. + type: keyword hash.md5: dashed_name: hash-md5 description: MD5 hash. @@ -9909,6 +10017,19 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -11582,6 +11703,20 @@ process: original_fieldset: process short: The working directory of the process. type: keyword + process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. @@ -12057,6 +12192,19 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -12758,6 +12906,20 @@ process: original_fieldset: process short: Virtual process id. type: long + process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -14947,6 +15109,7 @@ process: - process.previous - process.real_group - process.real_user + - process.responsible - process.saved_group - process.saved_user - process.session_leader @@ -15008,6 +15171,12 @@ process: - array short_override: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - as: responsible + at: process + beta: This field is beta and subject to change. + full: process.responsible + short_override: Responsible process in macOS tracks the originating process + of an app, key for understanding permissions and hierarchy. top_level: true reused_here: - full: process.group @@ -15105,6 +15274,11 @@ process: schema_name: process short: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - beta: This field is beta and subject to change. + full: process.responsible + schema_name: process + short: Responsible process in macOS tracks the originating process of an app, + key for understanding permissions and hierarchy. short: These fields contain information about a process. title: Process type: group 
@@ -15281,8 +15455,8 @@ related: risk: beta: These fields are in beta and are subject to change. description: Fields for describing risk score and risk level of entities such as - hosts and users. These fields are not allowed to be nested under `event.*`. Please - continue to use `event.risk_score` and `event.risk_score_norm` for event risk. + hosts and users. These fields are not allowed to be nested under `event.*`. Please + continue to use `event.risk_score` and `event.risk_score_norm` for event risk. fields: risk.calculated_level: dashed_name: risk-calculated-level @@ -17307,6 +17481,19 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -17976,6 +18163,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. @@ -20023,6 +20224,19 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -20692,6 +20906,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/experimental/generated/elasticsearch/composable/component/device.json b/experimental/generated/elasticsearch/composable/component/device.json index cf66d72b06..215d046175 100644 --- a/experimental/generated/elasticsearch/composable/component/device.json +++ b/experimental/generated/elasticsearch/composable/component/device.json @@ -27,6 +27,10 @@ "type": "keyword" } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } } } diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index 2de113a6ea..e59687764d 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -17,6 +17,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -46,6 +50,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" 
diff --git a/experimental/generated/elasticsearch/composable/component/email.json b/experimental/generated/elasticsearch/composable/component/email.json index 83863c9c0c..5de733e5f7 100644 --- a/experimental/generated/elasticsearch/composable/component/email.json +++ b/experimental/generated/elasticsearch/composable/component/email.json @@ -18,6 +18,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index a04643e7d9..175a0cbab7 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -24,6 +24,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -233,6 +237,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index f4dd52c1ce..76b8983a3b 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -24,6 +24,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -674,6 +678,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" 
@@ -824,6 +832,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1055,6 +1067,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index 7f002d5bb7..32056d1507 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -66,6 +66,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -275,6 +279,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -987,6 +995,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1196,6 +1208,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 18386e190c..bc7f446065 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -782,6 +782,10 @@ "type": "keyword" } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -796,6 +800,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" 
@@ -825,6 +833,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -1050,6 +1062,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -1360,6 +1376,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1569,6 +1589,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -2745,6 +2769,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -3395,6 +3423,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -3545,6 +3577,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -3776,6 +3812,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -5283,6 +5323,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -5492,6 +5536,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -6204,6 +6252,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" 
@@ -6413,6 +6465,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index fa0007884b..3883c5b045 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1133,9 +1133,9 @@ - name: device title: Device group: 2 - description: 'Fields that describe a device instance and its characteristics. Data - collected for applications and processes running on a (mobile) device can be - enriched with these fields to describe the identity, type and other characteristics + description: 'Fields that describe a device instance and its characteristics. + Data collected for applications and processes running on a (mobile) device can + be enriched with these fields to describe the identity, type and other characteristics of the device. This field group definition is based on the Device namespace of the OpenTelemetry 
@@ -1147,13 +1147,15 @@ level: extended type: keyword ignore_above: 1024 - description: "The unique identifier of a device. The identifier must not change\ - \ across application sessions but stay fixed for an instance of a (mobile)\ - \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ - \ On Android, this value must be equal to the Firebase Installation ID or\ - \ a globally unique UUID which is persisted across sessions in your application.\n\ - For GDPR and data protection law reasons this identifier should not carry\ - \ information that would allow to identify a user." + description: 'The unique identifier of a device. The identifier must not change + across application sessions but stay fixed for an instance of a (mobile) device. + + On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). + On Android, this value must be equal to the Firebase Installation ID or a + globally unique UUID which is persisted across sessions in your application. + + For GDPR and data protection law reasons this identifier should not carry + information that would allow to identify a user.' example: 00000000-54b3-e7c7-0000-000046bffd97 default_field: false - name: manufacturer @@ -1177,6 +1179,14 @@ description: The human readable marketing name of the device model. example: Samsung Galaxy S6 default_field: false + - name: serial_number + level: core + type: keyword + ignore_above: 1024 + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + default_field: false - name: dll title: DLL group: 2 
@@ -1211,6 +1221,13 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -1273,6 +1290,14 @@ Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -1710,6 +1735,14 @@ description: Attachment file extension, excluding the leading dot. example: txt default_field: false + - name: attachments.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: attachments.file.hash.md5 level: extended type: keyword @@ -2355,6 +2388,13 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword 
@@ -2739,6 +2779,14 @@ ignore_above: 1024 description: Primary group name of the file. example: alice + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -4695,6 +4743,13 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: code_signature.signing_id level: extended type: keyword @@ -5724,6 +5779,14 @@ description: The working directory of the process. example: /home/alice default_field: false + - name: hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: hash.md5 level: extended type: keyword @@ -6005,6 +6068,13 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: parent.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: parent.code_signature.signing_id level: extended type: keyword 
@@ -6416,6 +6486,14 @@ the process exists within.' example: 4242 default_field: false + - name: parent.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: parent.hash.md5 level: extended type: keyword @@ -9051,6 +9129,13 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: enrichments.indicator.file.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: enrichments.indicator.file.code_signature.signing_id level: extended type: keyword @@ -9442,6 +9527,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: enrichments.indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: enrichments.indicator.file.hash.md5 level: extended type: keyword @@ -10658,6 +10751,13 @@ description: Boolean to capture if a signature is present. example: 'true' default_field: false + - name: indicator.file.code_signature.flags + level: extended + type: keyword + ignore_above: 1024 + description: The flags used to sign the process. + example: 570522385 + default_field: false - name: indicator.file.code_signature.signing_id level: extended type: keyword 
@@ -11049,6 +11149,14 @@ description: Primary group name of the file. example: alice default_field: false + - name: indicator.file.hash.cdhash + level: extended + type: keyword + ignore_above: 1024 + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + default_field: false - name: indicator.file.hash.md5 level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c31a8de31c..8af3fac81a 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -139,8 +139,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer. 8.12.0-dev,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model. 8.12.0-dev,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model. +8.12.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device 8.12.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -148,6 +150,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 8.12.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 8.12.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.12.0-dev,true,dll,dll.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. @@ -201,6 +204,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. 8.12.0-dev,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. 8.12.0-dev,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.12.0-dev,true,email,email.attachments.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -269,6 +273,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -323,6 +328,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev,true,file,file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -580,6 +586,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -721,6 +728,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. 8.12.0-dev,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. 8.12.0-dev,true,process,process.group_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process. +8.12.0-dev,true,process,process.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -760,6 +768,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -818,6 +827,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. 8.12.0-dev,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.12.0-dev,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +8.12.0-dev,true,process,process.parent.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -1145,6 +1155,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer 
@@ -1199,6 +1210,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. 
@@ -1362,6 +1374,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.12.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -1416,6 +1429,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 8.12.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 8.12.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.12.0-dev,true,threat,threat.indicator.file.hash.cdhash,keyword,extended,,3783b4052fd474dbe30676b45c329e7a6d44acd9,The Code Directory (CD) hash of an executable. 8.12.0-dev,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. 8.12.0-dev,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. 8.12.0-dev,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2022bddaf4..bad8611fa7 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1642,13 +1642,15 @@ destination.user.roles: type: keyword device.id: dashed_name: device-id - description: "The unique identifier of a device. The identifier must not change\ - \ across application sessions but stay fixed for an instance of a (mobile) device.\ - \ \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ - \ On Android, this value must be equal to the Firebase Installation ID or a globally\ - \ unique UUID which is persisted across sessions in your application.\nFor GDPR\ - \ and data protection law reasons this identifier should not carry information\ - \ that would allow to identify a user." + description: 'The unique identifier of a device. The identifier must not change + across application sessions but stay fixed for an instance of a (mobile) device. + + On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). + On Android, this value must be equal to the Firebase Installation ID or a globally + unique UUID which is persisted across sessions in your application. + + For GDPR and data protection law reasons this identifier should not carry information + that would allow to identify a user.' example: 00000000-54b3-e7c7-0000-000046bffd97 flat_name: device.id ignore_above: 1024 
@@ -1690,6 +1692,19 @@ device.model.name: normalize: [] short: The human readable marketing name of the device model. type: keyword +device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each device, + aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword dll.code_signature.digest_algorithm: dashed_name: dll-code-signature-digest-algorithm description: 'The hashing algorithm used to sign the process. @@ -1716,6 +1731,19 @@ dll.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -1814,6 +1842,20 @@ dll.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean +dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. @@ -2497,6 +2539,20 @@ email.attachments.file.extension: normalize: [] short: Attachment file extension. type: keyword +email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. 
@@ -3827,6 +3883,19 @@ file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -4486,6 +4555,20 @@ file.group: normalize: [] short: Primary group name of the file. type: keyword +file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. 
@@ -7631,6 +7714,19 @@ process.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -9303,6 +9399,20 @@ process.group_leader.working_directory: original_fieldset: process short: The working directory of the process. type: keyword +process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. 
@@ -9774,6 +9884,19 @@ process.parent.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -10474,6 +10597,20 @@ process.parent.group_leader.vpid: original_fieldset: process short: Virtual process id. type: long +process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. 
@@ -14574,6 +14711,19 @@ threat.enrichments.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -15242,6 +15392,20 @@ threat.enrichments.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. 
@@ -17284,6 +17448,19 @@ threat.indicator.file.code_signature.exists: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean +threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17952,6 +18129,20 @@ threat.indicator.file.group: original_fieldset: file short: Primary group name of the file. type: keyword +threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 8057eeed15..a401fa7b0a 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -1240,6 +1240,18 @@ code_signature: normalize: [] short: Boolean to capture if a signature is present. type: boolean + code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + short: Code signing flags of the process + type: keyword code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. @@ -2073,7 +2085,7 @@ destination: type: group device: beta: These fields are in beta and are subject to change. - description: 'Fields that describe a device instance and its characteristics. Data + description: 'Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device. 
@@ -2083,13 +2095,15 @@ device: fields: device.id: dashed_name: device-id - description: "The unique identifier of a device. The identifier must not change\ - \ across application sessions but stay fixed for an instance of a (mobile)\ - \ device. \nOn iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor).\ - \ On Android, this value must be equal to the Firebase Installation ID or\ - \ a globally unique UUID which is persisted across sessions in your application.\n\ - For GDPR and data protection law reasons this identifier should not carry\ - \ information that would allow to identify a user." + description: 'The unique identifier of a device. The identifier must not change + across application sessions but stay fixed for an instance of a (mobile) device. + + On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). + On Android, this value must be equal to the Firebase Installation ID or a + globally unique UUID which is persisted across sessions in your application. + + For GDPR and data protection law reasons this identifier should not carry + information that would allow to identify a user.' example: 00000000-54b3-e7c7-0000-000046bffd97 flat_name: device.id ignore_above: 1024 @@ -2131,6 +2145,19 @@ device: normalize: [] short: The human readable marketing name of the device model. type: keyword + device.serial_number: + beta: This field is beta and subject to change. + dashed_name: device-serial-number + description: The unique serial number serves as a distinct identifier for each + device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + flat_name: device.serial_number + ignore_above: 1024 + level: core + name: serial_number + normalize: [] + short: Serial Number of the device + type: keyword group: 2 name: device prefix: device. 
@@ -2178,6 +2205,19 @@ dll: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + dll.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: dll-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: dll.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -2276,6 +2316,20 @@ dll: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean + dll.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: dll-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: dll.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword dll.hash.md5: dashed_name: dll-hash-md5 description: MD5 hash. 
@@ -3438,6 +3492,20 @@ email: normalize: [] short: Attachment file extension. type: keyword + email.attachments.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: email-attachments-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: email.attachments.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword email.attachments.file.hash.md5: dashed_name: email-attachments-file-hash-md5 description: MD5 hash. @@ -4849,6 +4917,19 @@ file: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: file.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -5509,6 +5590,20 @@ file: normalize: [] short: Primary group name of the file. type: keyword + file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword file.hash.md5: dashed_name: file-hash-md5 description: MD5 hash. @@ -6806,6 +6901,19 @@ hash: range of generic bytes. Entity-specific hashes such as ja3 or imphash are placed in the fieldsets to which they relate (tls and pe, respectively).' fields: + hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + short: The Code Directory (CD) hash of an executable. + type: keyword hash.md5: dashed_name: hash-md5 description: MD5 hash. @@ -9829,6 +9937,19 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -11502,6 +11623,20 @@ process: original_fieldset: process short: The working directory of the process. type: keyword + process.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.hash.md5: dashed_name: process-hash-md5 description: MD5 hash. @@ -11977,6 +12112,19 @@ process: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + process.parent.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: process-parent-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: process.parent.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -12678,6 +12826,20 @@ process: original_fieldset: process short: Virtual process id. type: long + process.parent.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: process-parent-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: process.parent.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword process.parent.hash.md5: dashed_name: process-parent-hash-md5 description: MD5 hash. @@ -14867,6 +15029,7 @@ process: - process.previous - process.real_group - process.real_user + - process.responsible - process.saved_group - process.saved_user - process.session_leader @@ -14928,6 +15091,12 @@ process: - array short_override: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - as: responsible + at: process + beta: This field is beta and subject to change. + full: process.responsible + short_override: Responsible process in macOS tracks the originating process + of an app, key for understanding permissions and hierarchy. top_level: true reused_here: - full: process.group @@ -15025,6 +15194,11 @@ process: schema_name: process short: An array of previous executions for the process, including the initial fork. Only executable and args are set. + - beta: This field is beta and subject to change. + full: process.responsible + schema_name: process + short: Responsible process in macOS tracks the originating process of an app, + key for understanding permissions and hierarchy. short: These fields contain information about a process. title: Process type: group 
@@ -15201,8 +15375,8 @@ related: risk: beta: These fields are in beta and are subject to change. description: Fields for describing risk score and risk level of entities such as - hosts and users. These fields are not allowed to be nested under `event.*`. Please - continue to use `event.risk_score` and `event.risk_score_norm` for event risk. + hosts and users. These fields are not allowed to be nested under `event.*`. Please + continue to use `event.risk_score` and `event.risk_score_norm` for event risk. fields: risk.calculated_level: dashed_name: risk-calculated-level @@ -17227,6 +17401,19 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.enrichments.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -17896,6 +18083,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.enrichments.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.enrichments.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.enrichments.indicator.file.hash.md5: dashed_name: threat-enrichments-indicator-file-hash-md5 description: MD5 hash. @@ -19943,6 +20144,19 @@ threat: original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean + threat.indicator.file.code_signature.flags: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-code-signature-flags + description: The flags used to sign the process. + example: 570522385 + flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 + level: extended + name: flags + normalize: [] + original_fieldset: code_signature + short: Code signing flags of the process + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. 
@@ -20612,6 +20826,20 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword + threat.indicator.file.hash.cdhash: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-file-hash-cdhash + description: Code directory hash, utilized to uniquely identify and authenticate + the integrity of the executable code. + example: 3783b4052fd474dbe30676b45c329e7a6d44acd9 + flat_name: threat.indicator.file.hash.cdhash + ignore_above: 1024 + level: extended + name: cdhash + normalize: [] + original_fieldset: hash + short: The Code Directory (CD) hash of an executable. + type: keyword threat.indicator.file.hash.md5: dashed_name: threat-indicator-file-hash-md5 description: MD5 hash. diff --git a/generated/elasticsearch/composable/component/device.json b/generated/elasticsearch/composable/component/device.json index e03f268c86..741cf82323 100644 --- a/generated/elasticsearch/composable/component/device.json +++ b/generated/elasticsearch/composable/component/device.json @@ -27,6 +27,10 @@ "type": "keyword" } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } } } diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index d3561dd742..7c76d1ed0d 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -17,6 +17,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -46,6 +50,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/email.json b/generated/elasticsearch/composable/component/email.json index 94e8c70084..4046e33558 100644 --- a/generated/elasticsearch/composable/component/email.json 
+++ b/generated/elasticsearch/composable/component/email.json @@ -18,6 +18,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index d055adf323..c032c0a53c 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -24,6 +24,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -233,6 +237,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 6cc1382d11..d48a4eddab 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -24,6 +24,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -674,6 +678,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -824,6 +832,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1055,6 +1067,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 17d9b1e77f..40f98ec195 100644 
--- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -66,6 +66,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -275,6 +279,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -987,6 +995,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1196,6 +1208,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index a6b67033e2..66b302cebd 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -740,6 +740,10 @@ "type": "keyword" } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -754,6 +758,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -783,6 +791,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -1008,6 +1020,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -1318,6 +1334,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -1527,6 +1547,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" 
@@ -2703,6 +2727,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -3353,6 +3381,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -3503,6 +3535,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -3734,6 +3770,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -5241,6 +5281,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -5450,6 +5494,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" @@ -6162,6 +6210,10 @@ "exists": { "type": "boolean" }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "signing_id": { "ignore_above": 1024, "type": "keyword" @@ -6371,6 +6423,10 @@ }, "hash": { "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, "md5": { "ignore_above": 1024, "type": "keyword" diff --git a/rfcs/text/0044-add-apple-platform-specific-fields.md b/rfcs/text/0044-add-apple-platform-specific-fields.md index 68d0da3214..1c58a32b94 100644 --- a/rfcs/text/0044-add-apple-platform-specific-fields.md +++ b/rfcs/text/0044-add-apple-platform-specific-fields.md @@ -1,8 +1,8 @@ # 0044: Apple Platform specific fields -- Stage: **0 (strawperson)** -- Date: **2024-08-13** +- Stage: **2 (Candidate)** +- Date: **2024-09-11** ### Summary 
@@ -60,7 +60,11 @@ Stage 2: Included a real world example source document. Ideally this example com Stage 3: Add more real world example source documents so we have at least 2 total, but ideally 3. Format as described in stage 2. --> - +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228978-is_es_client + +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228979-is_platform_binary + +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3684982-responsible_audit_token + +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3334987-codesigning_flags + +https://developer.apple.com/documentation/endpointsecurity/es_process_t/3228976-cdhash + ### RFC Pull Requests * Stage 0: https://github.com/elastic/ecs/pull/2338 +* Stage 2: https://github.com/elastic/ecs/pull/2370 + +- Stage: **0 (strawperson)** +- Date: **TBD** + + + + +This RFC proposes to expand the vulnerability fieldset to include more fields, the proposal takes into consideration various customer feedbacks provided to Security integration team, inputs from Infosec team managing vulnerabilities across Elastic and other companies. This will benefit our customers and internal product teams to provide more effective vulnerability management experience to end user. to come up with the list of fields, extensive research was done across various Vulnerability management products and schemas like OSV. It is a continuation of one of the previous RFC on similar topic- https://github.com/elastic/ecs/issues/1685 + + + + + +## Fields +The `vulnerabilities` fields being proposed are as follows: + +| Field | Type | Description / Use Case | +| ----- | ---- | ---------------------- | +| `vulnerability.vendor.id` | keyword | A vulnerability doesn't have necessary a CVE associated with it. It makes sense to seperate vulnerability ID (like CVEs) to the vendor/detection IDs. 
| +| `vulnerability.title` | keyword | Title/Name/Short Description for vulnerability, to be used in flyout and dashboards. | +| `vulnerability.mitigation` | text | Explains user how to fix or mitigate the problem, could be usefd to store resolution from the scanner vendor or document mitigation in place | +| `vulnerability.published` | date | The “published” field indicates the date when information about a specific vulnerability was publicly disclosed or made available.It represents the moment when details about the vulnerability were shared with the security community, vendors, and the public.This field helps security professionals track the timeline of vulnerability awareness, in ISO 8601 format - YYYY-MM-DD | +| `vulnerability.patch.*` | object | - | +| `vulnerability.patch.exists` | boolean | The “patch” field refers to whether a security fix or update (commonly known as a patch) is available to address the identified vulnerability. It indicates whether the software vendor or developer has released a solution to mitigate the vulnerability. | +| `vulnerability.patch.name` | text | Name of the patch | +| `vulnerability.patch.code` | keyword | Associated patch code for example ESA-2020-13 | +| `vulnerability.evidence` | text | A demonstration of the validity of a vulnerability claim, e.g. app.any.run replaying the exploitation of the vulnerability. | +| `vulnerability.status` | keyword | The status field helps security teams track vulnerabilities, prioritize actions, and communicate their progress effectively. Examples- open/ignored/patched/mitigated/false_positive/risk_accepted/reopened..| +| `vulnerability.tags` | keyword | This is different from cloud provider assigned resource tags, this is specifically for vulnerability. Vulnerability tags serve as a way to add custom metadata to vulnerabilities, enhancing their context and aiding in search and automation. 
| +| `vulnerability.first_found` | date | First time a vulnerability was found on the asset, in ISO 8601 format: 2016-05-23T08:05:34.853Z | +| `vulnerability.last_found` | date | Last time a vulnerability was found on the asset, in ISO 8601 format: 2016-05-23T08:05:34.853Z | +| `vulnerability.last_scanned` | date | Last time a scan was performed on the asset. It's important as some companies are scanning on a quarterly basis. If last_found and last_scanned are close, it means it's still an active vulnerability, in ISO 8601 format: 2016-05-23T08:05:34.853Z| +| `vulnerability.age` | long | Numbers of days since the vulnerability is active. It should be dynamically calculated (runtime fields, ingest, ...). It could either be then difference between the last_found date and the published date (preferred). It could also be the difference between the first_found and last_found dates. | +| `vulnerability.uid` | keyword | It's extremely important to be able to deduplicate different scans. It's often that we have different scanners showing the same vulnerability on the same asset. | +| `vulnerability.type` | keyword | To conclude if the vulnerability is confirmed or potential. | +| `vulnerability.exploitability.*` | object | - | +| `vulnerability.exploitability.exploited` | boolean | To indicate if the vulnerability has been exploited or not. | +| `vulnerability.exploitability.reference` | keyword | Exploitability databse for example CSA-KEV. | +| `vulnerability.exploitability.confidence` | keyword | Confidence measure the credibility of existence and exploitability. 
| +| `vulnerability.exploitability.first_seen` | date | First time of exploitability, in ISO 8601 format: 2016-05-23T08:05:34.853Z | +| `vulnerability.exploitability.last_seen` | date | Last time of exploitability, in ISO 8601 format: 2016-05-23T08:05:34.853Z | +| `vulnerability.affected.*` | object | The affected field is a JSON array containing objects that describes the affected package versions, meaning those that contain the vulnerability. | +| `vulnerability.affected.package` | array | Package field is a JSON object identifying the affected code library or command provided by the package. | +| `vulnerability.affected.severity` | array | This field applies to a specific package, in cases where affected packages have differing severities for the same vulnerability. | +| `vulnerability.affected.versions` | array | Affected version in whatever version syntax is used by the given package ecosystem. | + + + + + + +## Usage + + + +## Source data + + + + + + + +## Scope of impact + + + +## Concerns + + + + + + + +## People + +The following are the people that consulted on the contents of this RFC. + +* @smriti0321 | author +* @tinnytintin10 | Product Manager Cloud Security +* @oren-zohar | Engineering Manager Cloud Security +* @orouz | Engineer +* @clement-fouque | Information Security Analyst + + + +## References + + +previous RFC - https://github.com/elastic/ecs/issues/1685 +https://ossf.github.io/osv-schema/#affected-fields + +### RFC Pull Requests + + + +* Stage 0: https://github.com/elastic/ecs/pull/2331 + + diff --git a/schemas/README.md b/schemas/README.md index 7762616e13..bb9e9fce3e 100644 --- a/schemas/README.md +++ b/schemas/README.md @@ -92,7 +92,7 @@ which can be thought of loosely as a "role". A good example is nesting `process` at `process.parent`, to capture the parent of a process. In these cases, we replace the "flat" key name with a small object with keys `at` and `as`: -``` +```YAML reusable: top_level: true expected: 
@@ -115,7 +115,7 @@ The above defines all process fields in both places: The `beta` marker can optionally be used along with `at` and `as` to include a beta marker in the field reuses section, marking specific reuse locations as beta. Beta notices should not have newlines. -``` +```YAML reusable: top_level: true expected: @@ -127,7 +127,7 @@ Beta notices should not have newlines. The `short_override` marker can optionally be used along with `at` and `as` to set the short description of the nested field, instead of defaulting to the top-level fieldset's short description. Like short, descriptions must not have newlines. -``` +```YAML reusable: top_level: true expected: diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index 056262370f..e5808e6e3d 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml @@ -35,6 +35,15 @@ description: Boolean to capture if a signature is present. example: "true" + - name: flags + level: extended + type: keyword + short: Code signing flags of the process + description: > + The flags used to sign the process. + example: 570522385 + beta: This field is beta and subject to change. + - name: subject_name level: core type: keyword diff --git a/schemas/device.yml b/schemas/device.yml index 38fe123937..3e03e4ab1d 100644 --- a/schemas/device.yml +++ b/schemas/device.yml @@ -20,7 +20,7 @@ group: 2 short: Fields characterizing a (mobile) device a process or application is running on. description: > - Fields that describe a device instance and its characteristics. + Fields that describe a device instance and its characteristics. Data collected for applications and processes running on a (mobile) device can be enriched with these fields to describe the identity, type and other characteristics of the device. 
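Review bot: The new `flags` entry in schemas/code_signature.yml describes the value as `The flags used to sign the process.`, which is inaccurate and also wrong at the reuse sites: the same definition lands under file, dll and threat.*.file, and the value is the code-signing status flags reported for the executable (the RFC links Endpoint Security's codesigning_flags), not an input to signing. Suggest `short: Code signing status flags of the executable` and `description: The code signing flags reported for the executable, for example the codesigning_flags value from macOS Endpoint Security.`. Because the type is keyword, the description should also pin the encoding: the example is a decimal integer, and a hexadecimal rendering of the same bitmask would index as a different term, while keyword rules out range or bit queries, so if detection rules need to test individual flags a numeric type may serve better.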
@@ -33,14 +33,14 @@ level: extended example: 00000000-54b3-e7c7-0000-000046bffd97 type: keyword - short: The unique identifier of a device. + short: The unique identifier of a device. description: > - The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. + The unique identifier of a device. The identifier must not change across application sessions but stay fixed for an instance of a (mobile) device. On iOS, this value must be equal to the vendor identifier (https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor). On Android, this value must be equal to the Firebase Installation ID or a globally unique UUID which is persisted across sessions in your application. - For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user. + For GDPR and data protection law reasons this identifier should not carry information that would allow to identify a user. - name: model.name level: extended example: Samsung Galaxy S6 @@ -58,4 +58,12 @@ example: Samsung type: keyword description: > - The vendor name of the device manufacturer. + The vendor name of the device manufacturer. + - name: serial_number + level: core + type: keyword + short: Serial Number of the device + description: > + The unique serial number serves as a distinct identifier for each device, aiding in inventory management and device authentication. + example: DJGAQS4CW5 + beta: This field is beta and subject to change. diff --git a/schemas/email.yml b/schemas/email.yml index 82bfd5b219..9c8b6ff390 100644 --- a/schemas/email.yml +++ b/schemas/email.yml @@ -180,8 +180,8 @@ A brief summary of the topic of the message. example: "Please see this important message." multi_fields: - - type: match_only_text - name: text + - type: match_only_text + name: text - name: to.address level: extended 
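Review bot: `device.serial_number` is added at `level: core` while the sibling device fields visible in this hunk (`device.id`, `model.name`) are `level: extended`; unless the core placement is intended, `level: extended` keeps the fieldset consistent. The "device authentication" use case in the description should be dropped, since a serial number is a stable, non-secret hardware identifier and not an authentication factor. It is also more persistent than `device.id`, whose description carries a GDPR note, so the same data-protection caveat belongs here, e.g. `description: > The serial number of the device as reported by the platform. It is a stable hardware identifier useful for inventory and correlation; as with device.id, consider data protection obligations before collecting it.` together with `short: Serial number of the device`.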
diff --git a/schemas/hash.yml b/schemas/hash.yml
index ab3d4ed83b..b9e4b64c29 100644
--- a/schemas/hash.yml
+++ b/schemas/hash.yml
@@ -42,6 +42,14 @@
 fields:
+ - name: cdhash
+ level: extended
+ type: keyword
+ short: The Code Directory (CD) hash of an executable.
+ description: Code directory hash, utilized to uniquely identify and authenticate the integrity of the executable code.
+ example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
+ beta: This field is beta and subject to change.
+
 - name: md5
 level: extended
 type: keyword
diff --git a/schemas/pe.yml b/schemas/pe.yml
index f2a5f1561e..d201544658 100644
--- a/schemas/pe.yml
+++ b/schemas/pe.yml
@@ -208,4 +208,3 @@
 format: string
 type: long
 level: extended
-
diff --git a/schemas/process.yml b/schemas/process.yml
index 91c8ef98ef..abb5366d00 100644
--- a/schemas/process.yml
+++ b/schemas/process.yml
@@ -61,9 +61,21 @@
 short_override: An array of previous executions for the process, including the initial fork. Only executable and args are set.
 normalize:
 - array
+ - at: process
+ as: responsible
+ short_override: Responsible process in macOS tracks the originating process of an app, key for understanding permissions and hierarchy.
+ beta: This field is beta and subject to change.
 fields:
+ - name: endpoint_security_client
+ level: extended
+ type: boolean
+ short: Indicates whether this process executable is an Endpoint Security client.
+ description: >
+ Processes that have an endpoint security client must have the com.apple.endpointsecurity entitlement and the value is set to true in the message.
+ beta: This field is beta and subject to change.
+
 - name: pid
 format: string
 level: core
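Review bot: The `cdhash` description overstates what the value provides: a cdhash is the digest of the executable's code directory, and by itself it neither authenticates nor proves the integrity of the code — that is only established when the signature over the code directory is validated, which `code_signature.valid` and `code_signature.trusted` already carry. Suggest `description: > The hash of the executable's code directory (cdhash), as a lowercase hexadecimal string. It identifies a specific signed build; it does not by itself indicate that the signature is valid or trusted.`. Stating the encoding matters for a keyword field, since an uppercase rendering of the same digest would index as a different term, and the example is 40 hex characters, so consumers should be told whether to expect that length regardless of the underlying digest algorithm.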
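Review bot: The `endpoint_security_client` description in the schemas/process.yml hunk misnames the entitlement and reads awkwardly: Apple's documentation refers to the client entitlement as com.apple.developer.endpoint-security.client (please verify against the is_es_client reference linked in the RFC), and `the value is set to true in the message` does not say what the field means. Suggest `short: Whether the process executable is an Endpoint Security client.` and `description: > True when the executable is an Endpoint Security client, i.e. it holds the Endpoint Security client entitlement (reported as is_es_client by the platform).`. The `platform_binary` entry in the following hunk has the same shape of problem; `Set to true when the executable is a platform binary, i.e. one shipped with the operating system (reported as is_platform_binary).` would read better there, and a true value should not be read as a benign verdict on the process. The `responsible` reuse block looks fine.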
@@ -174,6 +186,14 @@
 - type: match_only_text
 name: text
+ - name: platform_binary
+ level: extended
+ type: boolean
+ short: Indicates whether this process executable is a default platform binary shipped with the operating system.
+ description: >
+ Binaries that are shipped by the operating system are defined as platform binaries, this value is then set to true.
+ beta: This field is beta and subject to change.
+
 - name: title
 level: extended
 type: keyword
diff --git a/schemas/risk.yml b/schemas/risk.yml
index 84835f08e2..8c54f392b5 100644
--- a/schemas/risk.yml
+++ b/schemas/risk.yml
@@ -22,8 +22,8 @@
 beta: >
 These fields are in beta and are subject to change.
 description: >
- Fields for describing risk score and risk level of entities such as hosts and users.
- These fields are not allowed to be nested under `event.*`. Please continue to use
+ Fields for describing risk score and risk level of entities such as hosts and users.
+ These fields are not allowed to be nested under `event.*`. Please continue to use
 `event.risk_score` and `event.risk_score_norm` for event risk.
 reusable:
 top_level: false
diff --git a/scripts/tests/test_ecs_spec.py b/scripts/tests/test_ecs_spec.py
index edb0b8420c..a55d7bbb68 100644
--- a/scripts/tests/test_ecs_spec.py
+++ b/scripts/tests/test_ecs_spec.py
@@ -130,6 +130,41 @@ def test_normalize_always_array(self):
 for (field_name, field) in self.ecs_fields.items():
 self.assertIsInstance(field.get('normalize'), list, field_name)
+ def test_valid_type(self):
+ valid_types = ['binary',
+ 'boolean',
+ 'keyword',
+ 'constant_keyword',
+ 'wildcard',
+ 'long',
+ 'integer',
+ 'short',
+ 'byte',
+ 'double',
+ 'float',
+ 'half_float',
+ 'scaled_float',
+ 'unsigned_long',
+ 'date',
+ 'date_nanos',
+ 'alias',
+ 'object',
+ 'flattened',
+ 'nested',
+ 'join',
+ 'long_range',
+ 'double_range',
+ 'date_range',
+ 'ip',
+ 'text',
+ 'match_only_text',
+ 'geo_point',
+ 'geo_shape',
+ 'point',
+ 'shape']
+ for (field_name, field) in self.ecs_fields.items():
+ self.assertIn(field.get('type'), valid_types, field_name)
+
 if __name__ == '__main__':
 unittest.main()
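Review bot: `valid_types` is rebuilt as a local list on every call and the allowlist is the whole point of the test, so it is better as a module-level `VALID_TYPES = frozenset({...})` constant that other tests and the schema tooling can share, with the assertion becoming `self.assertIn(field.get('type'), VALID_TYPES, field_name)`. A missing `type` key yields `None` in the failure message, which is acceptable, but a short docstring such as `"""Every field's type must be one of the Elasticsearch mapping types ECS supports."""` would state the intent. The enclosing TestCase class starts outside the hunk.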