From d69cb01a821156a2f9435c8acb878e48d43357bc Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Mon, 16 Sep 2024 17:19:45 -0700 Subject: [PATCH] use correct type on code_signature.flags --- docs/fields/field-details.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 18 ++++++++++------ experimental/generated/csv/fields.csv | 12 +++++------ experimental/generated/ecs/ecs_flat.yml | 18 ++++++++++------ experimental/generated/ecs/ecs_nested.yml | 21 ++++++++++++------- .../composable/component/dll.json | 3 ++- .../composable/component/file.json | 3 ++- .../composable/component/process.json | 6 ++++-- .../composable/component/threat.json | 6 ++++-- .../elasticsearch/legacy/template.json | 18 ++++++++++------ generated/beats/fields.ecs.yml | 18 ++++++++++------ generated/csv/fields.csv | 12 +++++------ generated/ecs/ecs_flat.yml | 18 ++++++++++------ generated/ecs/ecs_nested.yml | 21 ++++++++++++------- .../composable/component/dll.json | 3 ++- .../composable/component/file.json | 3 ++- .../composable/component/process.json | 6 ++++-- .../composable/component/threat.json | 6 ++++-- generated/elasticsearch/legacy/template.json | 18 ++++++++++------ rfcs/text/0044/code_signature.yml | 4 ++-- schemas/code_signature.yml | 2 +- 21 files changed, 140 insertions(+), 78 deletions(-) diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index f2259fb87..23ae02e99 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -873,7 +873,7 @@ a| beta:[ This field is beta and subject to change. ] The flags used to sign the process. -type: string +type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 625206235..ee0ecb5e3 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1273,7 +1273,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -2439,7 +2440,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -4793,7 +4795,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -6117,7 +6120,8 @@ default_field: false - name: parent.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -9177,7 +9181,8 @@ default_field: false - name: enrichments.indicator.file.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -10798,7 +10803,8 @@ default_field: false - name: indicator.file.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 85f24dce1..be5ee3346 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -149,7 +149,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device 8.12.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -280,7 +280,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -593,7 +593,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -775,7 +775,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -1162,7 +1162,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -1381,7 +1381,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 6e09b7f52..e529df5f9 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1806,12 +1806,13 @@ dll.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: dll.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -3957,12 +3958,13 @@ file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -7787,12 +7789,13 @@ process.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: process.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -9956,12 +9959,13 @@ process.parent.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: process.parent.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -14782,12 +14786,13 @@ threat.enrichments.indicator.file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17518,12 +17523,13 @@ threat.indicator.file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 1f7f9648b..f4a284451 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1326,11 +1326,12 @@ code_signature: description: The flags used to sign the process. example: 570522385 flat_name: code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] short: Code signing flags of the process - type: string + type: keyword code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. @@ -2290,12 +2291,13 @@ dll: description: The flags used to sign the process. example: 570522385 flat_name: dll.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -5001,12 +5003,13 @@ file: description: The flags used to sign the process. example: 570522385 flat_name: file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -10020,12 +10023,13 @@ process: description: The flags used to sign the process. example: 570522385 flat_name: process.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -12194,12 +12198,13 @@ process: description: The flags used to sign the process. example: 570522385 flat_name: process.parent.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17482,12 +17487,13 @@ threat: description: The flags used to sign the process. example: 570522385 flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -20224,12 +20230,13 @@ threat: description: The flags used to sign the process. example: 570522385 flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index 55e224626..e59687764 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -18,7 +18,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index adb9d1d8e..175a0cbab 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -25,7 +25,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index de0be5f24..76b8983a3 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -25,7 +25,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -832,7 +833,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index cdcbbd7ae..32056d150 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -67,7 +67,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -995,7 +996,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 6b9172fe3..bc7f44606 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -801,7 +801,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -1376,7 +1377,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -2768,7 +2770,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -3575,7 +3578,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -5320,7 +5324,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -6248,7 +6253,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 77f9536d9..3883c5b04 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1223,7 +1223,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -2389,7 +2390,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -4743,7 +4745,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -6067,7 +6070,8 @@ default_field: false - name: parent.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -9127,7 +9131,8 @@ default_field: false - name: enrichments.indicator.file.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -10748,7 +10753,8 @@ default_field: false - name: indicator.file.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index a7210ad73..8af3fac81 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -142,7 +142,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device 8.12.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -273,7 +273,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -586,7 +586,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -768,7 +768,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -1155,7 +1155,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -1374,7 +1374,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 7e504589d..bad8611fa 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1737,12 +1737,13 @@ dll.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: dll.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -3888,12 +3889,13 @@ file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -7718,12 +7720,13 @@ process.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: process.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -9887,12 +9890,13 @@ process.parent.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: process.parent.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -14713,12 +14717,13 @@ threat.enrichments.indicator.file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17449,12 +17454,13 @@ threat.indicator.file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index b08955b69..a401fa7b0 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1246,11 +1246,12 @@ code_signature: description: The flags used to sign the process. example: 570522385 flat_name: code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] short: Code signing flags of the process - type: string + type: keyword code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. @@ -2210,12 +2211,13 @@ dll: description: The flags used to sign the process. example: 570522385 flat_name: dll.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -4921,12 +4923,13 @@ file: description: The flags used to sign the process. example: 570522385 flat_name: file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -9940,12 +9943,13 @@ process: description: The flags used to sign the process. example: 570522385 flat_name: process.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -12114,12 +12118,13 @@ process: description: The flags used to sign the process. example: 570522385 flat_name: process.parent.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17402,12 +17407,13 @@ threat: description: The flags used to sign the process. example: 570522385 flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -20144,12 +20150,13 @@ threat: description: The flags used to sign the process. example: 570522385 flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index b5f52995c..7c76d1ed0 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -18,7 +18,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index cc12f10be..c032c0a53 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -25,7 +25,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 610ff7484..d48a4edda 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -25,7 +25,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -832,7 +833,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index c9030c416..40f98ec19 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -67,7 +67,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -995,7 +996,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 6725cae44..66b302ceb 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -759,7 +759,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -1334,7 +1335,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -2726,7 +2728,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -3533,7 +3536,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -5278,7 +5282,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -6206,7 +6211,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/rfcs/text/0044/code_signature.yml b/rfcs/text/0044/code_signature.yml index 091339048..d16b64b6e 100644 --- a/rfcs/text/0044/code_signature.yml +++ b/rfcs/text/0044/code_signature.yml @@ -3,8 +3,8 @@ fields: - name: flags level: extended - type: string + type: keyword short: Code signing flags of the process description: > The flags used to sign the process. - example: 570522385 \ No newline at end of file + example: 570522385 diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index 67e6a5da4..e5808e6e3 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml @@ -37,7 +37,7 @@ - name: flags level: extended - type: string + type: keyword short: Code signing flags of the process description: > The flags used to sign the process.