Skip to content

Commit

Permalink
Fix type in code signature (#2382)
Browse files Browse the repository at this point in the history
Change the type of code_signature.flags to keyword, which is what it should be. Also add a unit test that will verify all types are valid.
  • Loading branch information
mjwolf authored Sep 23, 2024
1 parent 8be4ed7 commit 220ecee
Show file tree
Hide file tree
Showing 22 changed files with 175 additions and 78 deletions.
2 changes: 1 addition & 1 deletion docs/fields/field-details.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -873,7 +873,7 @@ a| beta:[ This field is beta and subject to change. ]

The flags used to sign the process.

type: string
type: keyword



Expand Down
18 changes: 12 additions & 6 deletions experimental/generated/beats/fields.ecs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1273,7 +1273,8 @@
default_field: false
- name: code_signature.flags
level: extended
type: string
type: keyword
ignore_above: 1024
description: The flags used to sign the process.
example: 570522385
default_field: false
Expand Down Expand Up @@ -2439,7 +2440,8 @@
default_field: false
- name: code_signature.flags
level: extended
type: string
type: keyword
ignore_above: 1024
description: The flags used to sign the process.
example: 570522385
default_field: false
Expand Down Expand Up @@ -4793,7 +4795,8 @@
default_field: false
- name: code_signature.flags
level: extended
type: string
type: keyword
ignore_above: 1024
description: The flags used to sign the process.
example: 570522385
default_field: false
Expand Down Expand Up @@ -6117,7 +6120,8 @@
default_field: false
- name: parent.code_signature.flags
level: extended
type: string
type: keyword
ignore_above: 1024
description: The flags used to sign the process.
example: 570522385
default_field: false
Expand Down Expand Up @@ -9177,7 +9181,8 @@
default_field: false
- name: enrichments.indicator.file.code_signature.flags
level: extended
type: string
type: keyword
ignore_above: 1024
description: The flags used to sign the process.
example: 570522385
default_field: false
Expand Down Expand Up @@ -10798,7 +10803,8 @@
default_field: false
- name: indicator.file.code_signature.flags
level: extended
type: string
type: keyword
ignore_above: 1024
description: The flags used to sign the process.
example: 570522385
default_field: false
Expand Down
12 changes: 6 additions & 6 deletions experimental/generated/csv/fields.csv
Original file line number Diff line number Diff line change
Expand Up @@ -149,7 +149,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device
8.12.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
8.12.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
8.12.0-dev+exp,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process
8.12.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
8.12.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
8.12.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
8.12.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
Expand Down Expand Up @@ -280,7 +280,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
8.12.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
8.12.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
8.12.0-dev+exp,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
8.12.0-dev+exp,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
8.12.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
8.12.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
8.12.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
Expand Down Expand Up @@ -593,7 +593,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
8.12.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
8.12.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
8.12.0-dev+exp,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process
8.12.0-dev+exp,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
8.12.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
8.12.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
8.12.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
Expand Down Expand Up @@ -775,7 +775,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
8.12.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
8.12.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
8.12.0-dev+exp,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process
8.12.0-dev+exp,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
8.12.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
8.12.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
8.12.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
Expand Down Expand Up @@ -1162,7 +1162,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
Expand Down Expand Up @@ -1381,7 +1381,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.12.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
Expand Down
18 changes: 12 additions & 6 deletions experimental/generated/ecs/ecs_flat.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1806,12 +1806,13 @@ dll.code_signature.flags:
description: The flags used to sign the process.
example: 570522385
flat_name: dll.code_signature.flags
ignore_above: 1024
level: extended
name: flags
normalize: []
original_fieldset: code_signature
short: Code signing flags of the process
type: string
type: keyword
dll.code_signature.signing_id:
dashed_name: dll-code-signature-signing-id
description: 'The identifier used to sign the process.
Expand Down Expand Up @@ -3957,12 +3958,13 @@ file.code_signature.flags:
description: The flags used to sign the process.
example: 570522385
flat_name: file.code_signature.flags
ignore_above: 1024
level: extended
name: flags
normalize: []
original_fieldset: code_signature
short: Code signing flags of the process
type: string
type: keyword
file.code_signature.signing_id:
dashed_name: file-code-signature-signing-id
description: 'The identifier used to sign the process.
Expand Down Expand Up @@ -7787,12 +7789,13 @@ process.code_signature.flags:
description: The flags used to sign the process.
example: 570522385
flat_name: process.code_signature.flags
ignore_above: 1024
level: extended
name: flags
normalize: []
original_fieldset: code_signature
short: Code signing flags of the process
type: string
type: keyword
process.code_signature.signing_id:
dashed_name: process-code-signature-signing-id
description: 'The identifier used to sign the process.
Expand Down Expand Up @@ -9956,12 +9959,13 @@ process.parent.code_signature.flags:
description: The flags used to sign the process.
example: 570522385
flat_name: process.parent.code_signature.flags
ignore_above: 1024
level: extended
name: flags
normalize: []
original_fieldset: code_signature
short: Code signing flags of the process
type: string
type: keyword
process.parent.code_signature.signing_id:
dashed_name: process-parent-code-signature-signing-id
description: 'The identifier used to sign the process.
Expand Down Expand Up @@ -14782,12 +14786,13 @@ threat.enrichments.indicator.file.code_signature.flags:
description: The flags used to sign the process.
example: 570522385
flat_name: threat.enrichments.indicator.file.code_signature.flags
ignore_above: 1024
level: extended
name: flags
normalize: []
original_fieldset: code_signature
short: Code signing flags of the process
type: string
type: keyword
threat.enrichments.indicator.file.code_signature.signing_id:
dashed_name: threat-enrichments-indicator-file-code-signature-signing-id
description: 'The identifier used to sign the process.
Expand Down Expand Up @@ -17518,12 +17523,13 @@ threat.indicator.file.code_signature.flags:
description: The flags used to sign the process.
example: 570522385
flat_name: threat.indicator.file.code_signature.flags
ignore_above: 1024
level: extended
name: flags
normalize: []
original_fieldset: code_signature
short: Code signing flags of the process
type: string
type: keyword
threat.indicator.file.code_signature.signing_id:
dashed_name: threat-indicator-file-code-signature-signing-id
description: 'The identifier used to sign the process.
Expand Down
21 changes: 14 additions & 7 deletions experimental/generated/ecs/ecs_nested.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1326,11 +1326,12 @@ code_signature:
description: The flags used to sign the process.
example: 570522385
flat_name: code_signature.flags
ignore_above: 1024
level: extended
name: flags
normalize: []
short: Code signing flags of the process
type: string
type: keyword
code_signature.signing_id:
dashed_name: code-signature-signing-id
description: 'The identifier used to sign the process.
Expand Down Expand Up @@ -2290,12 +2291,13 @@ dll:
description: The flags used to sign the process.
example: 570522385
flat_name: dll.code_signature.flags
ignore_above: 1024
level: extended
name: flags
normalize: []
original_fieldset: code_signature
short: Code signing flags of the process
type: string
type: keyword
dll.code_signature.signing_id:
dashed_name: dll-code-signature-signing-id
description: 'The identifier used to sign the process.
Expand Down Expand Up @@ -5001,12 +5003,13 @@ file:
description: The flags used to sign the process.
example: 570522385
flat_name: file.code_signature.flags
ignore_above: 1024
level: extended
name: flags
normalize: []
original_fieldset: code_signature
short: Code signing flags of the process
type: string
type: keyword
file.code_signature.signing_id:
dashed_name: file-code-signature-signing-id
description: 'The identifier used to sign the process.
Expand Down Expand Up @@ -10020,12 +10023,13 @@ process:
description: The flags used to sign the process.
example: 570522385
flat_name: process.code_signature.flags
ignore_above: 1024
level: extended
name: flags
normalize: []
original_fieldset: code_signature
short: Code signing flags of the process
type: string
type: keyword
process.code_signature.signing_id:
dashed_name: process-code-signature-signing-id
description: 'The identifier used to sign the process.
Expand Down Expand Up @@ -12194,12 +12198,13 @@ process:
description: The flags used to sign the process.
example: 570522385
flat_name: process.parent.code_signature.flags
ignore_above: 1024
level: extended
name: flags
normalize: []
original_fieldset: code_signature
short: Code signing flags of the process
type: string
type: keyword
process.parent.code_signature.signing_id:
dashed_name: process-parent-code-signature-signing-id
description: 'The identifier used to sign the process.
Expand Down Expand Up @@ -17482,12 +17487,13 @@ threat:
description: The flags used to sign the process.
example: 570522385
flat_name: threat.enrichments.indicator.file.code_signature.flags
ignore_above: 1024
level: extended
name: flags
normalize: []
original_fieldset: code_signature
short: Code signing flags of the process
type: string
type: keyword
threat.enrichments.indicator.file.code_signature.signing_id:
dashed_name: threat-enrichments-indicator-file-code-signature-signing-id
description: 'The identifier used to sign the process.
Expand Down Expand Up @@ -20224,12 +20230,13 @@ threat:
description: The flags used to sign the process.
example: 570522385
flat_name: threat.indicator.file.code_signature.flags
ignore_above: 1024
level: extended
name: flags
normalize: []
original_fieldset: code_signature
short: Code signing flags of the process
type: string
type: keyword
threat.indicator.file.code_signature.signing_id:
dashed_name: threat-indicator-file-code-signature-signing-id
description: 'The identifier used to sign the process.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,8 @@
"type": "boolean"
},
"flags": {
"type": "string"
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@
"type": "boolean"
},
"flags": {
"type": "string"
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@
"type": "boolean"
},
"flags": {
"type": "string"
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
Expand Down Expand Up @@ -832,7 +833,8 @@
"type": "boolean"
},
"flags": {
"type": "string"
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,8 @@
"type": "boolean"
},
"flags": {
"type": "string"
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
Expand Down Expand Up @@ -995,7 +996,8 @@
"type": "boolean"
},
"flags": {
"type": "string"
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
Expand Down
Loading

0 comments on commit 220ecee

Please sign in to comment.