Merge branch 'main' into x509.serial_number

elastic · Sep 26, 2024 · 8034054 · 8034054
2 parents 89f9df5 + e78c424
commit 8034054
Show file tree

Hide file tree

Showing 26 changed files with 180 additions and 84 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -12,4 +12,4 @@ jobs:
         with:
           python-version: '3.x'
       - run: git fetch --prune --unshallow --tags
-      - run: make check
+      - run: make check yamllint
diff --git a/Makefile b/Makefile
@@ -86,7 +86,7 @@ misspell:
 	fi
 	./build/misspell/bin/misspell -error README.md CONTRIBUTING.md schemas/* docs/* experimental/schemas/*
 
-# Warn re misspell removal     
+# Warn re misspell removal
 .PHONY: misspell_warn
 misspell_warn:
 	@echo "Warning: due to lack of cross-platform support, misspell is no longer included in this task and may be deprecated in future\n"
@@ -110,4 +110,4 @@ build/ve/bin/activate: scripts/requirements.txt scripts/requirements-dev.txt
 # Check YAML syntax (currently not enforced).
 .PHONY: yamllint
 yamllint: ve
-	build/ve/bin/yamllint schemas/*.yml
+	build/ve/bin/yamllint -d '{extends: default, rules: {line-length: disable}}' schemas/*.yml
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
@@ -873,7 +873,7 @@ a| beta:[ This field is beta and subject to change. ]
 
 The flags used to sign the process.
 
-type: string
+type: keyword
 
 
 

diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
@@ -1273,7 +1273,8 @@
       default_field: false
     - name: code_signature.flags
       level: extended
-      type: string
+      type: keyword
+      ignore_above: 1024
       description: The flags used to sign the process.
       example: 570522385
       default_field: false
@@ -2439,7 +2440,8 @@
       default_field: false
     - name: code_signature.flags
       level: extended
-      type: string
+      type: keyword
+      ignore_above: 1024
       description: The flags used to sign the process.
       example: 570522385
       default_field: false
@@ -4793,7 +4795,8 @@
       default_field: false
     - name: code_signature.flags
       level: extended
-      type: string
+      type: keyword
+      ignore_above: 1024
       description: The flags used to sign the process.
       example: 570522385
       default_field: false
@@ -6117,7 +6120,8 @@
       default_field: false
     - name: parent.code_signature.flags
       level: extended
-      type: string
+      type: keyword
+      ignore_above: 1024
       description: The flags used to sign the process.
       example: 570522385
       default_field: false
@@ -9177,7 +9181,8 @@
       default_field: false
     - name: enrichments.indicator.file.code_signature.flags
       level: extended
-      type: string
+      type: keyword
+      ignore_above: 1024
       description: The flags used to sign the process.
       example: 570522385
       default_field: false
@@ -10798,7 +10803,8 @@
       default_field: false
     - name: indicator.file.code_signature.flags
       level: extended
-      type: string
+      type: keyword
+      ignore_above: 1024
       description: The flags used to sign the process.
       example: 570522385
       default_field: false

diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
@@ -149,7 +149,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device
 8.12.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.12.0-dev+exp,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process
+8.12.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -280,7 +280,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 8.12.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.12.0-dev+exp,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
+8.12.0-dev+exp,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -593,7 +593,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
 8.12.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.12.0-dev+exp,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process
+8.12.0-dev+exp,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -775,7 +775,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
 8.12.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.12.0-dev+exp,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process
+8.12.0-dev+exp,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -1162,7 +1162,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -1381,7 +1381,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
+8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer

diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
@@ -1806,12 +1806,13 @@ dll.code_signature.flags:
   description: The flags used to sign the process.
   example: 570522385
   flat_name: dll.code_signature.flags
+  ignore_above: 1024
   level: extended
   name: flags
   normalize: []
   original_fieldset: code_signature
   short: Code signing flags of the process
-  type: string
+  type: keyword
 dll.code_signature.signing_id:
   dashed_name: dll-code-signature-signing-id
   description: 'The identifier used to sign the process.
@@ -3957,12 +3958,13 @@ file.code_signature.flags:
   description: The flags used to sign the process.
   example: 570522385
   flat_name: file.code_signature.flags
+  ignore_above: 1024
   level: extended
   name: flags
   normalize: []
   original_fieldset: code_signature
   short: Code signing flags of the process
-  type: string
+  type: keyword
 file.code_signature.signing_id:
   dashed_name: file-code-signature-signing-id
   description: 'The identifier used to sign the process.
@@ -7786,12 +7788,13 @@ process.code_signature.flags:
   description: The flags used to sign the process.
   example: 570522385
   flat_name: process.code_signature.flags
+  ignore_above: 1024
   level: extended
   name: flags
   normalize: []
   original_fieldset: code_signature
   short: Code signing flags of the process
-  type: string
+  type: keyword
 process.code_signature.signing_id:
   dashed_name: process-code-signature-signing-id
   description: 'The identifier used to sign the process.
@@ -9955,12 +9958,13 @@ process.parent.code_signature.flags:
   description: The flags used to sign the process.
   example: 570522385
   flat_name: process.parent.code_signature.flags
+  ignore_above: 1024
   level: extended
   name: flags
   normalize: []
   original_fieldset: code_signature
   short: Code signing flags of the process
-  type: string
+  type: keyword
 process.parent.code_signature.signing_id:
   dashed_name: process-parent-code-signature-signing-id
   description: 'The identifier used to sign the process.
@@ -14781,12 +14785,13 @@ threat.enrichments.indicator.file.code_signature.flags:
   description: The flags used to sign the process.
   example: 570522385
   flat_name: threat.enrichments.indicator.file.code_signature.flags
+  ignore_above: 1024
   level: extended
   name: flags
   normalize: []
   original_fieldset: code_signature
   short: Code signing flags of the process
-  type: string
+  type: keyword
 threat.enrichments.indicator.file.code_signature.signing_id:
   dashed_name: threat-enrichments-indicator-file-code-signature-signing-id
   description: 'The identifier used to sign the process.
@@ -17515,12 +17520,13 @@ threat.indicator.file.code_signature.flags:
   description: The flags used to sign the process.
   example: 570522385
   flat_name: threat.indicator.file.code_signature.flags
+  ignore_above: 1024
   level: extended
   name: flags
   normalize: []
   original_fieldset: code_signature
   short: Code signing flags of the process
-  type: string
+  type: keyword
 threat.indicator.file.code_signature.signing_id:
   dashed_name: threat-indicator-file-code-signature-signing-id
   description: 'The identifier used to sign the process.

diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
@@ -1326,11 +1326,12 @@ code_signature:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       short: Code signing flags of the process
-      type: string
+      type: keyword
     code_signature.signing_id:
       dashed_name: code-signature-signing-id
       description: 'The identifier used to sign the process.
@@ -2290,12 +2291,13 @@ dll:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: dll.code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       original_fieldset: code_signature
       short: Code signing flags of the process
-      type: string
+      type: keyword
     dll.code_signature.signing_id:
       dashed_name: dll-code-signature-signing-id
       description: 'The identifier used to sign the process.
@@ -5001,12 +5003,13 @@ file:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: file.code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       original_fieldset: code_signature
       short: Code signing flags of the process
-      type: string
+      type: keyword
     file.code_signature.signing_id:
       dashed_name: file-code-signature-signing-id
       description: 'The identifier used to sign the process.
@@ -10020,12 +10023,13 @@ process:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: process.code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       original_fieldset: code_signature
       short: Code signing flags of the process
-      type: string
+      type: keyword
     process.code_signature.signing_id:
       dashed_name: process-code-signature-signing-id
       description: 'The identifier used to sign the process.
@@ -12194,12 +12198,13 @@ process:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: process.parent.code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       original_fieldset: code_signature
       short: Code signing flags of the process
-      type: string
+      type: keyword
     process.parent.code_signature.signing_id:
       dashed_name: process-parent-code-signature-signing-id
       description: 'The identifier used to sign the process.
@@ -17482,12 +17487,13 @@ threat:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: threat.enrichments.indicator.file.code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       original_fieldset: code_signature
       short: Code signing flags of the process
-      type: string
+      type: keyword
     threat.enrichments.indicator.file.code_signature.signing_id:
       dashed_name: threat-enrichments-indicator-file-code-signature-signing-id
       description: 'The identifier used to sign the process.
@@ -20224,12 +20230,13 @@ threat:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: threat.indicator.file.code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       original_fieldset: code_signature
       short: Code signing flags of the process
-      type: string
+      type: keyword
     threat.indicator.file.code_signature.signing_id:
       dashed_name: threat-indicator-file-code-signature-signing-id
       description: 'The identifier used to sign the process.

diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json
@@ -18,7 +18,8 @@
                   "type": "boolean"
                 },
                 "flags": {
-                  "type": "string"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "signing_id": {
                   "ignore_above": 1024,

diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json
@@ -25,7 +25,8 @@
                   "type": "boolean"
                 },
                 "flags": {
-                  "type": "string"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "signing_id": {
                   "ignore_above": 1024,

diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json
@@ -25,7 +25,8 @@
                   "type": "boolean"
                 },
                 "flags": {
-                  "type": "string"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "signing_id": {
                   "ignore_above": 1024,
@@ -832,7 +833,8 @@
                       "type": "boolean"
                     },
                     "flags": {
-                      "type": "string"
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     },
                     "signing_id": {
                       "ignore_above": 1024,

diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json
@@ -67,7 +67,8 @@
                               "type": "boolean"
                             },
                             "flags": {
-                              "type": "string"
+                              "ignore_above": 1024,
+                              "type": "keyword"
                             },
                             "signing_id": {
                               "ignore_above": 1024,
@@ -995,7 +996,8 @@
                           "type": "boolean"
                         },
                         "flags": {
-                          "type": "string"
+                          "ignore_above": 1024,
+                          "type": "keyword"
                         },
                         "signing_id": {
                           "ignore_above": 1024,