diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b618b7394b..cc2d5276c5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -12,4 +12,4 @@ jobs: with: python-version: '3.x' - run: git fetch --prune --unshallow --tags - - run: make check + - run: make check yamllint diff --git a/Makefile b/Makefile index d6e65d4a45..5aaeebcebd 100644 --- a/Makefile +++ b/Makefile @@ -86,7 +86,7 @@ misspell: fi ./build/misspell/bin/misspell -error README.md CONTRIBUTING.md schemas/* docs/* experimental/schemas/* -# Warn re misspell removal +# Warn re misspell removal .PHONY: misspell_warn misspell_warn: @echo "Warning: due to lack of cross-platform support, misspell is no longer included in this task and may be deprecated in future\n" @@ -110,4 +110,4 @@ build/ve/bin/activate: scripts/requirements.txt scripts/requirements-dev.txt # Check YAML syntax (currently not enforced). .PHONY: yamllint yamllint: ve - build/ve/bin/yamllint schemas/*.yml + build/ve/bin/yamllint -d '{extends: default, rules: {line-length: disable}}' schemas/*.yml diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index eb2539b58c..5f1db39af5 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -873,7 +873,7 @@ a| beta:[ This field is beta and subject to change. ] The flags used to sign the process. -type: string +type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 3f1ce4ce93..2b0517df7f 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1273,7 +1273,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -2439,7 +2440,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -4793,7 +4795,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -6117,7 +6120,8 @@ default_field: false - name: parent.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -9186,7 +9190,8 @@ default_field: false - name: enrichments.indicator.file.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -10807,7 +10812,8 @@ default_field: false - name: indicator.file.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index c3e41bd7f7..6509128e7c 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -149,7 +149,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device 8.12.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -280,7 +280,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -593,7 +593,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -775,7 +775,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -1163,7 +1163,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -1382,7 +1382,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 1aecb01166..c78d8ba96a 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1806,12 +1806,13 @@ dll.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: dll.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -3957,12 +3958,13 @@ file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -7787,12 +7789,13 @@ process.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: process.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -9956,12 +9959,13 @@ process.parent.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: process.parent.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -14796,12 +14800,13 @@ threat.enrichments.indicator.file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17532,12 +17537,13 @@ threat.indicator.file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index a04ec92aec..17596a0501 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1326,11 +1326,12 @@ code_signature: description: The flags used to sign the process. example: 570522385 flat_name: code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] short: Code signing flags of the process - type: string + type: keyword code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. @@ -2290,12 +2291,13 @@ dll: description: The flags used to sign the process. example: 570522385 flat_name: dll.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -5001,12 +5003,13 @@ file: description: The flags used to sign the process. example: 570522385 flat_name: file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -10020,12 +10023,13 @@ process: description: The flags used to sign the process. example: 570522385 flat_name: process.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -12194,12 +12198,13 @@ process: description: The flags used to sign the process. example: 570522385 flat_name: process.parent.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17496,12 +17501,13 @@ threat: description: The flags used to sign the process. example: 570522385 flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -20238,12 +20244,13 @@ threat: description: The flags used to sign the process. example: 570522385 flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json index 55e2246263..e59687764d 100644 --- a/experimental/generated/elasticsearch/composable/component/dll.json +++ b/experimental/generated/elasticsearch/composable/component/dll.json @@ -18,7 +18,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json index adb9d1d8ec..175a0cbab7 100644 --- a/experimental/generated/elasticsearch/composable/component/file.json +++ b/experimental/generated/elasticsearch/composable/component/file.json @@ -25,7 +25,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index de0be5f249..76b8983a3b 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -25,7 +25,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -832,7 +833,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index cdcbbd7ae6..32056d1507 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -67,7 +67,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -995,7 +996,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 459afd6a1a..c3e442ee00 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -801,7 +801,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -1376,7 +1377,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -2768,7 +2770,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -3575,7 +3578,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -5324,7 +5328,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -6252,7 +6257,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 9e8fb0a70d..b721f7cc65 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1223,7 +1223,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -2389,7 +2390,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -4743,7 +4745,8 @@ default_field: false - name: code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -6067,7 +6070,8 @@ default_field: false - name: parent.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -9136,7 +9140,8 @@ default_field: false - name: enrichments.indicator.file.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false @@ -10757,7 +10762,8 @@ default_field: false - name: indicator.file.code_signature.flags level: extended - type: string + type: keyword + ignore_above: 1024 description: The flags used to sign the process. example: 570522385 default_field: false diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 71c0f4300c..c976f116d4 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -142,7 +142,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device 8.12.0-dev,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -273,7 +273,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -586,7 +586,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -768,7 +768,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. 8.12.0-dev,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -1156,7 +1156,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer @@ -1375,7 +1375,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -8.12.0-dev,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process +8.12.0-dev,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process 8.12.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 8.12.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 9431bf26e7..95d7013887 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1737,12 +1737,13 @@ dll.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: dll.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -3888,12 +3889,13 @@ file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -7718,12 +7720,13 @@ process.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: process.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -9887,12 +9890,13 @@ process.parent.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: process.parent.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -14727,12 +14731,13 @@ threat.enrichments.indicator.file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17463,12 +17468,13 @@ threat.indicator.file.code_signature.flags: description: The flags used to sign the process. example: 570522385 flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a4470668e4..5491a7eb8d 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -1246,11 +1246,12 @@ code_signature: description: The flags used to sign the process. example: 570522385 flat_name: code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] short: Code signing flags of the process - type: string + type: keyword code_signature.signing_id: dashed_name: code-signature-signing-id description: 'The identifier used to sign the process. @@ -2210,12 +2211,13 @@ dll: description: The flags used to sign the process. example: 570522385 flat_name: dll.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword dll.code_signature.signing_id: dashed_name: dll-code-signature-signing-id description: 'The identifier used to sign the process. @@ -4921,12 +4923,13 @@ file: description: The flags used to sign the process. example: 570522385 flat_name: file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword file.code_signature.signing_id: dashed_name: file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -9940,12 +9943,13 @@ process: description: The flags used to sign the process. example: 570522385 flat_name: process.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.code_signature.signing_id: dashed_name: process-code-signature-signing-id description: 'The identifier used to sign the process. @@ -12114,12 +12118,13 @@ process: description: The flags used to sign the process. example: 570522385 flat_name: process.parent.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword process.parent.code_signature.signing_id: dashed_name: process-parent-code-signature-signing-id description: 'The identifier used to sign the process. @@ -17416,12 +17421,13 @@ threat: description: The flags used to sign the process. example: 570522385 flat_name: threat.enrichments.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.enrichments.indicator.file.code_signature.signing_id: dashed_name: threat-enrichments-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. @@ -20158,12 +20164,13 @@ threat: description: The flags used to sign the process. example: 570522385 flat_name: threat.indicator.file.code_signature.flags + ignore_above: 1024 level: extended name: flags normalize: [] original_fieldset: code_signature short: Code signing flags of the process - type: string + type: keyword threat.indicator.file.code_signature.signing_id: dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. diff --git a/generated/elasticsearch/composable/component/dll.json b/generated/elasticsearch/composable/component/dll.json index b5f52995c5..7c76d1ed0d 100644 --- a/generated/elasticsearch/composable/component/dll.json +++ b/generated/elasticsearch/composable/component/dll.json @@ -18,7 +18,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/file.json b/generated/elasticsearch/composable/component/file.json index cc12f10be1..c032c0a53c 100644 --- a/generated/elasticsearch/composable/component/file.json +++ b/generated/elasticsearch/composable/component/file.json @@ -25,7 +25,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 610ff74848..d48a4eddab 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -25,7 +25,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -832,7 +833,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index c9030c4167..40f98ec195 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -67,7 +67,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -995,7 +996,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index bb5462b644..9421e038ea 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -759,7 +759,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -1334,7 +1335,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -2726,7 +2728,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -3533,7 +3536,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -5282,7 +5286,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, @@ -6210,7 +6215,8 @@ "type": "boolean" }, "flags": { - "type": "string" + "ignore_above": 1024, + "type": "keyword" }, "signing_id": { "ignore_above": 1024, diff --git a/rfcs/text/0044/code_signature.yml b/rfcs/text/0044/code_signature.yml index 091339048d..d16b64b6e4 100644 --- a/rfcs/text/0044/code_signature.yml +++ b/rfcs/text/0044/code_signature.yml @@ -3,8 +3,8 @@ fields: - name: flags level: extended - type: string + type: keyword short: Code signing flags of the process description: > The flags used to sign the process. - example: 570522385 \ No newline at end of file + example: 570522385 diff --git a/schemas/code_signature.yml b/schemas/code_signature.yml index 67e6a5da4a..e5808e6e3d 100644 --- a/schemas/code_signature.yml +++ b/schemas/code_signature.yml @@ -37,7 +37,7 @@ - name: flags level: extended - type: string + type: keyword short: Code signing flags of the process description: > The flags used to sign the process. diff --git a/schemas/email.yml b/schemas/email.yml index 82bfd5b219..9c8b6ff390 100644 --- a/schemas/email.yml +++ b/schemas/email.yml @@ -180,8 +180,8 @@ A brief summary of the topic of the message. example: "Please see this important message." multi_fields: - - type: match_only_text - name: text + - type: match_only_text + name: text - name: to.address level: extended diff --git a/schemas/pe.yml b/schemas/pe.yml index f2a5f1561e..d201544658 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml @@ -208,4 +208,3 @@ format: string type: long level: extended - diff --git a/scripts/tests/test_ecs_spec.py b/scripts/tests/test_ecs_spec.py index edb0b8420c..a55d7bbb68 100644 --- a/scripts/tests/test_ecs_spec.py +++ b/scripts/tests/test_ecs_spec.py @@ -130,6 +130,41 @@ def test_normalize_always_array(self): for (field_name, field) in self.ecs_fields.items(): self.assertIsInstance(field.get('normalize'), list, field_name) + def test_valid_type(self): + valid_types = ['binary', + 'boolean', + 'keyword', + 'constant_keyword', + 'wildcard', + 'long', + 'integer', + 'short', + 'byte', + 'double', + 'float', + 'half_float', + 'scaled_float', + 'unsigned_long', + 'date', + 'date_nanos', + 'alias', + 'object', + 'flattened', + 'nested', + 'join', + 'long_range', + 'double_range', + 'date_range', + 'ip', + 'text', + 'match_only_text', + 'geo_point', + 'geo_shape', + 'point', + 'shape'] + for (field_name, field) in self.ecs_fields.items(): + self.assertIn(field.get('type'), valid_types, field_name) + if __name__ == '__main__': unittest.main()