Add thumbprint_sha256 to code_signature.* (#2452)

* add thumprint to code_signature

* address PR feedback

* update changelog

* include pattern

---------

Co-authored-by: Michael Wolf <[email protected]>

Author: ayfaouzi

CHANGELOG.next.md

@@ -14,7 +14,8 @@ Thanks, you're awesome :-) -->
 
 #### Bugfixes
 
-#### Added
+* Add `thumbprint_sha256` to `code_signature` schema. #2452
+* Add `origin_referrer_url` and `origin_url` fields, which indicate the origin information to the file, process and dll schemas #2441
 
 #### Improvements
 

docs/reference/ecs-code_signature.md

@@ -22,6 +22,7 @@ These fields contain information about binary code signatures.
 | $$$field-code-signature-status$$$ [code_signature.status](#field-code-signature-status) | Additional information about the certificate status.<br><br>This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.<br><br>type: keyword<br><br>example: `ERROR_UNTRUSTED_ROOT` | extended |
 | $$$field-code-signature-subject-name$$$ [code_signature.subject_name](#field-code-signature-subject-name) | Subject name of the code signer<br><br>type: keyword<br><br>example: `Microsoft Corporation` | core |
 | $$$field-code-signature-team-id$$$ [code_signature.team_id](#field-code-signature-team-id) | The team identifier used to sign the process.<br><br>This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.<br><br>type: keyword<br><br>example: `EQHXZ8M8AV` | extended |
+| $$$field-code-signature-thumbprint-sha256$$$ [code_signature.thumbprint_sha256](#field-code-signature-thumbprint-sha256) | _This field is beta and subject to change._ Certificate SHA256 hash that uniquely identifies the code signer.<br><br>type: keyword<br><br>example: `c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b` | extended |
 | $$$field-code-signature-timestamp$$$ [code_signature.timestamp](#field-code-signature-timestamp) | Date and time when the code signature was generated and signed.<br><br>type: date<br><br>example: `2021-01-01T12:10:30Z` | extended |
 | $$$field-code-signature-trusted$$$ [code_signature.trusted](#field-code-signature-trusted) | Stores the trust status of the certificate chain.<br><br>Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.<br><br>type: boolean<br><br>example: `true` | extended |
 | $$$field-code-signature-valid$$$ [code_signature.valid](#field-code-signature-valid) | Boolean to capture if the digital signature is verified against the binary content.<br><br>Leave unpopulated if a certificate was unchecked.<br><br>type: boolean<br><br>example: `true` | extended |

docs/reference/ecs-otel-alignment-overview.md

@@ -27,7 +27,7 @@ The following table summarizes the alignment status by namespaces between ECS in
 | CloudEvents | · | [5](https://opentelemetry.io/docs/specs/semconv/attributes-registry/cloudevents) | · | · | · | · | · | · |  |
 | cloudfoundry | · | [11](https://opentelemetry.io/docs/specs/semconv/attributes-registry/cloudfoundry) | · | · | · | · | · | · |  |
 | Code | · | [6](https://opentelemetry.io/docs/specs/semconv/attributes-registry/code) | · | · | · | · | · | · |  |
-| Code Signature | [10](/reference/ecs-code_signature.md) | · | · | · | · | · | · | · | · |
+| Code Signature | [11](/reference/ecs-code_signature.md) | · | · | · | · | · | · | · | · |
 | Container | [14](/reference/ecs-container.md) | [13](https://opentelemetry.io/docs/specs/semconv/attributes-registry/container) | 4 | 2 | 1 | · | 2 | · | · |
 | CPU | · | [1](https://opentelemetry.io/docs/specs/semconv/attributes-registry/cpu) | · | · | · | · | · | · |  |
 | Data Stream | [3](/reference/ecs-data_stream.md) | · | · | · | · | · | · | · | 3 |

experimental/generated/beats/fields.ecs.yml

@@ -1317,6 +1317,14 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: code_signature.thumbprint_sha256
+      level: extended
+      type: keyword
+      ignore_above: 64
+      description: Certificate SHA256 hash that uniquely identifies the code signer.
+      example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+      pattern: ^[0-9a-f]{64}$
+      default_field: false
     - name: code_signature.timestamp
       level: extended
       type: date
@@ -2498,6 +2506,14 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: code_signature.thumbprint_sha256
+      level: extended
+      type: keyword
+      ignore_above: 64
+      description: Certificate SHA256 hash that uniquely identifies the code signer.
+      example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+      pattern: ^[0-9a-f]{64}$
+      default_field: false
     - name: code_signature.timestamp
       level: extended
       type: date
@@ -4867,6 +4883,14 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: code_signature.thumbprint_sha256
+      level: extended
+      type: keyword
+      ignore_above: 64
+      description: Certificate SHA256 hash that uniquely identifies the code signer.
+      example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+      pattern: ^[0-9a-f]{64}$
+      default_field: false
     - name: code_signature.timestamp
       level: extended
       type: date
@@ -6192,6 +6216,14 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: parent.code_signature.thumbprint_sha256
+      level: extended
+      type: keyword
+      ignore_above: 64
+      description: Certificate SHA256 hash that uniquely identifies the code signer.
+      example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+      pattern: ^[0-9a-f]{64}$
+      default_field: false
     - name: parent.code_signature.timestamp
       level: extended
       type: date
@@ -9236,6 +9268,14 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: enrichments.indicator.file.code_signature.thumbprint_sha256
+      level: extended
+      type: keyword
+      ignore_above: 64
+      description: Certificate SHA256 hash that uniquely identifies the code signer.
+      example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+      pattern: ^[0-9a-f]{64}$
+      default_field: false
     - name: enrichments.indicator.file.code_signature.timestamp
       level: extended
       type: date
@@ -10872,6 +10912,14 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: indicator.file.code_signature.thumbprint_sha256
+      level: extended
+      type: keyword
+      ignore_above: 64
+      description: Certificate SHA256 hash that uniquely identifies the code signer.
+      example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+      pattern: ^[0-9a-f]{64}$
+      default_field: false
     - name: indicator.file.code_signature.timestamp
       level: extended
       type: date

experimental/generated/csv/fields.csv

@@ -154,6 +154,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 9.1.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 9.1.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+9.1.0-dev+exp,true,dll,dll.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
 9.1.0-dev+exp,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
 9.1.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 9.1.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
@@ -287,6 +288,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 9.1.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 9.1.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+9.1.0-dev+exp,true,file,file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
 9.1.0-dev+exp,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
 9.1.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 9.1.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
@@ -602,6 +604,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 9.1.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 9.1.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+9.1.0-dev+exp,true,process,process.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
 9.1.0-dev+exp,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
 9.1.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 9.1.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
@@ -784,6 +787,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 9.1.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 9.1.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+9.1.0-dev+exp,true,process,process.parent.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
 9.1.0-dev+exp,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
 9.1.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 9.1.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
@@ -1169,6 +1173,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 9.1.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
@@ -1390,6 +1395,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
 9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
 9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
 9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
 9.1.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.

experimental/generated/ecs/ecs_flat.yml

@@ -1968,6 +1968,20 @@ dll.code_signature.team_id:
   original_fieldset: code_signature
   short: The team identifier used to sign the process.
   type: keyword
+dll.code_signature.thumbprint_sha256:
+  beta: This field is beta and subject to change.
+  dashed_name: dll-code-signature-thumbprint-sha256
+  description: Certificate SHA256 hash that uniquely identifies the code signer.
+  example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+  flat_name: dll.code_signature.thumbprint_sha256
+  ignore_above: 64
+  level: extended
+  name: thumbprint_sha256
+  normalize: []
+  original_fieldset: code_signature
+  pattern: ^[0-9a-f]{64}$
+  short: SHA256 hash of the certificate.
+  type: keyword
 dll.code_signature.timestamp:
   dashed_name: dll-code-signature-timestamp
   description: Date and time when the code signature was generated and signed.
@@ -4192,6 +4206,20 @@ file.code_signature.team_id:
   original_fieldset: code_signature
   short: The team identifier used to sign the process.
   type: keyword
+file.code_signature.thumbprint_sha256:
+  beta: This field is beta and subject to change.
+  dashed_name: file-code-signature-thumbprint-sha256
+  description: Certificate SHA256 hash that uniquely identifies the code signer.
+  example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+  flat_name: file.code_signature.thumbprint_sha256
+  ignore_above: 64
+  level: extended
+  name: thumbprint_sha256
+  normalize: []
+  original_fieldset: code_signature
+  pattern: ^[0-9a-f]{64}$
+  short: SHA256 hash of the certificate.
+  type: keyword
 file.code_signature.timestamp:
   dashed_name: file-code-signature-timestamp
   description: Date and time when the code signature was generated and signed.
@@ -8236,6 +8264,20 @@ process.code_signature.team_id:
   original_fieldset: code_signature
   short: The team identifier used to sign the process.
   type: keyword
+process.code_signature.thumbprint_sha256:
+  beta: This field is beta and subject to change.
+  dashed_name: process-code-signature-thumbprint-sha256
+  description: Certificate SHA256 hash that uniquely identifies the code signer.
+  example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+  flat_name: process.code_signature.thumbprint_sha256
+  ignore_above: 64
+  level: extended
+  name: thumbprint_sha256
+  normalize: []
+  original_fieldset: code_signature
+  pattern: ^[0-9a-f]{64}$
+  short: SHA256 hash of the certificate.
+  type: keyword
 process.code_signature.timestamp:
   dashed_name: process-code-signature-timestamp
   description: Date and time when the code signature was generated and signed.
@@ -10420,6 +10462,20 @@ process.parent.code_signature.team_id:
   original_fieldset: code_signature
   short: The team identifier used to sign the process.
   type: keyword
+process.parent.code_signature.thumbprint_sha256:
+  beta: This field is beta and subject to change.
+  dashed_name: process-parent-code-signature-thumbprint-sha256
+  description: Certificate SHA256 hash that uniquely identifies the code signer.
+  example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+  flat_name: process.parent.code_signature.thumbprint_sha256
+  ignore_above: 64
+  level: extended
+  name: thumbprint_sha256
+  normalize: []
+  original_fieldset: code_signature
+  pattern: ^[0-9a-f]{64}$
+  short: SHA256 hash of the certificate.
+  type: keyword
 process.parent.code_signature.timestamp:
   dashed_name: process-parent-code-signature-timestamp
   description: Date and time when the code signature was generated and signed.
@@ -15312,6 +15368,20 @@ threat.enrichments.indicator.file.code_signature.team_id:
   original_fieldset: code_signature
   short: The team identifier used to sign the process.
   type: keyword
+threat.enrichments.indicator.file.code_signature.thumbprint_sha256:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-enrichments-indicator-file-code-signature-thumbprint-sha256
+  description: Certificate SHA256 hash that uniquely identifies the code signer.
+  example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+  flat_name: threat.enrichments.indicator.file.code_signature.thumbprint_sha256
+  ignore_above: 64
+  level: extended
+  name: thumbprint_sha256
+  normalize: []
+  original_fieldset: code_signature
+  pattern: ^[0-9a-f]{64}$
+  short: SHA256 hash of the certificate.
+  type: keyword
 threat.enrichments.indicator.file.code_signature.timestamp:
   dashed_name: threat-enrichments-indicator-file-code-signature-timestamp
   description: Date and time when the code signature was generated and signed.
@@ -18075,6 +18145,20 @@ threat.indicator.file.code_signature.team_id:
   original_fieldset: code_signature
   short: The team identifier used to sign the process.
   type: keyword
+threat.indicator.file.code_signature.thumbprint_sha256:
+  beta: This field is beta and subject to change.
+  dashed_name: threat-indicator-file-code-signature-thumbprint-sha256
+  description: Certificate SHA256 hash that uniquely identifies the code signer.
+  example: c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b
+  flat_name: threat.indicator.file.code_signature.thumbprint_sha256
+  ignore_above: 64
+  level: extended
+  name: thumbprint_sha256
+  normalize: []
+  original_fieldset: code_signature
+  pattern: ^[0-9a-f]{64}$
+  short: SHA256 hash of the certificate.
+  type: keyword
 threat.indicator.file.code_signature.timestamp:
   dashed_name: threat-indicator-file-code-signature-timestamp
   description: Date and time when the code signature was generated and signed.