diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index d04029f171..d4de1819cf 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -17,6 +17,7 @@ Thanks, you're awesome :-) --> #### Added * Added `search.*` fields #729 +* Added `x509.*` fields #762 #### Improvements diff --git a/code/go/ecs/x509.go b/code/go/ecs/x509.go new file mode 100644 index 0000000000..c5020b0706 --- /dev/null +++ b/code/go/ecs/x509.go 
@@ -0,0 +1,104 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by scripts/gocodegen.go - DO NOT EDIT.
+
+package ecs
+
+import (
+ "time"
+)
+
+// These fields contain x509 certificate metadata.
+type X509 struct {
+ // Version of x509 format.
+ VersionNumber int64 `ecs:"version_number"`
+
+ // Unique serial number issued by the certificate authority.
+ SerialNumber string `ecs:"serial_number"`
+
+ // Distinguished name (DN) of issuing certificate authority.
+ IssuerDistinguishedName string `ecs:"issuer.distinguished_name"`
+
+ // Common name (CN) of issuing certificate authority.
+ IssuerCommonName string `ecs:"issuer.common_name"`
+
+ // List of organizational units (OU) of issuing certificate authority.
+ IssuerOrganizationalUnit string `ecs:"issuer.organizational_unit"`
+
+ // Organizational units (O) of issuing certificate authority.
+ IssuerOrganization string `ecs:"issuer.organization"`
+
+ // Locality name (L)
+ IssuerLocality string `ecs:"issuer.locality"`
+
+ // State or province name (ST, S, or P)
+ IssuerStateOrProvince string `ecs:"issuer.state_or_province"`
+
+ // Country (C) code
+ IssuerCountry string `ecs:"issuer.country"`
+
+ // Identifier for certificate signature algorithm. Recommend using names
+ // found in Go Lang Crypto library
+ // (https://golang.org/src/crypto/x509/x509.go).
+ SignatureAlgorithm string `ecs:"signature_algorithm"`
+
+ // Time at which the certificate is first considered valid.
+ NotBefore time.Time `ecs:"not_before"`
+
+ // Time at which the certificate is first considered valid.
+ NotAfter time.Time `ecs:"not_after"`
+
+ // Distinguished name (DN) of the certificate subject entity.
+ SubjectDistinguishedName string `ecs:"subject.distinguished_name"`
+
+ // Common name (CN) of subject.
+ SubjectCommonName string `ecs:"subject.common_name"`
+
+ // List of organizational units (OU) of subject.
+ SubjectOrganizationalUnit string `ecs:"subject.organizational_unit"`
+
+ // Organizational units (O) of subject.
+ SubjectOrganization string `ecs:"subject.organization"`
+
+ // Locality name (L)
+ SubjectLocality string `ecs:"subject.locality"`
+
+ // State or province name (ST, S, or P)
+ SubjectStateOrProvince string `ecs:"subject.state_or_province"`
+
+ // Country (C) code
+ SubjectCountry string `ecs:"subject.country"`
+
+ // Algorithm used to generate the public key.
+ PublicKeyAlgorithm string `ecs:"public_key_algorithm"`
+
+ // The size of the public key space in bits.
+ PublicKeySize int64 `ecs:"public_key_size"`
+
+ // Exponent used to derive the public key. This is algorithm specific.
+ PublicKeyExponent int64 `ecs:"public_key_exponent"`
+
+ // The curve used by the elliptic curve public key algorithm. This is
+ // algorithm specific.
+ PublicKeyCurve string `ecs:"public_key_curve"`
+
+ // List of subject alternative names (SAN). Name types vary by certificate
+ // authority and certificate type but commonly contain IP addresses, DNS
+ // names (and wildcards), and email addresses.
+ AlternativeNames string `ecs:"alternative_names"`
+}
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index e5fc2b158a..18e9631add 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
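Review bot: The doc comment on `NotAfter` repeats the `NotBefore` text ("first considered valid"), so the two validity-window fields that expiry and not-yet-valid certificate detections key on are documented identically; it should read `// Time at which the certificate is no longer considered valid.`. Because this file carries a "Code generated by scripts/gocodegen.go - DO NOT EDIT" header, the correction belongs in the schema definition that feeds the generator (not visible in this chunk), from which the same wrong description is propagated into the docs/field-details.asciidoc, generated/beats/fields.ecs.yml and generated/csv/fields.csv hunks below. In the same way, `IssuerOrganization` and `SubjectOrganization` are described as "Organizational units (O)" although the `O` attribute is the organization name and the OU fields sit directly above them; `// Organization (O) of issuing certificate authority.` and `// Organization (O) of subject.` would distinguish the two.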
@@ -2217,6 +2217,12 @@ example: `1001` // =============================================================== +| <> +| These fields contain x509 certificate metadata. + +// =============================================================== + + |===== [[ecs-geo]] @@ -6075,6 +6081,29 @@ example: `tls` // =============================================================== +|===== + +==== Field Reuse + + + + +[[ecs-tls-nestings]] +===== Field sets that can be nested under TLS + +[options="header"] +|===== +| Nested fields | Description + +// =============================================================== + + +| <> +| These fields contain x509 certificate metadata. + +// =============================================================== + + |===== [[ecs-tracing]] 
@@ -6834,3 +6863,339 @@ example: `Critical` // =============================================================== |===== + +[[ecs-x509]] +=== x509 Certificate Fields + +These fields contain x509 certificate metadata. + +==== x509 Certificate Field Details + +[options="header"] +|===== +| Field | Description | Level + +// =============================================================== + +| x509.alternative_names +| List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + + + +example: `*.elastic.co` + +| extended + +// =============================================================== + +| x509.issuer.common_name +| Common name (CN) of issuing certificate authority. + +type: keyword + + + +example: `DigiCert SHA2 High Assurance Server CA` + +| extended + +// =============================================================== + +| x509.issuer.country +| Country (C) code + +type: keyword + + + +example: `US` + +| extended + +// =============================================================== + +| x509.issuer.distinguished_name +| Distinguished name (DN) of issuing certificate authority. + +type: keyword + + + +example: `C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA` + +| extended + +// =============================================================== + +| x509.issuer.locality +| Locality name (L) + +type: keyword + + + +example: `Mountain View` + +| extended + +// =============================================================== + +| x509.issuer.organization +| Organizational units (O) of issuing certificate authority. + +type: keyword + + + +example: `DigiCert Inc` + +| extended + +// =============================================================== + +| x509.issuer.organizational_unit +| List of organizational units (OU) of issuing certificate authority. 
+ +type: keyword + + + +example: `www.digicert.com` + +| extended + +// =============================================================== + +| x509.issuer.state_or_province +| State or province name (ST, S, or P) + +type: keyword + + + +example: `California` + +| extended + +// =============================================================== + +| x509.not_after +| Time at which the certificate is first considered valid. + +type: date + + + +example: `2020-07-16 03:15:39+00:00` + +| extended + +// =============================================================== + +| x509.not_before +| Time at which the certificate is first considered valid. + +type: date + + + +example: `2019-08-16 01:40:25+00:00` + +| extended + +// =============================================================== + +| x509.public_key_algorithm +| Algorithm used to generate the public key. + +type: keyword + + + +example: `RSA, ECDSA` + +| extended + +// =============================================================== + +| x509.public_key_curve +| The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + + + +example: `nistp521` + +| extended + +// =============================================================== + +| x509.public_key_exponent +| Exponent used to derive the public key. This is algorithm specific. + +type: long + + + +example: `65537` + +| extended + +// =============================================================== + +| x509.public_key_size +| The size of the public key space in bits. + +type: long + + + +example: `2048` + +| extended + +// =============================================================== + +| x509.serial_number +| Unique serial number issued by the certificate authority. + +type: keyword + + + +example: `55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa` + +| extended + +// =============================================================== + +| x509.signature_algorithm +| Identifier for certificate signature algorithm. 
Recommend using names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + +type: keyword + + + +example: `SHA256-RSA` + +| extended + +// =============================================================== + +| x509.subject.common_name +| Common name (CN) of subject. + +type: keyword + + + +example: `r2.shared.global.fastly.net` + +| extended + +// =============================================================== + +| x509.subject.country +| Country (C) code + +type: keyword + + + +example: `US` + +| extended + +// =============================================================== + +| x509.subject.distinguished_name +| Distinguished name (DN) of the certificate subject entity. + +type: keyword + + + +example: `C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net` + +| extended + +// =============================================================== + +| x509.subject.locality +| Locality name (L) + +type: keyword + + + +example: `San Francisco` + +| extended + +// =============================================================== + +| x509.subject.organization +| Organizational units (O) of subject. + +type: keyword + + + +example: `Fastly, Inc.` + +| extended + +// =============================================================== + +| x509.subject.organizational_unit +| List of organizational units (OU) of subject. + +type: keyword + + + + + +| extended + +// =============================================================== + +| x509.subject.state_or_province +| State or province name (ST, S, or P) + +type: keyword + + + +example: `California` + +| extended + +// =============================================================== + +| x509.version_number +| Version of x509 format. + +type: long + + + +example: `3` + +| extended + +// =============================================================== + +|===== + +==== Field Reuse + +The `x509` fields are expected to be nested at: `file.x509`, `tls.x509`. 
+ +Note also that the `x509` fields are not expected to be used directly at the top level. + + + diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index 3486218007..7543e59f22 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -104,6 +104,8 @@ all fields are defined. | <> | Fields to describe the vulnerability relevant to an event. +| <> | These fields contain x509 certificate metadata. + |===== include::field-details.asciidoc[] diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 32a605920b..51bb2b1d98 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -1640,6 +1640,173 @@ ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' + - name: x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: Common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + default_field: false + - name: x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: Country (C) code + example: US + default_field: false + - name: x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + default_field: false + - name: x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: Locality name (L) + example: Mountain View + default_field: false + - name: x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: Organizational units (O) of issuing certificate authority. + example: DigiCert Inc + default_field: false + - name: x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.digicert.com + default_field: false + - name: x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: State or province name (ST, S, or P) + example: California + default_field: false + - name: x509.not_after + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA, ECDSA + default_field: false + - name: x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + default_field: false + - name: x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. + example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + default_field: false + - name: x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. Recommend using + names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). 
+ example: SHA256-RSA + default_field: false + - name: x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: Common name (CN) of subject. + example: r2.shared.global.fastly.net + default_field: false + - name: x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: Country (C) code + example: US + default_field: false + - name: x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + default_field: false + - name: x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: Locality name (L) + example: San Francisco + default_field: false + - name: x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: Organizational units (O) of subject. + example: Fastly, Inc. + default_field: false + - name: x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: State or province name (ST, S, or P) + example: California + default_field: false + - name: x509.version_number + level: extended + type: long + description: Version of x509 format. + example: 3 + default_field: false - name: geo title: Geo group: 2 
@@ -4477,6 +4644,173 @@ description: Normalized lowercase protocol name parsed from original string. example: tls default_field: false + - name: x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: Common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + default_field: false + - name: x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: Country (C) code + example: US + default_field: false + - name: x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + default_field: false + - name: x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: Locality name (L) + example: Mountain View + default_field: false + - name: x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: Organizational units (O) of issuing certificate authority. + example: DigiCert Inc + default_field: false + - name: x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.digicert.com + default_field: false + - name: x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: State or province name (ST, S, or P) + example: California + default_field: false + - name: x509.not_after + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA, ECDSA + default_field: false + - name: x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + default_field: false + - name: x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. + example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + default_field: false + - name: x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. Recommend using + names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). 
+ example: SHA256-RSA + default_field: false + - name: x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: Common name (CN) of subject. + example: r2.shared.global.fastly.net + default_field: false + - name: x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: Country (C) code + example: US + default_field: false + - name: x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + default_field: false + - name: x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: Locality name (L) + example: San Francisco + default_field: false + - name: x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: Organizational units (O) of subject. + example: Fastly, Inc. + default_field: false + - name: x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: State or province name (ST, S, or P) + example: California + default_field: false + - name: x509.version_number + level: extended + type: long + description: Version of x509 format. + example: 3 + default_field: false - name: tracing title: Tracing group: 2 
@@ -4954,3 +5288,176 @@ prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) example: Critical default_field: false + - name: x509 + title: x509 Certificate + group: 2 + description: These fields contain x509 certificate metadata. + type: group + fields: + - name: alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: Common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + default_field: false + - name: issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: Country (C) code + example: US + default_field: false + - name: issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + default_field: false + - name: issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: Locality name (L) + example: Mountain View + default_field: false + - name: issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: Organizational units (O) of issuing certificate authority. + example: DigiCert Inc + default_field: false + - name: issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.digicert.com + default_field: false + - name: issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: State or province name (ST, S, or P) + example: California + default_field: false + - name: not_after + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA, ECDSA + default_field: false + - name: public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + default_field: false + - name: public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. + example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + default_field: false + - name: signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. Recommend using + names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). 
+ example: SHA256-RSA + default_field: false + - name: subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: Common name (CN) of subject. + example: r2.shared.global.fastly.net + default_field: false + - name: subject.country + level: extended + type: keyword + ignore_above: 1024 + description: Country (C) code + example: US + default_field: false + - name: subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + default_field: false + - name: subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: Locality name (L) + example: San Francisco + default_field: false + - name: subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: Organizational units (O) of subject. + example: Fastly, Inc. + default_field: false + - name: subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: State or province name (ST, S, or P) + example: California + default_field: false + - name: version_number + level: extended + type: long + description: Version of x509 format. + example: 3 + default_field: false diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index a3475e1eec..1e6603646a 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -197,6 +197,30 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.6.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. 1.6.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." 1.6.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.6.0-dev,true,file,file.x509.alternative_names,keyword,extended,,*.elastic.co,"List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses." +1.6.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,,DigiCert SHA2 High Assurance Server CA,Common name (CN) of issuing certificate authority. +1.6.0-dev,true,file,file.x509.issuer.country,keyword,extended,,US,Country (C) code +1.6.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.6.0-dev,true,file,file.x509.issuer.locality,keyword,extended,,Mountain View,Locality name (L) +1.6.0-dev,true,file,file.x509.issuer.organization,keyword,extended,,DigiCert Inc,Organizational units (O) of issuing certificate authority. +1.6.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,,www.digicert.com,List of organizational units (OU) of issuing certificate authority. +1.6.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,,California,"State or province name (ST, S, or P)" +1.6.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is first considered valid. +1.6.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. 
+1.6.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,"RSA, ECDSA",Algorithm used to generate the public key. +1.6.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.6.0-dev,true,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.6.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.6.0-dev,true,file,file.x509.serial_number,keyword,extended,,55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa,Unique serial number issued by the certificate authority. +1.6.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). +1.6.0-dev,true,file,file.x509.subject.common_name,keyword,extended,,r2.shared.global.fastly.net,Common name (CN) of subject. +1.6.0-dev,true,file,file.x509.subject.country,keyword,extended,,US,Country (C) code +1.6.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net",Distinguished name (DN) of the certificate subject entity. +1.6.0-dev,true,file,file.x509.subject.locality,keyword,extended,,San Francisco,Locality name (L) +1.6.0-dev,true,file,file.x509.subject.organization,keyword,extended,,"Fastly, Inc.",Organizational units (O) of subject. +1.6.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,,,List of organizational units (OU) of subject. +1.6.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,,California,"State or province name (ST, S, or P)" +1.6.0-dev,true,file,file.x509.version_number,long,extended,,3,Version of x509 format. 1.6.0-dev,true,geo,geo.city_name,keyword,core,,Montreal,City name. 
1.6.0-dev,true,geo,geo.continent_name,keyword,core,,North America,Name of the continent. 1.6.0-dev,true,geo,geo.country_iso_code,keyword,core,,CA,Country ISO code. 
@@ -560,6 +584,30 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.6.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com",Subject of the x.509 certificate presented by the server. 1.6.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. 1.6.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +1.6.0-dev,true,tls,tls.x509.alternative_names,keyword,extended,,*.elastic.co,"List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses." +1.6.0-dev,true,tls,tls.x509.issuer.common_name,keyword,extended,,DigiCert SHA2 High Assurance Server CA,Common name (CN) of issuing certificate authority. +1.6.0-dev,true,tls,tls.x509.issuer.country,keyword,extended,,US,Country (C) code +1.6.0-dev,true,tls,tls.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.6.0-dev,true,tls,tls.x509.issuer.locality,keyword,extended,,Mountain View,Locality name (L) +1.6.0-dev,true,tls,tls.x509.issuer.organization,keyword,extended,,DigiCert Inc,Organizational units (O) of issuing certificate authority. +1.6.0-dev,true,tls,tls.x509.issuer.organizational_unit,keyword,extended,,www.digicert.com,List of organizational units (OU) of issuing certificate authority. +1.6.0-dev,true,tls,tls.x509.issuer.state_or_province,keyword,extended,,California,"State or province name (ST, S, or P)" +1.6.0-dev,true,tls,tls.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is first considered valid. 
+1.6.0-dev,true,tls,tls.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.6.0-dev,true,tls,tls.x509.public_key_algorithm,keyword,extended,,"RSA, ECDSA",Algorithm used to generate the public key. +1.6.0-dev,true,tls,tls.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.6.0-dev,true,tls,tls.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.6.0-dev,true,tls,tls.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.6.0-dev,true,tls,tls.x509.serial_number,keyword,extended,,55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa,Unique serial number issued by the certificate authority. +1.6.0-dev,true,tls,tls.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). +1.6.0-dev,true,tls,tls.x509.subject.common_name,keyword,extended,,r2.shared.global.fastly.net,Common name (CN) of subject. +1.6.0-dev,true,tls,tls.x509.subject.country,keyword,extended,,US,Country (C) code +1.6.0-dev,true,tls,tls.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net",Distinguished name (DN) of the certificate subject entity. +1.6.0-dev,true,tls,tls.x509.subject.locality,keyword,extended,,San Francisco,Locality name (L) +1.6.0-dev,true,tls,tls.x509.subject.organization,keyword,extended,,"Fastly, Inc.",Organizational units (O) of subject. +1.6.0-dev,true,tls,tls.x509.subject.organizational_unit,keyword,extended,,,List of organizational units (OU) of subject. 
+1.6.0-dev,true,tls,tls.x509.subject.state_or_province,keyword,extended,,California,"State or province name (ST, S, or P)" +1.6.0-dev,true,tls,tls.x509.version_number,long,extended,,3,Version of x509 format. 1.6.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. 1.6.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction. 1.6.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. 
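Review bot: The description of `tls.x509.not_after` at the end of this hunk is a copy of the `not_before` text, "Time at which the certificate is first considered valid.", which inverts the meaning of the field for anyone building expiry or validity-window detections on it; it should read `Time at which the certificate is no longer considered valid.` The same wrong text appears for `x509.not_after` in the next hunk and for `file.x509.not_after`, `tls.x509.not_after` and `x509.not_after` in the ecs_flat.yml hunks, so the fix belongs in the schema source these generated files are produced from rather than in the generated output. While there, `issuer.organization` and `subject.organization` are described as "Organizational units (O) …" although O is the organization and OU is the organizational unit; `Organization (O) of issuing certificate authority.` and `Organization (O) of subject.` would match the field names and the OU fields' own descriptions.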
@@ -617,3 +665,27 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.6.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. 1.6.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. 1.6.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +1.6.0-dev,true,x509,x509.alternative_names,keyword,extended,,*.elastic.co,"List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses." +1.6.0-dev,true,x509,x509.issuer.common_name,keyword,extended,,DigiCert SHA2 High Assurance Server CA,Common name (CN) of issuing certificate authority. +1.6.0-dev,true,x509,x509.issuer.country,keyword,extended,,US,Country (C) code +1.6.0-dev,true,x509,x509.issuer.distinguished_name,keyword,extended,,"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.6.0-dev,true,x509,x509.issuer.locality,keyword,extended,,Mountain View,Locality name (L) +1.6.0-dev,true,x509,x509.issuer.organization,keyword,extended,,DigiCert Inc,Organizational units (O) of issuing certificate authority. +1.6.0-dev,true,x509,x509.issuer.organizational_unit,keyword,extended,,www.digicert.com,List of organizational units (OU) of issuing certificate authority. +1.6.0-dev,true,x509,x509.issuer.state_or_province,keyword,extended,,California,"State or province name (ST, S, or P)" +1.6.0-dev,true,x509,x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is first considered valid. +1.6.0-dev,true,x509,x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. 
+1.6.0-dev,true,x509,x509.public_key_algorithm,keyword,extended,,"RSA, ECDSA",Algorithm used to generate the public key. +1.6.0-dev,true,x509,x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.6.0-dev,true,x509,x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.6.0-dev,true,x509,x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.6.0-dev,true,x509,x509.serial_number,keyword,extended,,55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa,Unique serial number issued by the certificate authority. +1.6.0-dev,true,x509,x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). +1.6.0-dev,true,x509,x509.subject.common_name,keyword,extended,,r2.shared.global.fastly.net,Common name (CN) of subject. +1.6.0-dev,true,x509,x509.subject.country,keyword,extended,,US,Country (C) code +1.6.0-dev,true,x509,x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net",Distinguished name (DN) of the certificate subject entity. +1.6.0-dev,true,x509,x509.subject.locality,keyword,extended,,San Francisco,Locality name (L) +1.6.0-dev,true,x509,x509.subject.organization,keyword,extended,,"Fastly, Inc.",Organizational units (O) of subject. +1.6.0-dev,true,x509,x509.subject.organizational_unit,keyword,extended,,,List of organizational units (OU) of subject. +1.6.0-dev,true,x509,x509.subject.state_or_province,keyword,extended,,California,"State or province name (ST, S, or P)" +1.6.0-dev,true,x509,x509.version_number,long,extended,,3,Version of x509 format. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index c208c747ca..d38c4fc1f9 100644 --- a/generated/ecs/ecs_flat.yml 
+++ b/generated/ecs/ecs_flat.yml 
@@ -3011,6 +3011,321 @@ file.uid: order: 10 short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword +file.x509.alternative_names: + dashed_name: file-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: file.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: [] + order: 23 + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate authority + and certificate type but commonly contain IP addresses, DNS names (and wildcards), + and email addresses. + type: keyword +file.x509.issuer.common_name: + dashed_name: file-x509-issuer-common-name + description: Common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + flat_name: file.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: [] + order: 3 + original_fieldset: x509 + short: Common name (CN) of issuing certificate authority. + type: keyword +file.x509.issuer.country: + dashed_name: file-x509-issuer-country + description: Country (C) code + example: US + flat_name: file.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: [] + order: 8 + original_fieldset: x509 + short: Country (C) code + type: keyword +file.x509.issuer.distinguished_name: + dashed_name: file-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + flat_name: file.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + order: 2 + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword +file.x509.issuer.locality: + dashed_name: file-x509-issuer-locality + description: Locality name (L) + example: Mountain View + flat_name: file.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: [] + order: 6 + original_fieldset: x509 + short: Locality name (L) + type: keyword +file.x509.issuer.organization: + dashed_name: file-x509-issuer-organization + description: Organizational units (O) of issuing certificate authority. + example: DigiCert Inc + flat_name: file.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: [] + order: 5 + original_fieldset: x509 + short: Organizational units (O) of issuing certificate authority. + type: keyword +file.x509.issuer.organizational_unit: + dashed_name: file-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + flat_name: file.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: [] + order: 4 + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword +file.x509.issuer.state_or_province: + dashed_name: file-x509-issuer-state-or-province + description: State or province name (ST, S, or P) + example: California + flat_name: file.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: [] + order: 7 + original_fieldset: x509 + short: State or province name (ST, S, or P) + type: keyword +file.x509.not_after: + dashed_name: file-x509-not-after + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: file.x509.not_after + level: extended + name: not_after + normalize: [] + order: 11 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +file.x509.not_before: + dashed_name: file-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: file.x509.not_before + level: extended + name: not_before + normalize: [] + order: 10 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +file.x509.public_key_algorithm: + dashed_name: file-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA, ECDSA + flat_name: file.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + order: 19 + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword +file.x509.public_key_curve: + dashed_name: file-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: file.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + order: 22 + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. 
+ type: keyword +file.x509.public_key_exponent: + dashed_name: file-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + flat_name: file.x509.public_key_exponent + level: extended + name: public_key_exponent + normalize: [] + order: 21 + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +file.x509.public_key_size: + dashed_name: file-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: file.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + order: 20 + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +file.x509.serial_number: + dashed_name: file-x509-serial-number + description: Unique serial number issued by the certificate authority. + example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + flat_name: file.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + order: 1 + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword +file.x509.signature_algorithm: + dashed_name: file-x509-signature-algorithm + description: Identifier for certificate signature algorithm. Recommend using names + found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + example: SHA256-RSA + flat_name: file.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + order: 9 + original_fieldset: x509 + short: Identifier for certificate signature algorithm. Recommend using names found + in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + type: keyword +file.x509.subject.common_name: + dashed_name: file-x509-subject-common-name + description: Common name (CN) of subject. 
+ example: r2.shared.global.fastly.net + flat_name: file.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: [] + order: 13 + original_fieldset: x509 + short: Common name (CN) of subject. + type: keyword +file.x509.subject.country: + dashed_name: file-x509-subject-country + description: Country (C) code + example: US + flat_name: file.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: [] + order: 18 + original_fieldset: x509 + short: Country (C) code + type: keyword +file.x509.subject.distinguished_name: + dashed_name: file-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: file.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + order: 12 + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword +file.x509.subject.locality: + dashed_name: file-x509-subject-locality + description: Locality name (L) + example: San Francisco + flat_name: file.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: [] + order: 16 + original_fieldset: x509 + short: Locality name (L) + type: keyword +file.x509.subject.organization: + dashed_name: file-x509-subject-organization + description: Organizational units (O) of subject. + example: Fastly, Inc. + flat_name: file.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: [] + order: 15 + original_fieldset: x509 + short: Organizational units (O) of subject. + type: keyword +file.x509.subject.organizational_unit: + dashed_name: file-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. 
+ flat_name: file.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: [] + order: 14 + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +file.x509.subject.state_or_province: + dashed_name: file-x509-subject-state-or-province + description: State or province name (ST, S, or P) + example: California + flat_name: file.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: [] + order: 17 + original_fieldset: x509 + short: State or province name (ST, S, or P) + type: keyword +file.x509.version_number: + dashed_name: file-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: file.x509.version_number + level: extended + name: version_number + normalize: [] + order: 0 + original_fieldset: x509 + short: Version of x509 format. + type: long geo.city_name: dashed_name: geo-city-name description: City name. 
@@ -7725,6 +8040,321 @@ tls.version_protocol: order: 1 short: Normalized lowercase protocol name parsed from original string. type: keyword +tls.x509.alternative_names: + dashed_name: tls-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: tls.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: [] + order: 23 + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate authority + and certificate type but commonly contain IP addresses, DNS names (and wildcards), + and email addresses. + type: keyword +tls.x509.issuer.common_name: + dashed_name: tls-x509-issuer-common-name + description: Common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + flat_name: tls.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: [] + order: 3 + original_fieldset: x509 + short: Common name (CN) of issuing certificate authority. + type: keyword +tls.x509.issuer.country: + dashed_name: tls-x509-issuer-country + description: Country (C) code + example: US + flat_name: tls.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: [] + order: 8 + original_fieldset: x509 + short: Country (C) code + type: keyword +tls.x509.issuer.distinguished_name: + dashed_name: tls-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + flat_name: tls.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + order: 2 + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword +tls.x509.issuer.locality: + dashed_name: tls-x509-issuer-locality + description: Locality name (L) + example: Mountain View + flat_name: tls.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: [] + order: 6 + original_fieldset: x509 + short: Locality name (L) + type: keyword +tls.x509.issuer.organization: + dashed_name: tls-x509-issuer-organization + description: Organizational units (O) of issuing certificate authority. + example: DigiCert Inc + flat_name: tls.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: [] + order: 5 + original_fieldset: x509 + short: Organizational units (O) of issuing certificate authority. + type: keyword +tls.x509.issuer.organizational_unit: + dashed_name: tls-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + flat_name: tls.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: [] + order: 4 + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword +tls.x509.issuer.state_or_province: + dashed_name: tls-x509-issuer-state-or-province + description: State or province name (ST, S, or P) + example: California + flat_name: tls.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: [] + order: 7 + original_fieldset: x509 + short: State or province name (ST, S, or P) + type: keyword +tls.x509.not_after: + dashed_name: tls-x509-not-after + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: tls.x509.not_after + level: extended + name: not_after + normalize: [] + order: 11 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +tls.x509.not_before: + dashed_name: tls-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: tls.x509.not_before + level: extended + name: not_before + normalize: [] + order: 10 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +tls.x509.public_key_algorithm: + dashed_name: tls-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA, ECDSA + flat_name: tls.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + order: 19 + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword +tls.x509.public_key_curve: + dashed_name: tls-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: tls.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + order: 22 + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. 
+ type: keyword +tls.x509.public_key_exponent: + dashed_name: tls-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + flat_name: tls.x509.public_key_exponent + level: extended + name: public_key_exponent + normalize: [] + order: 21 + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +tls.x509.public_key_size: + dashed_name: tls-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: tls.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + order: 20 + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +tls.x509.serial_number: + dashed_name: tls-x509-serial-number + description: Unique serial number issued by the certificate authority. + example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + flat_name: tls.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + order: 1 + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword +tls.x509.signature_algorithm: + dashed_name: tls-x509-signature-algorithm + description: Identifier for certificate signature algorithm. Recommend using names + found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + example: SHA256-RSA + flat_name: tls.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + order: 9 + original_fieldset: x509 + short: Identifier for certificate signature algorithm. Recommend using names found + in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + type: keyword +tls.x509.subject.common_name: + dashed_name: tls-x509-subject-common-name + description: Common name (CN) of subject. 
+ example: r2.shared.global.fastly.net + flat_name: tls.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: [] + order: 13 + original_fieldset: x509 + short: Common name (CN) of subject. + type: keyword +tls.x509.subject.country: + dashed_name: tls-x509-subject-country + description: Country (C) code + example: US + flat_name: tls.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: [] + order: 18 + original_fieldset: x509 + short: Country (C) code + type: keyword +tls.x509.subject.distinguished_name: + dashed_name: tls-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: tls.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + order: 12 + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword +tls.x509.subject.locality: + dashed_name: tls-x509-subject-locality + description: Locality name (L) + example: San Francisco + flat_name: tls.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: [] + order: 16 + original_fieldset: x509 + short: Locality name (L) + type: keyword +tls.x509.subject.organization: + dashed_name: tls-x509-subject-organization + description: Organizational units (O) of subject. + example: Fastly, Inc. + flat_name: tls.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: [] + order: 15 + original_fieldset: x509 + short: Organizational units (O) of subject. + type: keyword +tls.x509.subject.organizational_unit: + dashed_name: tls-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. 
+ flat_name: tls.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: [] + order: 14 + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +tls.x509.subject.state_or_province: + dashed_name: tls-x509-subject-state-or-province + description: State or province name (ST, S, or P) + example: California + flat_name: tls.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: [] + order: 17 + original_fieldset: x509 + short: State or province name (ST, S, or P) + type: keyword +tls.x509.version_number: + dashed_name: tls-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: tls.x509.version_number + level: extended + name: version_number + normalize: [] + order: 0 + original_fieldset: x509 + short: Version of x509 format. + type: long trace.id: dashed_name: trace-id description: 'Unique identifier of the trace. 
@@ -8435,3 +9065,318 @@ vulnerability.severity: order: 11 short: Severity of the vulnerability. type: keyword +x509.alternative_names: + dashed_name: x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: [] + order: 23 + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate authority + and certificate type but commonly contain IP addresses, DNS names (and wildcards), + and email addresses. + type: keyword +x509.issuer.common_name: + dashed_name: x509-issuer-common-name + description: Common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + flat_name: x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: [] + order: 3 + original_fieldset: x509 + short: Common name (CN) of issuing certificate authority. + type: keyword +x509.issuer.country: + dashed_name: x509-issuer-country + description: Country (C) code + example: US + flat_name: x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: [] + order: 8 + original_fieldset: x509 + short: Country (C) code + type: keyword +x509.issuer.distinguished_name: + dashed_name: x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + flat_name: x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + order: 2 + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. 
+ type: keyword +x509.issuer.locality: + dashed_name: x509-issuer-locality + description: Locality name (L) + example: Mountain View + flat_name: x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: [] + order: 6 + original_fieldset: x509 + short: Locality name (L) + type: keyword +x509.issuer.organization: + dashed_name: x509-issuer-organization + description: Organizational units (O) of issuing certificate authority. + example: DigiCert Inc + flat_name: x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: [] + order: 5 + original_fieldset: x509 + short: Organizational units (O) of issuing certificate authority. + type: keyword +x509.issuer.organizational_unit: + dashed_name: x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + flat_name: x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: [] + order: 4 + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword +x509.issuer.state_or_province: + dashed_name: x509-issuer-state-or-province + description: State or province name (ST, S, or P) + example: California + flat_name: x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: [] + order: 7 + original_fieldset: x509 + short: State or province name (ST, S, or P) + type: keyword +x509.not_after: + dashed_name: x509-not-after + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: x509.not_after + level: extended + name: not_after + normalize: [] + order: 11 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. 
+ type: date +x509.not_before: + dashed_name: x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: x509.not_before + level: extended + name: not_before + normalize: [] + order: 10 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +x509.public_key_algorithm: + dashed_name: x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA, ECDSA + flat_name: x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + order: 19 + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword +x509.public_key_curve: + dashed_name: x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + order: 22 + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword +x509.public_key_exponent: + dashed_name: x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + flat_name: x509.public_key_exponent + level: extended + name: public_key_exponent + normalize: [] + order: 21 + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +x509.public_key_size: + dashed_name: x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: x509.public_key_size + level: extended + name: public_key_size + normalize: [] + order: 20 + original_fieldset: x509 + short: The size of the public key space in bits. 
+ type: long +x509.serial_number: + dashed_name: x509-serial-number + description: Unique serial number issued by the certificate authority. + example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + flat_name: x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + order: 1 + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword +x509.signature_algorithm: + dashed_name: x509-signature-algorithm + description: Identifier for certificate signature algorithm. Recommend using names + found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + example: SHA256-RSA + flat_name: x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + order: 9 + original_fieldset: x509 + short: Identifier for certificate signature algorithm. Recommend using names found + in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + type: keyword +x509.subject.common_name: + dashed_name: x509-subject-common-name + description: Common name (CN) of subject. + example: r2.shared.global.fastly.net + flat_name: x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: [] + order: 13 + original_fieldset: x509 + short: Common name (CN) of subject. + type: keyword +x509.subject.country: + dashed_name: x509-subject-country + description: Country (C) code + example: US + flat_name: x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: [] + order: 18 + original_fieldset: x509 + short: Country (C) code + type: keyword +x509.subject.distinguished_name: + dashed_name: x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. 
+ example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + order: 12 + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword +x509.subject.locality: + dashed_name: x509-subject-locality + description: Locality name (L) + example: San Francisco + flat_name: x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: [] + order: 16 + original_fieldset: x509 + short: Locality name (L) + type: keyword +x509.subject.organization: + dashed_name: x509-subject-organization + description: Organizational units (O) of subject. + example: Fastly, Inc. + flat_name: x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: [] + order: 15 + original_fieldset: x509 + short: Organizational units (O) of subject. + type: keyword +x509.subject.organizational_unit: + dashed_name: x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: [] + order: 14 + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +x509.subject.state_or_province: + dashed_name: x509-subject-state-or-province + description: State or province name (ST, S, or P) + example: California + flat_name: x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: [] + order: 17 + original_fieldset: x509 + short: State or province name (ST, S, or P) + type: keyword +x509.version_number: + dashed_name: x509-version-number + description: Version of x509 format. 
+ example: 3 + flat_name: x509.version_number + level: extended + name: version_number + normalize: [] + order: 0 + original_fieldset: x509 + short: Version of x509 format. + type: long diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 4a265b9433..bfd05cf665 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
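Review bot: The `x509.not_after` entry in this hunk carries the `description` and `short` text `Time at which the certificate is first considered valid.`, which is the `not_before` wording copied verbatim; notAfter is the end of the validity period, so it should read `Time at which the certificate is no longer considered valid.` — as written, anyone building an expiry check from the field docs is pointed at the wrong boundary. The identical copy-paste appears in the `file.x509.not_after` and `tls.x509.not_after` entries of the two ecs_nested.yml hunks that follow. Because these files are generated, the correction belongs in the x509 schema source the generator reads, with the generated output then refreshed rather than hand-edited. In the same entries, `issuer.organization` and `subject.organization` are described as `Organizational units (O) ...`, but O is the Organization attribute (OU is the organizational unit), so `Organization (O) of issuing certificate authority.` and `Organization (O) of subject.` are the accurate texts.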
@@ -3293,12 +3293,328 @@ file: order: 10 short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword + x509.alternative_names: + dashed_name: file-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: file.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: [] + order: 23 + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + type: keyword + x509.issuer.common_name: + dashed_name: file-x509-issuer-common-name + description: Common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + flat_name: file.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: [] + order: 3 + original_fieldset: x509 + short: Common name (CN) of issuing certificate authority. + type: keyword + x509.issuer.country: + dashed_name: file-x509-issuer-country + description: Country (C) code + example: US + flat_name: file.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: [] + order: 8 + original_fieldset: x509 + short: Country (C) code + type: keyword + x509.issuer.distinguished_name: + dashed_name: file-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + flat_name: file.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + order: 2 + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword + x509.issuer.locality: + dashed_name: file-x509-issuer-locality + description: Locality name (L) + example: Mountain View + flat_name: file.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: [] + order: 6 + original_fieldset: x509 + short: Locality name (L) + type: keyword + x509.issuer.organization: + dashed_name: file-x509-issuer-organization + description: Organizational units (O) of issuing certificate authority. + example: DigiCert Inc + flat_name: file.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: [] + order: 5 + original_fieldset: x509 + short: Organizational units (O) of issuing certificate authority. + type: keyword + x509.issuer.organizational_unit: + dashed_name: file-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + flat_name: file.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: [] + order: 4 + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword + x509.issuer.state_or_province: + dashed_name: file-x509-issuer-state-or-province + description: State or province name (ST, S, or P) + example: California + flat_name: file.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: [] + order: 7 + original_fieldset: x509 + short: State or province name (ST, S, or P) + type: keyword + x509.not_after: + dashed_name: file-x509-not-after + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: file.x509.not_after + level: extended + name: not_after + normalize: [] + order: 11 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + x509.not_before: + dashed_name: file-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: file.x509.not_before + level: extended + name: not_before + normalize: [] + order: 10 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + x509.public_key_algorithm: + dashed_name: file-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA, ECDSA + flat_name: file.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + order: 19 + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword + x509.public_key_curve: + dashed_name: file-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: file.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + order: 22 + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. 
+ type: keyword + x509.public_key_exponent: + dashed_name: file-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + flat_name: file.x509.public_key_exponent + level: extended + name: public_key_exponent + normalize: [] + order: 21 + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long + x509.public_key_size: + dashed_name: file-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: file.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + order: 20 + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + x509.serial_number: + dashed_name: file-x509-serial-number + description: Unique serial number issued by the certificate authority. + example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + flat_name: file.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + order: 1 + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword + x509.signature_algorithm: + dashed_name: file-x509-signature-algorithm + description: Identifier for certificate signature algorithm. Recommend using + names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + example: SHA256-RSA + flat_name: file.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + order: 9 + original_fieldset: x509 + short: Identifier for certificate signature algorithm. Recommend using names + found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + type: keyword + x509.subject.common_name: + dashed_name: file-x509-subject-common-name + description: Common name (CN) of subject. 
+ example: r2.shared.global.fastly.net + flat_name: file.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: [] + order: 13 + original_fieldset: x509 + short: Common name (CN) of subject. + type: keyword + x509.subject.country: + dashed_name: file-x509-subject-country + description: Country (C) code + example: US + flat_name: file.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: [] + order: 18 + original_fieldset: x509 + short: Country (C) code + type: keyword + x509.subject.distinguished_name: + dashed_name: file-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: file.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + order: 12 + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword + x509.subject.locality: + dashed_name: file-x509-subject-locality + description: Locality name (L) + example: San Francisco + flat_name: file.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: [] + order: 16 + original_fieldset: x509 + short: Locality name (L) + type: keyword + x509.subject.organization: + dashed_name: file-x509-subject-organization + description: Organizational units (O) of subject. + example: Fastly, Inc. + flat_name: file.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: [] + order: 15 + original_fieldset: x509 + short: Organizational units (O) of subject. + type: keyword + x509.subject.organizational_unit: + dashed_name: file-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. 
+ flat_name: file.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: [] + order: 14 + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword + x509.subject.state_or_province: + dashed_name: file-x509-subject-state-or-province + description: State or province name (ST, S, or P) + example: California + flat_name: file.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: [] + order: 17 + original_fieldset: x509 + short: State or province name (ST, S, or P) + type: keyword + x509.version_number: + dashed_name: file-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: file.x509.version_number + level: extended + name: version_number + normalize: [] + order: 0 + original_fieldset: x509 + short: Version of x509 format. + type: long group: 2 name: file nestings: - code_signature - hash - pe + - x509 prefix: file. short: Fields describing files. title: File 
@@ -8323,8 +8639,325 @@ tls: order: 1 short: Normalized lowercase protocol name parsed from original string. type: keyword + x509.alternative_names: + dashed_name: tls-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: tls.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: [] + order: 23 + original_fieldset: x509 + short: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + type: keyword + x509.issuer.common_name: + dashed_name: tls-x509-issuer-common-name + description: Common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + flat_name: tls.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: [] + order: 3 + original_fieldset: x509 + short: Common name (CN) of issuing certificate authority. + type: keyword + x509.issuer.country: + dashed_name: tls-x509-issuer-country + description: Country (C) code + example: US + flat_name: tls.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: [] + order: 8 + original_fieldset: x509 + short: Country (C) code + type: keyword + x509.issuer.distinguished_name: + dashed_name: tls-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance + Server CA + flat_name: tls.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + order: 2 + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword + x509.issuer.locality: + dashed_name: tls-x509-issuer-locality + description: Locality name (L) + example: Mountain View + flat_name: tls.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: [] + order: 6 + original_fieldset: x509 + short: Locality name (L) + type: keyword + x509.issuer.organization: + dashed_name: tls-x509-issuer-organization + description: Organizational units (O) of issuing certificate authority. + example: DigiCert Inc + flat_name: tls.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: [] + order: 5 + original_fieldset: x509 + short: Organizational units (O) of issuing certificate authority. + type: keyword + x509.issuer.organizational_unit: + dashed_name: tls-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + flat_name: tls.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: [] + order: 4 + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword + x509.issuer.state_or_province: + dashed_name: tls-x509-issuer-state-or-province + description: State or province name (ST, S, or P) + example: California + flat_name: tls.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: [] + order: 7 + original_fieldset: x509 + short: State or province name (ST, S, or P) + type: keyword + x509.not_after: + dashed_name: tls-x509-not-after + description: Time at which the certificate is first considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: tls.x509.not_after + level: extended + name: not_after + normalize: [] + order: 11 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + x509.not_before: + dashed_name: tls-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: tls.x509.not_before + level: extended + name: not_before + normalize: [] + order: 10 + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + x509.public_key_algorithm: + dashed_name: tls-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA, ECDSA + flat_name: tls.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + order: 19 + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword + x509.public_key_curve: + dashed_name: tls-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: tls.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + order: 22 + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. 
+ type: keyword + x509.public_key_exponent: + dashed_name: tls-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + flat_name: tls.x509.public_key_exponent + level: extended + name: public_key_exponent + normalize: [] + order: 21 + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long + x509.public_key_size: + dashed_name: tls-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: tls.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + order: 20 + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + x509.serial_number: + dashed_name: tls-x509-serial-number + description: Unique serial number issued by the certificate authority. + example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa + flat_name: tls.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + order: 1 + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword + x509.signature_algorithm: + dashed_name: tls-x509-signature-algorithm + description: Identifier for certificate signature algorithm. Recommend using + names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + example: SHA256-RSA + flat_name: tls.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + order: 9 + original_fieldset: x509 + short: Identifier for certificate signature algorithm. Recommend using names + found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go). + type: keyword + x509.subject.common_name: + dashed_name: tls-x509-subject-common-name + description: Common name (CN) of subject. 
+ example: r2.shared.global.fastly.net + flat_name: tls.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: [] + order: 13 + original_fieldset: x509 + short: Common name (CN) of subject. + type: keyword + x509.subject.country: + dashed_name: tls-x509-subject-country + description: Country (C) code + example: US + flat_name: tls.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: [] + order: 18 + original_fieldset: x509 + short: Country (C) code + type: keyword + x509.subject.distinguished_name: + dashed_name: tls-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + flat_name: tls.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + order: 12 + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword + x509.subject.locality: + dashed_name: tls-x509-subject-locality + description: Locality name (L) + example: San Francisco + flat_name: tls.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: [] + order: 16 + original_fieldset: x509 + short: Locality name (L) + type: keyword + x509.subject.organization: + dashed_name: tls-x509-subject-organization + description: Organizational units (O) of subject. + example: Fastly, Inc. + flat_name: tls.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: [] + order: 15 + original_fieldset: x509 + short: Organizational units (O) of subject. + type: keyword + x509.subject.organizational_unit: + dashed_name: tls-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. 
+ flat_name: tls.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: [] + order: 14 + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword + x509.subject.state_or_province: + dashed_name: tls-x509-subject-state-or-province + description: State or province name (ST, S, or P) + example: California + flat_name: tls.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: [] + order: 17 + original_fieldset: x509 + short: State or province name (ST, S, or P) + type: keyword + x509.version_number: + dashed_name: tls-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: tls.x509.version_number + level: extended + name: version_number + normalize: [] + order: 0 + original_fieldset: x509 + short: Version of x509 format. + type: long group: 2 name: tls + nestings: + - x509 prefix: tls. short: Fields describing a TLS connection. title: TLS 
@@ -9135,3 +9768,308 @@ vulnerability:
 short: Fields to describe the vulnerability relevant to an event.
 title: Vulnerability
 type: group
+x509:
+ description: These fields contain x509 certificate metadata.
+ fields:
+ alternative_names:
+ dashed_name: x509-alternative-names
+ description: List of subject alternative names (SAN). Name types vary by certificate
+ authority and certificate type but commonly contain IP addresses, DNS names
+ (and wildcards), and email addresses.
+ example: '*.elastic.co'
+ flat_name: x509.alternative_names
+ ignore_above: 1024
+ level: extended
+ name: alternative_names
+ normalize: []
+ order: 23
+ short: List of subject alternative names (SAN). Name types vary by certificate
+ authority and certificate type but commonly contain IP addresses, DNS names
+ (and wildcards), and email addresses.
+ type: keyword
+ issuer.common_name:
+ dashed_name: x509-issuer-common-name
+ description: Common name (CN) of issuing certificate authority.
+ example: DigiCert SHA2 High Assurance Server CA
+ flat_name: x509.issuer.common_name
+ ignore_above: 1024
+ level: extended
+ name: issuer.common_name
+ normalize: []
+ order: 3
+ short: Common name (CN) of issuing certificate authority.
+ type: keyword
+ issuer.country:
+ dashed_name: x509-issuer-country
+ description: Country (C) code
+ example: US
+ flat_name: x509.issuer.country
+ ignore_above: 1024
+ level: extended
+ name: issuer.country
+ normalize: []
+ order: 8
+ short: Country (C) code
+ type: keyword
+ issuer.distinguished_name:
+ dashed_name: x509-issuer-distinguished-name
+ description: Distinguished name (DN) of issuing certificate authority.
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance
+ Server CA
+ flat_name: x509.issuer.distinguished_name
+ ignore_above: 1024
+ level: extended
+ name: issuer.distinguished_name
+ normalize: []
+ order: 2
+ short: Distinguished name (DN) of issuing certificate authority.
+ type: keyword
+ issuer.locality:
+ dashed_name: x509-issuer-locality
+ description: Locality name (L)
+ example: Mountain View
+ flat_name: x509.issuer.locality
+ ignore_above: 1024
+ level: extended
+ name: issuer.locality
+ normalize: []
+ order: 6
+ short: Locality name (L)
+ type: keyword
+ issuer.organization:
+ dashed_name: x509-issuer-organization
+ description: Organizational units (O) of issuing certificate authority.
+ example: DigiCert Inc
+ flat_name: x509.issuer.organization
+ ignore_above: 1024
+ level: extended
+ name: issuer.organization
+ normalize: []
+ order: 5
+ short: Organizational units (O) of issuing certificate authority.
+ type: keyword
+ issuer.organizational_unit:
+ dashed_name: x509-issuer-organizational-unit
+ description: List of organizational units (OU) of issuing certificate authority.
+ example: www.digicert.com
+ flat_name: x509.issuer.organizational_unit
+ ignore_above: 1024
+ level: extended
+ name: issuer.organizational_unit
+ normalize: []
+ order: 4
+ short: List of organizational units (OU) of issuing certificate authority.
+ type: keyword
+ issuer.state_or_province:
+ dashed_name: x509-issuer-state-or-province
+ description: State or province name (ST, S, or P)
+ example: California
+ flat_name: x509.issuer.state_or_province
+ ignore_above: 1024
+ level: extended
+ name: issuer.state_or_province
+ normalize: []
+ order: 7
+ short: State or province name (ST, S, or P)
+ type: keyword
+ not_after:
+ dashed_name: x509-not-after
+ description: Time at which the certificate is first considered valid.
+ example: 2020-07-16 03:15:39+00:00
+ flat_name: x509.not_after
+ level: extended
+ name: not_after
+ normalize: []
+ order: 11
+ short: Time at which the certificate is first considered valid.
+ type: date
+ not_before:
+ dashed_name: x509-not-before
+ description: Time at which the certificate is first considered valid.
+ example: 2019-08-16 01:40:25+00:00
+ flat_name: x509.not_before
+ level: extended
+ name: not_before
+ normalize: []
+ order: 10
+ short: Time at which the certificate is first considered valid.
+ type: date
+ public_key_algorithm:
+ dashed_name: x509-public-key-algorithm
+ description: Algorithm used to generate the public key.
+ example: RSA, ECDSA
+ flat_name: x509.public_key_algorithm
+ ignore_above: 1024
+ level: extended
+ name: public_key_algorithm
+ normalize: []
+ order: 19
+ short: Algorithm used to generate the public key.
+ type: keyword
+ public_key_curve:
+ dashed_name: x509-public-key-curve
+ description: The curve used by the elliptic curve public key algorithm. This
+ is algorithm specific.
+ example: nistp521
+ flat_name: x509.public_key_curve
+ ignore_above: 1024
+ level: extended
+ name: public_key_curve
+ normalize: []
+ order: 22
+ short: The curve used by the elliptic curve public key algorithm. This is algorithm
+ specific.
+ type: keyword
+ public_key_exponent:
+ dashed_name: x509-public-key-exponent
+ description: Exponent used to derive the public key. This is algorithm specific.
+ example: 65537
+ flat_name: x509.public_key_exponent
+ level: extended
+ name: public_key_exponent
+ normalize: []
+ order: 21
+ short: Exponent used to derive the public key. This is algorithm specific.
+ type: long
+ public_key_size:
+ dashed_name: x509-public-key-size
+ description: The size of the public key space in bits.
+ example: 2048
+ flat_name: x509.public_key_size
+ level: extended
+ name: public_key_size
+ normalize: []
+ order: 20
+ short: The size of the public key space in bits.
+ type: long
+ serial_number:
+ dashed_name: x509-serial-number
+ description: Unique serial number issued by the certificate authority.
+ example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa
+ flat_name: x509.serial_number
+ ignore_above: 1024
+ level: extended
+ name: serial_number
+ normalize: []
+ order: 1
+ short: Unique serial number issued by the certificate authority.
+ type: keyword
+ signature_algorithm:
+ dashed_name: x509-signature-algorithm
+ description: Identifier for certificate signature algorithm. Recommend using
+ names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go).
+ example: SHA256-RSA
+ flat_name: x509.signature_algorithm
+ ignore_above: 1024
+ level: extended
+ name: signature_algorithm
+ normalize: []
+ order: 9
+ short: Identifier for certificate signature algorithm. Recommend using names
+ found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go).
+ type: keyword
+ subject.common_name:
+ dashed_name: x509-subject-common-name
+ description: Common name (CN) of subject.
+ example: r2.shared.global.fastly.net
+ flat_name: x509.subject.common_name
+ ignore_above: 1024
+ level: extended
+ name: subject.common_name
+ normalize: []
+ order: 13
+ short: Common name (CN) of subject.
+ type: keyword
+ subject.country:
+ dashed_name: x509-subject-country
+ description: Country (C) code
+ example: US
+ flat_name: x509.subject.country
+ ignore_above: 1024
+ level: extended
+ name: subject.country
+ normalize: []
+ order: 18
+ short: Country (C) code
+ type: keyword
+ subject.distinguished_name:
+ dashed_name: x509-subject-distinguished-name
+ description: Distinguished name (DN) of the certificate subject entity.
+ example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net
+ flat_name: x509.subject.distinguished_name
+ ignore_above: 1024
+ level: extended
+ name: subject.distinguished_name
+ normalize: []
+ order: 12
+ short: Distinguished name (DN) of the certificate subject entity.
+ type: keyword
+ subject.locality:
+ dashed_name: x509-subject-locality
+ description: Locality name (L)
+ example: San Francisco
+ flat_name: x509.subject.locality
+ ignore_above: 1024
+ level: extended
+ name: subject.locality
+ normalize: []
+ order: 16
+ short: Locality name (L)
+ type: keyword
+ subject.organization:
+ dashed_name: x509-subject-organization
+ description: Organizational units (O) of subject.
+ example: Fastly, Inc.
+ flat_name: x509.subject.organization
+ ignore_above: 1024
+ level: extended
+ name: subject.organization
+ normalize: []
+ order: 15
+ short: Organizational units (O) of subject.
+ type: keyword
+ subject.organizational_unit:
+ dashed_name: x509-subject-organizational-unit
+ description: List of organizational units (OU) of subject.
+ flat_name: x509.subject.organizational_unit
+ ignore_above: 1024
+ level: extended
+ name: subject.organizational_unit
+ normalize: []
+ order: 14
+ short: List of organizational units (OU) of subject.
+ type: keyword
+ subject.state_or_province:
+ dashed_name: x509-subject-state-or-province
+ description: State or province name (ST, S, or P)
+ example: California
+ flat_name: x509.subject.state_or_province
+ ignore_above: 1024
+ level: extended
+ name: subject.state_or_province
+ normalize: []
+ order: 17
+ short: State or province name (ST, S, or P)
+ type: keyword
+ version_number:
+ dashed_name: x509-version-number
+ description: Version of x509 format.
+ example: 3
+ flat_name: x509.version_number
+ level: extended
+ name: version_number
+ normalize: []
+ order: 0
+ short: Version of x509 format.
+ type: long
+ group: 2
+ name: x509
+ prefix: x509.
+ reusable:
+ expected:
+ - file
+ - tls
+ top_level: false
+ short: These fields contain x509 certificate metadata.
+ title: x509 Certificate
+ type: group
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 0691d11a79..7ee171693e 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json @@ -926,6 +926,109 @@ "uid": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "type": "long" + } + } } } }, 
@@ -2675,6 +2778,109 @@ "version_protocol": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "type": "long" + } + } } } }, 
@@ -2965,6 +3171,109 @@ "type": "keyword" } } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "type": "long" + } + } } } } diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index c12cc8fe78..25802e7212 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -925,6 +925,109 @@ "uid": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "type": "long" + } + } } } }, 
@@ -2674,6 +2777,109 @@ "version_protocol": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "type": "long" + } + } } } }, 
@@ -2964,6 +3170,109 @@ "type": "keyword" } } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "type": "long" + } + } } } }, diff --git a/schemas/x509.yml b/schemas/x509.yml new file mode 100644 index 0000000000..a7faf42740 --- /dev/null +++ b/schemas/x509.yml 
@@ -0,0 +1,154 @@
+---
+- name: x509
+ title: x509 Certificate
+ group: 2
+ description: These fields contain x509 certificate metadata.
+ type: group
+ reusable:
+ top_level: false
+ expected:
+ - file
+ - tls
+ fields:
+ - name: version_number
+ level: extended
+ type: long
+ description: Version of x509 format.
+ example: 3
+
+ - name: serial_number
+ level: extended
+ type: keyword
+ description: Unique serial number issued by the certificate authority.
+ example: 55:fb:b9:c7:de:bf:09:80:9d:12:cc:aa
+
+ - name: issuer.distinguished_name
+ level: extended
+ type: keyword
+ description: Distinguished name (DN) of issuing certificate authority.
+ example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
+
+ - name: issuer.common_name
+ level: extended
+ type: keyword
+ description: Common name (CN) of issuing certificate authority.
+ example: DigiCert SHA2 High Assurance Server CA
+
+ - name: issuer.organizational_unit
+ level: extended
+ type: keyword
+ description: List of organizational units (OU) of issuing certificate authority.
+ example: www.digicert.com
+
+ - name: issuer.organization
+ level: extended
+ type: keyword
+ description: Organizational units (O) of issuing certificate authority.
+ example: DigiCert Inc
+
+ - name: issuer.locality
+ level: extended
+ type: keyword
+ description: Locality name (L)
+ example: Mountain View
+
+ - name: issuer.state_or_province
+ level: extended
+ type: keyword
+ description: State or province name (ST, S, or P)
+ example: California
+
+ - name: issuer.country
+ level: extended
+ type: keyword
+ description: Country (C) code
+ example: US
+
+ - name: signature_algorithm
+ level: extended
+ type: keyword
+ description: Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (https://golang.org/src/crypto/x509/x509.go).
+ example: SHA256-RSA
+
+ - name: not_before
+ level: extended
+ type: date
+ description: Time at which the certificate is first considered valid.
+ example: 2019-08-16T01:40:25Z
+
+ - name: not_after
+ level: extended
+ type: date
+ description: Time at which the certificate is first considered valid.
+ example: 2020-07-16T03:15:39Z
+
+ - name: subject.distinguished_name
+ level: extended
+ type: keyword
+ description: Distinguished name (DN) of the certificate subject entity.
+ example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net
+
+ - name: subject.common_name
+ level: extended
+ type: keyword
+ description: Common name (CN) of subject.
+ example: r2.shared.global.fastly.net
+
+ - name: subject.organizational_unit
+ level: extended
+ type: keyword
+ description: List of organizational units (OU) of subject.
+
+ - name: subject.organization
+ level: extended
+ type: keyword
+ description: Organizational units (O) of subject.
+ example: Fastly, Inc.
+
+ - name: subject.locality
+ level: extended
+ type: keyword
+ description: Locality name (L)
+ example: San Francisco
+
+ - name: subject.state_or_province
+ level: extended
+ type: keyword
+ description: State or province name (ST, S, or P)
+ example: California
+
+ - name: subject.country
+ level: extended
+ type: keyword
+ description: Country (C) code
+ example: US
+
+ - name: public_key_algorithm
+ level: extended
+ type: keyword
+ description: Algorithm used to generate the public key.
+ example: RSA, ECDSA
+
+ - name: public_key_size
+ level: extended
+ type: long
+ description: The size of the public key space in bits.
+ example: 2048
+
+ - name: public_key_exponent
+ level: extended
+ type: long
+ description: Exponent used to derive the public key. This is algorithm specific.
+ example: 65537
+
+ - name: public_key_curve
+ level: extended
+ type: keyword
+ description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+ example: nistp521
+
+ - name: alternative_names
+ level: extended
+ type: keyword
+ description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
+ example: "*.elastic.co"
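Review bot: The `not_after` entry reuses the `not_before` description ("Time at which the certificate is first considered valid."), so the two validity-window bounds are documented identically; it should read `description: Time at which the certificate is no longer considered valid.` — expiry and validity-window checks are the main reason defenders index this pair, and the same copied text appears in the generated YAML hunk earlier in this diff, which will need regenerating once the schema is fixed. `issuer.organization` and `subject.organization` are described as "Organizational units (O)", which is the OU wording and collides with the neighbouring `organizational_unit` fields; `description: Organization (O) of issuing certificate authority.` and `description: Organization (O) of subject.` keep the O/OU distinction clear. `issuer.organizational_unit`, `subject.organizational_unit` and `alternative_names` are all described as lists yet declare no `normalize: - array`, so the generated output carries `normalize: []` and gives consumers no signal that these are multi-valued — presumably unintended, as SAN lists are almost always multi-valued. `subject.organizational_unit` is also the only field in the set with no `example:`.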