Fix type in code signature (#2382)

Change the type of code_signature.flags to keyword, which is what it should be. Also add a unit test that will verify all types are valid.
elastic · Sep 23, 2024 · 220ecee · 220ecee
1 parent 8be4ed7
commit 220ecee
Show file tree

Hide file tree

Showing 22 changed files with 175 additions and 78 deletions.
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
@@ -873,7 +873,7 @@ a| beta:[ This field is beta and subject to change. ]
 
 The flags used to sign the process.
 
-type: string
+type: keyword
 
 
 

diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
@@ -1273,7 +1273,8 @@
       default_field: false
     - name: code_signature.flags
       level: extended
-      type: string
+      type: keyword
+      ignore_above: 1024
       description: The flags used to sign the process.
       example: 570522385
       default_field: false
@@ -2439,7 +2440,8 @@
       default_field: false
     - name: code_signature.flags
       level: extended
-      type: string
+      type: keyword
+      ignore_above: 1024
       description: The flags used to sign the process.
       example: 570522385
       default_field: false
@@ -4793,7 +4795,8 @@
       default_field: false
     - name: code_signature.flags
       level: extended
-      type: string
+      type: keyword
+      ignore_above: 1024
       description: The flags used to sign the process.
       example: 570522385
       default_field: false
@@ -6117,7 +6120,8 @@
       default_field: false
     - name: parent.code_signature.flags
       level: extended
-      type: string
+      type: keyword
+      ignore_above: 1024
       description: The flags used to sign the process.
       example: 570522385
       default_field: false
@@ -9177,7 +9181,8 @@
       default_field: false
     - name: enrichments.indicator.file.code_signature.flags
       level: extended
-      type: string
+      type: keyword
+      ignore_above: 1024
       description: The flags used to sign the process.
       example: 570522385
       default_field: false
@@ -10798,7 +10803,8 @@
       default_field: false
     - name: indicator.file.code_signature.flags
       level: extended
-      type: string
+      type: keyword
+      ignore_above: 1024
       description: The flags used to sign the process.
       example: 570522385
       default_field: false

diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
@@ -149,7 +149,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,device,device.serial_number,keyword,core,,DJGAQS4CW5,Serial Number of the device
 8.12.0-dev+exp,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.12.0-dev+exp,true,dll,dll.code_signature.flags,string,extended,,570522385,Code signing flags of the process
+8.12.0-dev+exp,true,dll,dll.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -280,7 +280,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 8.12.0-dev+exp,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.12.0-dev+exp,true,file,file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
+8.12.0-dev+exp,true,file,file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -593,7 +593,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array.
 8.12.0-dev+exp,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.12.0-dev+exp,true,process,process.code_signature.flags,string,extended,,570522385,Code signing flags of the process
+8.12.0-dev+exp,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -775,7 +775,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
 8.12.0-dev+exp,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.12.0-dev+exp,true,process,process.parent.code_signature.flags,string,extended,,570522385,Code signing flags of the process
+8.12.0-dev+exp,true,process,process.parent.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -1162,7 +1162,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
+8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
@@ -1381,7 +1381,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
-8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,string,extended,,570522385,Code signing flags of the process
+8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
 8.12.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer

diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
@@ -1806,12 +1806,13 @@ dll.code_signature.flags:
   description: The flags used to sign the process.
   example: 570522385
   flat_name: dll.code_signature.flags
+  ignore_above: 1024
   level: extended
   name: flags
   normalize: []
   original_fieldset: code_signature
   short: Code signing flags of the process
-  type: string
+  type: keyword
 dll.code_signature.signing_id:
   dashed_name: dll-code-signature-signing-id
   description: 'The identifier used to sign the process.
@@ -3957,12 +3958,13 @@ file.code_signature.flags:
   description: The flags used to sign the process.
   example: 570522385
   flat_name: file.code_signature.flags
+  ignore_above: 1024
   level: extended
   name: flags
   normalize: []
   original_fieldset: code_signature
   short: Code signing flags of the process
-  type: string
+  type: keyword
 file.code_signature.signing_id:
   dashed_name: file-code-signature-signing-id
   description: 'The identifier used to sign the process.
@@ -7787,12 +7789,13 @@ process.code_signature.flags:
   description: The flags used to sign the process.
   example: 570522385
   flat_name: process.code_signature.flags
+  ignore_above: 1024
   level: extended
   name: flags
   normalize: []
   original_fieldset: code_signature
   short: Code signing flags of the process
-  type: string
+  type: keyword
 process.code_signature.signing_id:
   dashed_name: process-code-signature-signing-id
   description: 'The identifier used to sign the process.
@@ -9956,12 +9959,13 @@ process.parent.code_signature.flags:
   description: The flags used to sign the process.
   example: 570522385
   flat_name: process.parent.code_signature.flags
+  ignore_above: 1024
   level: extended
   name: flags
   normalize: []
   original_fieldset: code_signature
   short: Code signing flags of the process
-  type: string
+  type: keyword
 process.parent.code_signature.signing_id:
   dashed_name: process-parent-code-signature-signing-id
   description: 'The identifier used to sign the process.
@@ -14782,12 +14786,13 @@ threat.enrichments.indicator.file.code_signature.flags:
   description: The flags used to sign the process.
   example: 570522385
   flat_name: threat.enrichments.indicator.file.code_signature.flags
+  ignore_above: 1024
   level: extended
   name: flags
   normalize: []
   original_fieldset: code_signature
   short: Code signing flags of the process
-  type: string
+  type: keyword
 threat.enrichments.indicator.file.code_signature.signing_id:
   dashed_name: threat-enrichments-indicator-file-code-signature-signing-id
   description: 'The identifier used to sign the process.
@@ -17518,12 +17523,13 @@ threat.indicator.file.code_signature.flags:
   description: The flags used to sign the process.
   example: 570522385
   flat_name: threat.indicator.file.code_signature.flags
+  ignore_above: 1024
   level: extended
   name: flags
   normalize: []
   original_fieldset: code_signature
   short: Code signing flags of the process
-  type: string
+  type: keyword
 threat.indicator.file.code_signature.signing_id:
   dashed_name: threat-indicator-file-code-signature-signing-id
   description: 'The identifier used to sign the process.

diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
@@ -1326,11 +1326,12 @@ code_signature:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       short: Code signing flags of the process
-      type: string
+      type: keyword
     code_signature.signing_id:
       dashed_name: code-signature-signing-id
       description: 'The identifier used to sign the process.
@@ -2290,12 +2291,13 @@ dll:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: dll.code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       original_fieldset: code_signature
       short: Code signing flags of the process
-      type: string
+      type: keyword
     dll.code_signature.signing_id:
       dashed_name: dll-code-signature-signing-id
       description: 'The identifier used to sign the process.
@@ -5001,12 +5003,13 @@ file:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: file.code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       original_fieldset: code_signature
       short: Code signing flags of the process
-      type: string
+      type: keyword
     file.code_signature.signing_id:
       dashed_name: file-code-signature-signing-id
       description: 'The identifier used to sign the process.
@@ -10020,12 +10023,13 @@ process:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: process.code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       original_fieldset: code_signature
       short: Code signing flags of the process
-      type: string
+      type: keyword
     process.code_signature.signing_id:
       dashed_name: process-code-signature-signing-id
       description: 'The identifier used to sign the process.
@@ -12194,12 +12198,13 @@ process:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: process.parent.code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       original_fieldset: code_signature
       short: Code signing flags of the process
-      type: string
+      type: keyword
     process.parent.code_signature.signing_id:
       dashed_name: process-parent-code-signature-signing-id
       description: 'The identifier used to sign the process.
@@ -17482,12 +17487,13 @@ threat:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: threat.enrichments.indicator.file.code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       original_fieldset: code_signature
       short: Code signing flags of the process
-      type: string
+      type: keyword
     threat.enrichments.indicator.file.code_signature.signing_id:
       dashed_name: threat-enrichments-indicator-file-code-signature-signing-id
       description: 'The identifier used to sign the process.
@@ -20224,12 +20230,13 @@ threat:
       description: The flags used to sign the process.
       example: 570522385
       flat_name: threat.indicator.file.code_signature.flags
+      ignore_above: 1024
       level: extended
       name: flags
       normalize: []
       original_fieldset: code_signature
       short: Code signing flags of the process
-      type: string
+      type: keyword
     threat.indicator.file.code_signature.signing_id:
       dashed_name: threat-indicator-file-code-signature-signing-id
       description: 'The identifier used to sign the process.

diff --git a/experimental/generated/elasticsearch/composable/component/dll.json b/experimental/generated/elasticsearch/composable/component/dll.json
@@ -18,7 +18,8 @@
                   "type": "boolean"
                 },
                 "flags": {
-                  "type": "string"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "signing_id": {
                   "ignore_above": 1024,

diff --git a/experimental/generated/elasticsearch/composable/component/file.json b/experimental/generated/elasticsearch/composable/component/file.json
@@ -25,7 +25,8 @@
                   "type": "boolean"
                 },
                 "flags": {
-                  "type": "string"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "signing_id": {
                   "ignore_above": 1024,

diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json
@@ -25,7 +25,8 @@
                   "type": "boolean"
                 },
                 "flags": {
-                  "type": "string"
+                  "ignore_above": 1024,
+                  "type": "keyword"
                 },
                 "signing_id": {
                   "ignore_above": 1024,
@@ -832,7 +833,8 @@
                       "type": "boolean"
                     },
                     "flags": {
-                      "type": "string"
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     },
                     "signing_id": {
                       "ignore_above": 1024,

diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json
@@ -67,7 +67,8 @@
                               "type": "boolean"
                             },
                             "flags": {
-                              "type": "string"
+                              "ignore_above": 1024,
+                              "type": "keyword"
                             },
                             "signing_id": {
                               "ignore_above": 1024,
@@ -995,7 +996,8 @@
                           "type": "boolean"
                         },
                         "flags": {
-                          "type": "string"
+                          "ignore_above": 1024,
+                          "type": "keyword"
                         },
                         "signing_id": {
                           "ignore_above": 1024,