Mitigation policies

custom_schemas/custom_process.yml

@@ -330,6 +330,14 @@
         Leave unpopulated if the validity or trust of the certificate was unchecked.
       example: ERROR_UNTRUSTED_ROOT
 
+    - name: Ext.mitigation_policies
+      level: custom
+      type: keyword
+      short: Process mitigation policies.
+      description: >
+        Process mitigation policies include SignaturePolicy, DynamicCodePolicy, UserShadowStackPolicy, ControlFlowGuardPolicy, etc.
+        Examples include Microsoft only, CF Guard, User Shadow Stack enabled
+
     - name: Ext.real
       level: custom
       type: object

custom_subsets/elastic_endpoint/process/process.yaml

@@ -162,6 +162,7 @@ fields:
               trusted: {}
               valid: {}
           defense_evasions: {}
+          mitigation_policies: {}
           dll:
             fields:
               name: {}

package/endpoint/data_stream/process/fields/fields.yml

@@ -875,6 +875,12 @@
       description: Process ID.
       example: 4242
       default_field: false
+    - name: Ext.mitigation_policies
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: Process mitigation policies include SignaturePolicy, DynamicCodePolicy, UserShadowStackPolicy, ControlFlowGuardPolicy, etc. Examples include Microsoft only, CF Guard, User Shadow Stack enabled
+      default_field: false
     - name: Ext.protection
       level: custom
       type: keyword

package/endpoint/data_stream/process/sample_event.json

@@ -72,6 +72,11 @@
                     "status": "trusted"
                 }
             ],
+            "mitigation_policies": [
+                "Microsoft only, Opt-in to restrict to Microsoft, Windows Store and WHQL",
+                "CET dynamic APIs can only be called out of proc",
+                "CF Guard"
+            ],
             "device": {
                 "volume_device_type": "Disk File System"
             },

package/endpoint/docs/README.md

@@ -2093,6 +2093,7 @@ sent by the endpoint.
 | process.Ext.effective_parent.executable | Executable name for the effective process. | keyword |
 | process.Ext.effective_parent.name | Process name for the effective process. | keyword |
 | process.Ext.effective_parent.pid | Process ID. | long |
+| process.Ext.mitigation_policies | Process mitigation policies include SignaturePolicy, DynamicCodePolicy, UserShadowStackPolicy, ControlFlowGuardPolicy, etc. Examples include Microsoft only, CF Guard, User Shadow Stack enabled | keyword |
 | process.Ext.protection | Indicates the protection level of this process.  Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. | keyword |
 | process.Ext.relative_file_creation_time | Number of seconds since the process's file was created. This number may be negative if the file's timestamp is in the future. | double |
 | process.Ext.relative_file_name_modify_time | Number of seconds since the process's name was modified. This information can come from the NTFS MFT. This number may be negative if the file's timestamp is in the future. | double |