forked from elastic/ecs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
x509.yml
193 lines (170 loc) · 5.98 KB
/
x509.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
---
- name: x509
title: x509 Certificate
group: 2
short_description: These fields contain x509 certificate metadata.
description: >
This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions,
digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.
When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded
certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that
contain certificate information for both sides of the connection, the x509 object could be nested under the respective
side of the connection information (e.g. `tls.server.x509`).
type: group
reusable:
top_level: false
expected:
- file
- tls.client
- tls.server
fields:
- name: version_number
level: extended
type: keyword
description: Version of x509 format.
example: 3
- name: serial_number
level: extended
type: keyword
short_description: Unique serial number issued by the certificate authority.
description: >
Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be
formatted without colons and uppercase characters.
example: 55FBB9C7DEBF09809D12CCAA
- name: issuer.distinguished_name
level: extended
type: keyword
description: Distinguished name (DN) of issuing certificate authority.
example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
- name: issuer.common_name
level: extended
type: keyword
normalize:
- array
description: List of common name (CN) of issuing certificate authority.
example: DigiCert SHA2 High Assurance Server CA
- name: issuer.organizational_unit
level: extended
type: keyword
normalize:
- array
description: List of organizational units (OU) of issuing certificate authority.
example: www.digicert.com
- name: issuer.organization
level: extended
type: keyword
normalize:
- array
description: List of organizations (O) of issuing certificate authority.
example: DigiCert Inc
- name: issuer.locality
level: extended
type: keyword
normalize:
- array
description: List of locality names (L)
example: Mountain View
- name: issuer.state_or_province
level: extended
type: keyword
normalize:
- array
description: List of state or province names (ST, S, or P)
example: California
- name: issuer.country
level: extended
type: keyword
normalize:
- array
description: List of country (C) codes
example: US
- name: signature_algorithm
level: extended
type: keyword
description: Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).
example: SHA256-RSA
- name: not_before
level: extended
type: date
description: Time at which the certificate is first considered valid.
example: 2019-08-16T01:40:25Z
- name: not_after
level: extended
type: date
description: Time at which the certificate is no longer considered valid.
example: 2020-07-16T03:15:39Z
- name: subject.distinguished_name
level: extended
type: keyword
description: Distinguished name (DN) of the certificate subject entity.
example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net
- name: subject.common_name
level: extended
type: keyword
normalize:
- array
description: List of common names (CN) of subject.
example: r2.shared.global.fastly.net
- name: subject.organizational_unit
level: extended
type: keyword
normalize:
- array
description: List of organizational units (OU) of subject.
- name: subject.organization
level: extended
type: keyword
normalize:
- array
description: List of organizations (O) of subject.
example: Fastly, Inc.
- name: subject.locality
level: extended
type: keyword
normalize:
- array
description: List of locality names (L)
example: San Francisco
- name: subject.state_or_province
level: extended
type: keyword
normalize:
- array
description: List of state or province names (ST, S, or P)
example: California
- name: subject.country
level: extended
type: keyword
normalize:
- array
description: List of country (C) code
example: US
- name: public_key_algorithm
level: extended
type: keyword
description: Algorithm used to generate the public key.
example: RSA
- name: public_key_size
level: extended
type: long
description: The size of the public key space in bits.
example: 2048
- name: public_key_exponent
level: extended
type: long
index: false
description: Exponent used to derive the public key. This is algorithm specific.
example: 65537
- name: public_key_curve
level: extended
type: keyword
description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
example: nistp521
- name: alternative_names
level: extended
type: keyword
normalize:
- array
short_description: List of subject alternative names (SAN)
description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
example: "*.elastic.co"