elastic · ebeahan · Aug 5, 2021 · Aug 4, 2021 · Aug 4, 2021 · Aug 4, 2021
diff --git a/code/go/ecs/code_signature.go b/code/go/ecs/code_signature.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -787,6 +787,24 @@ These fields contain information about binary code signatures.
 
 // ===============================================================
 
+|
+[[field-code-signature-digest-algorithm]]
+<<field-code-signature-digest-algorithm, code_signature.digest_algorithm>>
+
+| The hashing algorithm used to sign the process.
+
+This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
+
+type: keyword
+
+
+
+example: `sha256`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-code-signature-exists]]
 <<field-code-signature-exists, code_signature.exists>>
@@ -873,6 +891,22 @@ example: `EQHXZ8M8AV`
 
 // ===============================================================
 
+|
+[[field-code-signature-timestamp]]
+<<field-code-signature-timestamp, code_signature.timestamp>>
+
+| Date and time when the code signature was generated and signed.
+
+type: date
+
+
+
+example: `2021-01-01T12:10:30Z`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-code-signature-trusted]]
 <<field-code-signature-trusted, code_signature.trusted>>

diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
@@ -528,6 +528,16 @@
     description: These fields contain information about binary code signatures.
     type: group
     fields:
+    - name: digest_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The hashing algorithm used to sign the process.
+
+        This value can distinguish signatures when a file is signed multiple times
+        by the same signer but with a different digest algorithm.'
+      example: sha256
+      default_field: false
     - name: exists
       level: core
       type: boolean
@@ -572,6 +582,12 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: timestamp
+      level: extended
+      type: date
+      description: Date and time when the code signature was generated and signed.
+      example: '2021-01-01T12:10:30Z'
+      default_field: false
     - name: trusted
       level: extended
       type: boolean
@@ -1012,6 +1028,16 @@
       * Dynamic library (`.dylib`) commonly used on macOS'
     type: group
     fields:
+    - name: code_signature.digest_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The hashing algorithm used to sign the process.
+
+        This value can distinguish signatures when a file is signed multiple times
+        by the same signer but with a different digest algorithm.'
+      example: sha256
+      default_field: false
     - name: code_signature.exists
       level: core
       type: boolean
@@ -1056,6 +1082,12 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: code_signature.timestamp
+      level: extended
+      type: date
+      description: Date and time when the code signature was generated and signed.
+      example: '2021-01-01T12:10:30Z'
+      default_field: false
     - name: code_signature.trusted
       level: extended
       type: boolean
@@ -2148,6 +2180,16 @@
         execute, hidden, read, readonly, system, write.'
       example: '["readonly", "system"]'
       default_field: false
+    - name: code_signature.digest_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The hashing algorithm used to sign the process.
+
+        This value can distinguish signatures when a file is signed multiple times
+        by the same signer but with a different digest algorithm.'
+      example: sha256
+      default_field: false
     - name: code_signature.exists
       level: core
       type: boolean
@@ -2192,6 +2234,12 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: code_signature.timestamp
+      level: extended
+      type: date
+      description: Date and time when the code signature was generated and signed.
+      example: '2021-01-01T12:10:30Z'
+      default_field: false
     - name: code_signature.trusted
       level: extended
       type: boolean
@@ -4727,6 +4775,16 @@
         indication of suspicious activity.'
       example: 4
       default_field: false
+    - name: code_signature.digest_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The hashing algorithm used to sign the process.
+
+        This value can distinguish signatures when a file is signed multiple times
+        by the same signer but with a different digest algorithm.'
+      example: sha256
+      default_field: false
     - name: code_signature.exists
       level: core
       type: boolean
@@ -4771,6 +4829,12 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: code_signature.timestamp
+      level: extended
+      type: date
+      description: Date and time when the code signature was generated and signed.
+      example: '2021-01-01T12:10:30Z'
+      default_field: false
     - name: code_signature.trusted
       level: extended
       type: boolean
@@ -5078,6 +5142,16 @@
         indication of suspicious activity.'
       example: 4
       default_field: false
+    - name: parent.code_signature.digest_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The hashing algorithm used to sign the process.
+
+        This value can distinguish signatures when a file is signed multiple times
+        by the same signer but with a different digest algorithm.'
+      example: sha256
+      default_field: false
     - name: parent.code_signature.exists
       level: core
       type: boolean
@@ -5122,6 +5196,12 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: parent.code_signature.timestamp
+      level: extended
+      type: date
+      description: Date and time when the code signature was generated and signed.
+      example: '2021-01-01T12:10:30Z'
+      default_field: false
     - name: parent.code_signature.trusted
       level: extended
       type: boolean
@@ -6049,6 +6129,16 @@
         indication of suspicious activity.'
       example: 4
       default_field: false
+    - name: target.code_signature.digest_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The hashing algorithm used to sign the process.
+
+        This value can distinguish signatures when a file is signed multiple times
+        by the same signer but with a different digest algorithm.'
+      example: sha256
+      default_field: false
     - name: target.code_signature.exists
       level: core
       type: boolean
@@ -6093,6 +6183,12 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: target.code_signature.timestamp
+      level: extended
+      type: date
+      description: Date and time when the code signature was generated and signed.
+      example: '2021-01-01T12:10:30Z'
+      default_field: false
     - name: target.code_signature.trusted
       level: extended
       type: boolean
@@ -6404,6 +6500,16 @@
         indication of suspicious activity.'
       example: 4
       default_field: false
+    - name: target.parent.code_signature.digest_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The hashing algorithm used to sign the process.
+
+        This value can distinguish signatures when a file is signed multiple times
+        by the same signer but with a different digest algorithm.'
+      example: sha256
+      default_field: false
     - name: target.parent.code_signature.exists
       level: core
       type: boolean
@@ -6448,6 +6554,12 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: target.parent.code_signature.timestamp
+      level: extended
+      type: date
+      description: Date and time when the code signature was generated and signed.
+      example: '2021-01-01T12:10:30Z'
+      default_field: false
     - name: target.parent.code_signature.trusted
       level: extended
       type: boolean
@@ -8389,6 +8501,16 @@
         execute, hidden, read, readonly, system, write.'
       example: '["readonly", "system"]'
       default_field: false
+    - name: enrichments.indicator.file.code_signature.digest_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The hashing algorithm used to sign the process.
+
+        This value can distinguish signatures when a file is signed multiple times
+        by the same signer but with a different digest algorithm.'
+      example: sha256
+      default_field: false
     - name: enrichments.indicator.file.code_signature.exists
       level: core
       type: boolean
@@ -8433,6 +8555,12 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: enrichments.indicator.file.code_signature.timestamp
+      level: extended
+      type: date
+      description: Date and time when the code signature was generated and signed.
+      example: '2021-01-01T12:10:30Z'
+      default_field: false
     - name: enrichments.indicator.file.code_signature.trusted
       level: extended
       type: boolean
@@ -9778,6 +9906,16 @@
         execute, hidden, read, readonly, system, write.'
       example: '["readonly", "system"]'
       default_field: false
+    - name: indicator.file.code_signature.digest_algorithm
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The hashing algorithm used to sign the process.
+
+        This value can distinguish signatures when a file is signed multiple times
+        by the same signer but with a different digest algorithm.'
+      example: sha256
+      default_field: false
     - name: indicator.file.code_signature.exists
       level: core
       type: boolean
@@ -9822,6 +9960,12 @@
         is relevant to Apple *OS only.'
       example: EQHXZ8M8AV
       default_field: false
+    - name: indicator.file.code_signature.timestamp
+      level: extended
+      type: date
+      description: Date and time when the code signature was generated and signed.
+      example: '2021-01-01T12:10:30Z'
+      default_field: false
     - name: indicator.file.code_signature.trusted
       level: extended
       type: boolean