Add attested user and groups to process #2050

Merged
merged 6 commits into from
Sep 20, 2022
1 change: 1 addition & 0 deletions CHANGELOG.next.md
Expand Up @@ -51,6 +51,7 @@ Thanks, you're awesome :-) -->
* Adding `risk.*` fields as experimental. #1994, #2010
* Adding `process.io.*` as beta fields. #1956, #2031
* Adding `process.tty.rows` and `process.tty.columns` as beta fields. #2031
* `process.attested_user` and `process.attested_groups` as beta fields. #2050

#### Improvements

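Review bot: the new changelog line drops the leading "Adding" that the three sibling entries above it use, so the list reads inconsistently; suggest `* Adding `process.attested_user` and `process.attested_groups` as beta fields. #2050`.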
22 changes: 22 additions & 0 deletions docs/fields/field-details.asciidoc
Expand Up @@ -4621,6 +4621,8 @@ type: keyword
The `group` fields are expected to be nested at:


* `process.attested_groups`

* `process.group`

* `process.real_group`
Expand Down Expand Up @@ -7759,6 +7761,24 @@ Note also that the `process` fields may be used directly at the root of the even
// ===============================================================


| `process.attested_groups.*`
| <<ecs-group,group>>| beta:[ Reusing the `group` fields in this location is currently considered beta.]

The externally attested groups based on an external source such as the Kube API.

Note: this reuse should contain an array of group field set objects.

// ===============================================================


| `process.attested_user.*`
| <<ecs-user,user>>| beta:[ Reusing the `user` fields in this location is currently considered beta.]

The externally attested user based on an external source such as the Kube API.

// ===============================================================


| `process.code_signature.*`
| <<ecs-code_signature,code_signature>>
| These fields contain information about binary code signatures.
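Review bot: the descriptions for `process.attested_user.*` and `process.attested_groups.*` say only "externally attested ... such as the Kube API", which leaves a reader unsure how these values relate to the host-derived `process.group` and `process.real_user` values listed elsewhere in this file, or what a consumer should do when the two disagree; suggest spelling out "Kubernetes API" and adding a sentence on which source is treated as authoritative. The "Note: this reuse should contain an array of group field set objects." line correctly matches the `normalize: - array` setting for the groups reuse, and it is right that no such note appears for the single-valued `attested_user`.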
Expand Down Expand Up @@ -11498,6 +11518,8 @@ The `user` fields are expected to be nested at:

* `destination.user`

* `process.attested_user`

* `process.real_user`

* `process.saved_user`
28 changes: 28 additions & 0 deletions experimental/generated/ecs/ecs_nested.yml
Expand Up @@ -6029,6 +6029,14 @@ group:
normalize:
- array
short_override: An array of supplemental groups.
- as: attested_groups
at: process
beta: Reusing the `group` fields in this location is currently considered beta.
full: process.attested_groups
normalize:
- array
short_override: The externally attested groups based on an external source such
as the Kube API.
top_level: true
short: User's group relevant to the event.
title: Group
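Review bot: this is generator output, so the wording issues ("Kube API", the `short_override` text wrapped across two lines) should be fixed in schemas/group.yml and the file regenerated rather than edited here; worth stating in the PR description that the generator was run so experimental/generated and generated stay in lockstep.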
Expand Down Expand Up @@ -12344,6 +12352,8 @@ process:
group: 2
name: process
nestings:
- process.attested_groups
- process.attested_user
- process.code_signature
- process.elf
- process.entry_leader
Expand Down Expand Up @@ -12458,6 +12468,13 @@ process:
- array
schema_name: group
short: An array of supplemental groups.
- beta: Reusing the `group` fields in this location is currently considered beta.
full: process.attested_groups
normalize:
- array
schema_name: group
short: The externally attested groups based on an external source such as the
Kube API.
- full: process.hash
schema_name: hash
short: Hashes, usually file hashes.
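Review bot: the new `reused_here` entry is appended after the "An array of supplemental groups." entry rather than in alphabetical order, unlike the sorted `nestings` list in the previous hunk; this looks like it follows declaration order in schemas/group.yml, which is fine if that is what the generator emits, but worth a quick check that it was not hand-placed.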
Expand Down Expand Up @@ -12487,6 +12504,11 @@ process:
full: process.real_user
schema_name: user
short: The real user (ruid). Identifies the real owner of the process.
- beta: Reusing the `user` fields in this location is currently considered beta.
full: process.attested_user
schema_name: user
short: The externally attested user based on an external source such as the Kube
API.
- full: process.parent
schema_name: process
short: Information about the parent process.
Expand Down Expand Up @@ -21668,6 +21690,12 @@ user:
beta: Reusing the `user` fields in this location is currently considered beta.
full: process.real_user
short_override: The real user (ruid). Identifies the real owner of the process.
- as: attested_user
at: process
beta: Reusing the `user` fields in this location is currently considered beta.
full: process.attested_user
short_override: The externally attested user based on an external source such
as the Kube API.
top_level: true
reused_here:
- full: user.group
28 changes: 28 additions & 0 deletions generated/ecs/ecs_nested.yml
Expand Up @@ -5949,6 +5949,14 @@ group:
normalize:
- array
short_override: An array of supplemental groups.
- as: attested_groups
at: process
beta: Reusing the `group` fields in this location is currently considered beta.
full: process.attested_groups
normalize:
- array
short_override: The externally attested groups based on an external source such
as the Kube API.
top_level: true
short: User's group relevant to the event.
title: Group
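Review bot: identical to the corresponding hunk in experimental/generated/ecs/ecs_nested.yml, as expected since the source change lives only in schemas/group.yml and schemas/user.yml; no action needed beyond confirming both files were produced by the same regeneration run.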
Expand Down Expand Up @@ -12180,6 +12188,8 @@ process:
group: 2
name: process
nestings:
- process.attested_groups
- process.attested_user
- process.code_signature
- process.elf
- process.entry_leader
Expand Down Expand Up @@ -12294,6 +12304,13 @@ process:
- array
schema_name: group
short: An array of supplemental groups.
- beta: Reusing the `group` fields in this location is currently considered beta.
full: process.attested_groups
normalize:
- array
schema_name: group
short: The externally attested groups based on an external source such as the
Kube API.
- full: process.hash
schema_name: hash
short: Hashes, usually file hashes.
Expand Down Expand Up @@ -12323,6 +12340,11 @@ process:
full: process.real_user
schema_name: user
short: The real user (ruid). Identifies the real owner of the process.
- beta: Reusing the `user` fields in this location is currently considered beta.
full: process.attested_user
schema_name: user
short: The externally attested user based on an external source such as the Kube
API.
- full: process.parent
schema_name: process
short: Information about the parent process.
Expand Down Expand Up @@ -21091,6 +21113,12 @@ user:
beta: Reusing the `user` fields in this location is currently considered beta.
full: process.real_user
short_override: The real user (ruid). Identifies the real owner of the process.
- as: attested_user
at: process
beta: Reusing the `user` fields in this location is currently considered beta.
full: process.attested_user
short_override: The externally attested user based on an external source such
as the Kube API.
top_level: true
reused_here:
- full: user.group
6 changes: 6 additions & 0 deletions schemas/group.yml
Expand Up @@ -47,6 +47,12 @@
beta: Reusing the `group` fields in this location is currently considered beta.
normalize:
- array
- at: process
as: attested_groups
short_override: The externally attested groups based on an external source such as the Kube API.
beta: Reusing the `group` fields in this location is currently considered beta.
normalize:
- array

fields:

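Review bot: `short_override` is the text that ends up in every generated artifact, so "Kube API" should read "Kubernetes API", and the sentence should say how the attested groups relate to `process.group` (the host's own view of the process's group) so readers understand the values come from an external authority rather than from the process's credentials. Key order (`at`, `as`, `short_override`, `beta`, `normalize`) mirrors the preceding reuse entry, which is good.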
4 changes: 4 additions & 0 deletions schemas/user.yml
Expand Up @@ -54,6 +54,10 @@
as: real_user
short_override: The real user (ruid). Identifies the real owner of the process.
beta: Reusing the `user` fields in this location is currently considered beta.
- at: process
as: attested_user
short_override: The externally attested user based on an external source such as the Kube API.
beta: Reusing the `user` fields in this location is currently considered beta.

type: group
fields:
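Review bot: this entry carries no `normalize: - array`, which correctly makes `process.attested_user` single-valued in contrast to `attested_groups`; same wording suggestion as in schemas/group.yml ("Kubernetes API", and how the attested user relates to `process.real_user`), and the `short_override` could name which `user.*` subfields an external source is expected to populate.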