Code Signature Fields
These fields contain information about binary code signatures.
Code Signature Field Details
Field | Description | Level |
---|---|---|
 | Boolean to capture if a signature is present. type: boolean example: | core |
 | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword example: | extended |
 | Subject name of the code signer type: keyword example: | core |
 | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. type: boolean example: | extended |
 | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. type: boolean example: | extended |
Field Reuse
The code_signature fields are expected to be nested at: dll.code_signature, file.code_signature, process.code_signature.
Note also that the code_signature fields are not expected to be used directly at the root of the events.
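
The population and nesting rules above, as an added example (not Elastic's code): a builder that omits fields for checks that were never performed, and a linter that flags root-level use and non-boolean values. The field names exists, subject_name, status, trusted and valid are the ECS names assumed for the five rows of the table; the helper names and sample values are hypothetical.

```python
ALLOWED_PARENTS = ("dll", "file", "process")     # nesting points named on this page
BOOLEAN_FIELDS = ("exists", "trusted", "valid")  # assumed ECS field names

def build_code_signature(signed, subject_name=None, valid=None, trusted=None, status=None):
    """Map a verifier's result to code_signature fields; None means 'not checked'."""
    sig = {"exists": bool(signed)}
    if not signed:
        return sig
    if subject_name:
        sig["subject_name"] = subject_name
    if valid is not None:
        sig["valid"] = bool(valid)
    if trusted is not None:
        sig["trusted"] = bool(trusted)
    # status describes validity/trust errors, so it needs at least one real check
    if status and (valid is not None or trusted is not None):
        sig["status"] = status
    return sig

def attach(event, parent, sig):
    """Nest the signature under dll, file or process; never at the event root."""
    if parent not in ALLOWED_PARENTS:
        raise ValueError(f"code_signature must be nested under one of {ALLOWED_PARENTS}")
    event.setdefault(parent, {})["code_signature"] = sig
    return event

def lint(event):
    """Return a list of rule violations found in an already-built event dict."""
    problems = []
    if "code_signature" in event or any(k.startswith("code_signature.") for k in event):
        problems.append("code_signature used at event root")
    for parent in ALLOWED_PARENTS:
        sig = event.get(parent, {}).get("code_signature")
        if sig is None:
            continue
        for name in BOOLEAN_FIELDS:
            if name in sig and not isinstance(sig[name], bool):
                problems.append(f"{parent}.code_signature.{name} is not boolean")
        if "status" in sig and "valid" not in sig and "trusted" not in sig:
            problems.append(f"{parent}.code_signature.status set without a validity or trust check")
    return problems

# Constructed sample: signature present, content verified, chain trust never evaluated.
SAMPLE = attach({"event": {"kind": "event"}}, "process",
                build_code_signature(True, "Example Signer (constructed)", valid=True))
```

In the sample, trusted is absent rather than false, so a detection rule can tell "chain not evaluated" apart from "chain evaluated and untrusted".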