Code Signature Fields

edit

These fields contain information about binary code signatures.

Code Signature Field Details

edit
Field Description Level

code_signature.exists

Boolean to capture if a signature is present.

type: boolean

example: true

core

code_signature.signing_id

The identifier used to sign the process.

This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.

type: keyword

example: com.apple.xpc.proxy

extended

code_signature.status

Additional information about the certificate status.

This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.

type: keyword

example: ERROR_UNTRUSTED_ROOT

extended

code_signature.subject_name

Subject name of the code signer

type: keyword

example: Microsoft Corporation

core

code_signature.team_id

The team identifier used to sign the process.

This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.

type: keyword

example: EQHXZ8M8AV

extended

code_signature.trusted

Stores the trust status of the certificate chain.

Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.

type: boolean

example: true

extended

code_signature.valid

Boolean to capture if the digital signature is verified against the binary content.

Leave unpopulated if a certificate was unchecked.

type: boolean

example: true

extended

Field Reuse

edit

The code_signature fields are expected to be nested at:

  • dll.code_signature
  • file.code_signature
  • process.code_signature

Note also that the code_signature fields are not expected to be used directly at the root of the events.