diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 9613fb89e..70a4a3e0a 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -25,6 +25,8 @@ Thanks, you're awesome :-) --> #### Improvements +* Define base encoding of `x509.serial_number`. #2383 + #### Deprecated ### Tooling and Artifact Changes diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 23ae02e99..489828f76 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -13803,7 +13803,7 @@ example: `2048` [[field-x509-serial-number]] <> -a| Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. +a| Unique serial number issued by the certificate authority. For consistency, this should be encoded in base 16 and formatted without colons and uppercase characters. type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index ee0ecb5e3..932f19906 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -3339,7 +3339,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -9984,7 +9984,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false 
@@ -10541,7 +10541,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -11606,7 +11606,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12174,7 +12174,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12590,7 +12590,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12872,7 +12872,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false 
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index e529df5f9..d7b749d18 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -5510,8 +5510,7 @@ file.x509.public_key_size: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number ignore_above: 1024 @@ -16160,8 +16159,7 @@ threat.enrichments.indicator.file.x509.public_key_size: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number ignore_above: 1024 @@ -17087,8 +17085,7 @@ threat.enrichments.indicator.x509.public_key_size: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number ignore_above: 1024 
@@ -18897,8 +18894,7 @@ threat.indicator.file.x509.public_key_size: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number ignore_above: 1024 @@ -19840,8 +19836,7 @@ threat.indicator.x509.public_key_size: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number ignore_above: 1024 @@ -20531,8 +20526,7 @@ tls.client.x509.public_key_size: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number ignore_above: 1024 
@@ -21008,8 +21002,7 @@ tls.server.x509.public_key_size: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f4a284451..28fbb237c 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -6558,7 +6558,7 @@ file: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number @@ -18863,7 +18863,7 @@ threat: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number 
@@ -19794,7 +19794,7 @@ threat: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number @@ -21606,7 +21606,7 @@ threat: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number @@ -22553,7 +22553,7 @@ threat: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number @@ -23308,7 +23308,7 @@ tls: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number 
@@ -23788,7 +23788,7 @@ tls: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number @@ -25706,7 +25706,7 @@ x509: x509.serial_number: dashed_name: x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: x509.serial_number diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 3883c5b04..fc1cab589 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -3289,7 +3289,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -9934,7 +9934,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false 
@@ -10491,7 +10491,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -11556,7 +11556,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12124,7 +12124,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12540,7 +12540,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12822,7 +12822,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index bad8611fa..b58c35d5f 100644 
--- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -5441,8 +5441,7 @@ file.x509.public_key_size: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number ignore_above: 1024 @@ -16091,8 +16090,7 @@ threat.enrichments.indicator.file.x509.public_key_size: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number ignore_above: 1024 @@ -17018,8 +17016,7 @@ threat.enrichments.indicator.x509.public_key_size: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number ignore_above: 1024 
@@ -18828,8 +18825,7 @@ threat.indicator.file.x509.public_key_size: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number ignore_above: 1024 @@ -19771,8 +19767,7 @@ threat.indicator.x509.public_key_size: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number ignore_above: 1024 @@ -20462,8 +20457,7 @@ tls.client.x509.public_key_size: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number ignore_above: 1024 
@@ -20939,8 +20933,7 @@ tls.server.x509.public_key_size: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a401fa7b0..8c8aa6b1a 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -6478,7 +6478,7 @@ file: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number @@ -18783,7 +18783,7 @@ threat: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number 
@@ -19714,7 +19714,7 @@ threat: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number @@ -21526,7 +21526,7 @@ threat: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number @@ -22473,7 +22473,7 @@ threat: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number @@ -23228,7 +23228,7 @@ tls: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number 
@@ -23708,7 +23708,7 @@ tls: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number @@ -25626,7 +25626,7 @@ x509: x509.serial_number: dashed_name: x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: x509.serial_number diff --git a/schemas/x509.yml b/schemas/x509.yml index be03f7c68..40f8aa71d 100644 --- a/schemas/x509.yml +++ b/schemas/x509.yml @@ -52,8 +52,8 @@ type: keyword short: Unique serial number issued by the certificate authority. description: > - Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be - formatted without colons and uppercase characters. + Unique serial number issued by the certificate authority. For consistency, this should be + encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA - name: issuer.distinguished_name
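Review bot: The reworded `description` of `serial_number` in schemas/x509.yml is still ambiguous, because "formatted without colons and uppercase characters" can be read as "without uppercase characters", which contradicts the uppercase example `55FBB9C7DEBF09809D12CCAA` in the same hunk. The field is `type: keyword` and is reused under `threat.indicator.*` and `tls.*`, so producers that choose a different case, or that keep a leading `00` byte or a `0x` prefix, would store values that no longer match exactly for the same certificate. I would spell the rule out, e.g. `encoded in base 16, formatted without colons, and using uppercase characters.`, and state whether leading zeros are stripped. The same sentence appears in docs/fields/field-details.asciidoc and in the generated files, which presumably regenerate from this schema, so the fix belongs here.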