Conversation

@soolidsnake
Contributor

@soolidsnake soolidsnake commented Dec 5, 2025

Change Summary

Added the thumbprint_sha256 field to the following. The enrichment feature is moving to production; these are some fields that are currently missing and are generating schema violations in EAF for some tests.

  • *.thread.Ext.call_stack_final_hook_module.code_signature
  • *.thread.Ext.call_stack_final_user_module.code_signature
  • threat.*.code_signature.thumbprint_sha256
  • Target.*.code_signature.thumbprint_sha256
  • process.Ext.dll.*.code_signature.thumbprint_sha256
  • enrichments.indicator.file.code_signature.thumbprint_sha256
  • enrichments.indicator.file.Ext.code_signature.thumbprint_sha256
  • indicator.file.Ext.code_signature.thumbprint_sha256
  • indicator.file.code_signature.thumbprint_sha256

Sample values

Sample document:

"call_stack_final_user_module": {
    "path": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll",
    "code_signature": [
        {
            "thumbprint_sha256": "e4ab39116a7dc57d073164eb1c840b1fb8334a8c920b92efafea19112dce643b",
            "trusted": true,
            "subject_name": "Microsoft Corporation",
            "exists": true,
            "status": "trusted"
        }
    ]
},

"call_stack_final_hook_module": {
    "path": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll",
    "code_signature": [
        {
            "thumbprint_sha256": "e4ab39116a7dc57d073164eb1c840b1fb8334a8c920b92efafea19112dce643b",
            "trusted": true,
            "subject_name": "Microsoft Corporation",
            "exists": true,
            "status": "trusted"
        }
    ]
}

Release Target

9.3

For mapping changes:

  • I ran make after making the schema changes, and committed all changes
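The PR fixes "schema violations" by adding a field the enrichment already emits. The following is an added illustration of what such a violation is and how the new field clears it; it is example code written for this page, not the project's schema tooling or test harness. It assumes a hypothetical schema model (a set of dotted field paths where `*` matches exactly one path segment, as in the PR's field list), flattens a constructed sample event built from the call-stack fragment above, and reports any leaf field no schema path covers. It also checks that each thumbprint_sha256 value has the shape the sample shows, 64 lowercase hex characters.

```python
import re

# code_signature sub-fields present in the sample before and after this PR.
CODE_SIGNATURE_FIELDS_BEFORE = ("exists", "status", "subject_name", "trusted")
CODE_SIGNATURE_FIELDS_AFTER = CODE_SIGNATURE_FIELDS_BEFORE + ("thumbprint_sha256",)

# The two call-stack module objects named in the PR.
MODULES = ("call_stack_final_user_module", "call_stack_final_hook_module")


def build_schema(code_signature_fields):
    """Hypothetical schema: allowed dotted paths, '*' = exactly one segment."""
    schema = set()
    for mod in MODULES:
        schema.add(f"*.thread.Ext.{mod}.path")
        for field in code_signature_fields:
            schema.add(f"*.thread.Ext.{mod}.code_signature.{field}")
    return schema


def flatten(doc, prefix=""):
    """Yield (dotted_path, leaf_value). Array elements share their parent path,
    so a list of code_signature objects flattens to code_signature.<field>."""
    if isinstance(doc, dict):
        for key, value in doc.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(doc, list):
        for item in doc:
            yield from flatten(item, prefix)
    else:
        yield prefix, doc


def path_matches(pattern, path):
    """Segment-wise match; '*' in the pattern matches one segment."""
    pat, segs = pattern.split("."), path.split(".")
    return len(pat) == len(segs) and all(p == "*" or p == s for p, s in zip(pat, segs))


def schema_violations(doc, schema):
    """Sorted list of document field paths that no schema path covers."""
    return sorted(
        {path for path, _ in flatten(doc) if not any(path_matches(s, path) for s in schema)}
    )


SHA256_HEX = re.compile(r"[0-9a-f]{64}")


def bad_thumbprints(doc):
    """thumbprint_sha256 values that are not 64 lowercase hex characters."""
    return [
        value
        for path, value in flatten(doc)
        if path.endswith(".code_signature.thumbprint_sha256")
        and not (isinstance(value, str) and SHA256_HEX.fullmatch(value))
    ]


# Constructed sample event (the 'process' parent is an assumption) built from
# the call_stack_final_user_module fragment in the PR description.
SAMPLE_EVENT = {
    "process": {
        "thread": {
            "Ext": {
                "call_stack_final_user_module": {
                    "path": "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll",
                    "code_signature": [
                        {
                            "thumbprint_sha256": "e4ab39116a7dc57d073164eb1c840b1fb8334a8c920b92efafea19112dce643b",
                            "trusted": True,
                            "subject_name": "Microsoft Corporation",
                            "exists": True,
                            "status": "trusted",
                        }
                    ],
                }
            }
        }
    }
}

if __name__ == "__main__":
    before = schema_violations(SAMPLE_EVENT, build_schema(CODE_SIGNATURE_FIELDS_BEFORE))
    after = schema_violations(SAMPLE_EVENT, build_schema(CODE_SIGNATURE_FIELDS_AFTER))
    print("violations before the PR:", before)
    print("violations after the PR: ", after)
    print("malformed thumbprints:   ", bad_thumbprints(SAMPLE_EVENT))
```

Run as-is, the only violation reported against the pre-PR schema is the thumbprint_sha256 path under call_stack_final_user_module; against the post-PR schema the list is empty. The format check is worth keeping in any real validator because a thumbprint is only useful as an allowlist key when it is normalised to one case and length.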

soolidsnake and others added 3 commits December 5, 2025 11:25
- thread.Ext.call_stack_final_hook_module.code_signature
- thread.Ext.call_stack_final_user_module.code_signature
- threat.*
- Target.*
- process.Ext.dll
@soolidsnake soolidsnake requested review from intxgo and pzl December 5, 2025 17:16
@soolidsnake soolidsnake self-assigned this Dec 5, 2025
@soolidsnake soolidsnake requested review from a team as code owners December 5, 2025 17:16
@pzl
Member

pzl commented Dec 5, 2025

discussed elsewhere, but adding here:

CI should be unblocked once #707 merges

@soolidsnake
Contributor Author

discussed elsewhere, but adding here:

CI should be unblocked once #707 merges

Thanks @pzl, it is fixed now.

Member

@pzl pzl left a comment

looks good, thank you for adding this to all the sample_event.json files!

@soolidsnake soolidsnake merged commit d587d79 into main Dec 8, 2025
4 checks passed
@soolidsnake soolidsnake deleted the thumbprint_to_prod branch December 8, 2025 14:02