AgileSec Cryptographic Data Fields
The following describes the cryptographic data model used by AgileSec Analytics to represent cryptographic findings collected across an infrastructure. It defines the structure, categories, and meaning of the fields exposed in cryptographic events and cryptographic objects.
1. Summary
This document provides a reference for the ISG data model used by AgileSec Analytics to define cryptographic findings. It explains the types of cryptographic events captured by the platform and the categories of fields used to describe each finding.
1.1 Types of events
AgileSec Analytics captures different types of cryptographic events.
ISG Events. Summary information about cryptographic findings combined with their contextual information (i.e. location).
ISG Objects. Detailed information about cryptographic objects, independent of their context.
1.2 Types of fields
AgileSec Analytics captures different types of information for every cryptographic event collected. The principal types are the following:
Base Fields. Root fields that are used for all cryptographic events
Date Fields. Root fields including timestamp and first_found
Crypto Object Fields. Summary information about the crypto events collected
Source Fields. Summary information about the source that generated the crypto event.
Sensor Fields. Information about the sensors used to retrieve the crypto event
Location Fields. Contextual fields that define the cryptographic event and its location within the infrastructure
Host Fields. Information about hosts that contain crypto events
File Fields. Information about the files that contain the crypto event
Application Fields. Information about applications
Process Fields. Information about the processes that contain the crypto event
Status Fields. Additional fields that define the status of the cryptographic event.
Resolution Fields. Information about the resolution status of the finding.
Crypto Artifact Fields. Information about cryptographic objects related to the event
X509 Certificate Fields. Subset of metadata about the X.509 Certificate reported in the crypto event
Crypto Key Fields. Subset of metadata about the Crypto Key reported in the crypto event
Crypto Algorithm Fields. Subset of metadata about the Algorithm reported in the crypto event
Crypto Library Fields. Subset of metadata about the Crypto Library reported in the crypto event
Network Cipher Fields. Subset of metadata about the Cipher Suite reported in the crypto event
Token Fields. Subset of metadata about Tokens reported in the crypto event
Crypto Policy Fields. Information about the policy and controls executed on the crypto event
2. Events Fields
2.1 Root Fields
Root Fields are mandatory for all cryptographic events. They provide a homogeneous view of any cryptographic event and its location, whatever the source.
Name | Type | Example | Description |
|---|---|---|---|
Date Fields | |||
@timestamp | Date | 22-03-2023 | The last time the finding was observed |
first_found | Date | 21-01-2023 | The first time the finding was observed |
Crypto Object fields | |||
object.type | String | Certificate | The type of cryptographic object |
object.fingerprint | String | 76c2b8g...b0f7 | The unique hash of the finding |
object.location | String | file://c:/windows/file.pem | The unique location of the finding |
object.summary | String | Certificate: RSA-SHA-256 | Defines the friendly name of the finding |
object.uid | String | 76c2b8g...b0f7 | The unique id of the finding |
Source Fields | |||
source.type | String | Host, Network | The type of source |
source.subtype | String | Filesystem, Connection, CertStore, ... | The subtype of the source |
source.name | String | ISGTORTAN002 | The name of the source |
Sensor fields | |||
sensor.id | String | 19230123124 | The id of the sensor |
sensor.name | String | Sensor-CICD-2 | The name of the sensor |
sensor.version | String | 1.5.12 | The version of the sensor |
sensor.type | String | Host Sensor | The type of sensor |
2.2 Location Fields
Location Fields are dependent on the type of source that contains the cryptographic objects. The location fields include information about the source.
Name | Type | Example | Description |
|---|---|---|---|
Host fields | |||
host.name | String | ISGTORTAN002 | The name of the host |
host.ip | String | 10.0.1.12 | The IP address of the host |
host.port | Integer | 443 | The port of the host |
host.os_name | String | Linux | The OS name of the host |
Application fields | |||
application.name | String | Payment App | The name of the application |
application.version | String | 1.4 | The version of the application |
application.fingerprint | String | 76c2b8g...b0f7 | The unique fingerprint of the app |
application.pipeline | String | Release/1.5.11 | The pipeline related to the app |
application.link | String | jenkins/build/release/... | The link to the application analyzed |
and more | |||
HSM fields | |||
hsm.manufacturer_id | String | Thales | |
hsm.flags | String | Encrypt | |
hsm.serial_number | String | hsm-44858 | |
and more | |||
File fields | |||
file.path | String | C:/test/cert/root.pem | The full path of the finding |
file.directory | String | C:/test/cert/ | The directory of the finding |
file.name | String | root.pem | The file name of the finding |
file.extension | String | pem | The file extension of the finding |
file.size | Integer | 10k | The file size of the finding |
file.type | String | Certificate File | The type of file containing the finding |
file.hash_sha256 | String | 76c2b8g...b0f7 | The unique fingerprint of the file |
file.hashset.exists | Bool | true | If the file is known |
file.owner | String | Admin | Owner of the file |
And more | |||
Process Fields | |||
process.name | String | Tomcat | The process using the finding |
And more | |||
2.3 Status Fields
Status fields contain extra information about the findings and their status.
Name | Type | Example | Description |
|---|---|---|---|
Resolution Fields | |||
object.resolution.resolved_date | Date | 21-01-2023 | When the finding has been resolved |
object.resolution.status | String | resolved, open | If the finding has been resolved |
2.4 Crypto Artifact Fields
The cryptographic artifact fields describe information related to the cryptographic finding. This information is collected by the multiple AgileSec Analytics sensors deployed across an infrastructure.
Field Name | Type | Value Sample | Description |
|---|---|---|---|
Certificate Fields | |||
x509.public_key_algorithm | String | rsaEncryption | The Public Key algorithm |
x509.public_key_size | Integer | 2048 | The size of the public key algorithm |
x509.signature_algorithm | String | RSA-SHA256 | The signature algorithm |
x509.subject.common_name | String | isg.local | The subject common name |
x509.issuer.common_name | String | ISG CA | The Issuer common name |
x509.usage | String | End-Entity | The Usage based on Basic Constraint CA field |
X509.self_signed | Boolean | True | If the X.509 Certificate is self signed |
x509.not_after | Date | 2024-01-21T11:36:54 | The expiration date |
x509.fingerprint_sha256 | String | 76c2b8g...b0f7 | The unique fingerprint (sha256) |
Key Fields | |||
key.type | String | Private | The Type of Key Public/Private |
key.algorithm | String | ssh_rsa | The Algorithm used by the Key |
key.size | Integer | 2048 | The size of the Key |
key.is_encypted | Boolean | False | If the storage of the key is protected |
key.fingerprint_sha256 | String | 76c2b8g...b0f7 | Fingerprint of the key |
key.format | String | pem, der, ssh | Format of the key |
key.hash_sha256 | String | 76c2b8g...b0f7 | Hash of the key |
Keystore Fields | |||
keystore.type | String | PFX | Type of keystore |
Library Fields | |||
library.name | String | OpenSSL | The vendor of the library |
library.version | String | 1.0.0 | The version of the library |
Algorithm Fields | |||
algorithm.name | String | ecc-brainpool-p192r1 | The name of the algorithm |
algorithm.type | String | ecc | The type of algorithm |
algorithm.implementation | String | Implementation | The type of implementation (JCA/Implementation) |
Network Fields | |||
network.cipher_suite | String | TLS_RSA_WITH_AES_128_SHA1 | The cipher suite |
network.protocol_name | String | TLSv1.2 | The protocol version |
network.key_agreement | String | dh 4096 | The Key Agreement |
2.5 Policy Fields
The policy fields are usually post-processed by the AgileSec Analytics server based on the Contextual and Object Fields. The policy fields can be enriched dynamically through the creation of custom policies.
Field Name | Type | Value Sample | Description |
|---|---|---|---|
Policy Field | |||
policy.severity_score | Integer | 1-3 | The Integer value of the severity |
policy.flag | String List | certificate_self_signed_end_entity | The name(s) of the policies that were triggered for the crypto event |
policy.priority_score | Integer | 1-3 | The priority of the finding |
policy.score_value | Integer | 1-10 | The cryptographic score |
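As an added illustration of how the policy fields are derived from the object and contextual fields (this is example code written for this page, not AgileSec Analytics' own policy engine): a small enrichment pass over an event in the field layout documented above. Only the policy name certificate_self_signed_end_entity comes from the document; the other rule names, the severity values and the sample event are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample event using the documented field names (not real data).
SAMPLE_EVENT = {
    "@timestamp": "22-03-2023",
    "object.type": "Certificate",
    "object.location": "file://c:/windows/file.pem",
    "host.name": "ISGTORTAN002",
    "x509.public_key_algorithm": "rsaEncryption",
    "x509.public_key_size": 1024,
    "x509.basic_constraints_is_ca": False,
    "X509.self_signed": True,  # field name as documented (capital X)
    "x509.not_after": "2024-01-21T11:36:54",
}

def parse_date(value):
    """Parse the ISO-8601 values of x509.not_after; naive values are taken as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def derive_usage(event):
    """x509.usage is documented as derived from the Basic Constraints CA field."""
    return "CA" if event.get("x509.basic_constraints_is_ca") else "End-Entity"

# (policy name, severity_score 1-3, predicate). Names other than the first,
# and every severity value, are assumptions made for this example.
RULES = [
    ("certificate_self_signed_end_entity", 3,
     lambda e, now: e.get("object.type") == "Certificate"
     and e.get("X509.self_signed") is True
     and e.get("x509.usage") == "End-Entity"),
    ("certificate_rsa_key_below_2048", 3,
     lambda e, now: e.get("x509.public_key_algorithm") == "rsaEncryption"
     and e.get("x509.public_key_size", 0) < 2048),
    ("certificate_expired", 2,
     lambda e, now: "x509.not_after" in e and parse_date(e["x509.not_after"]) < now),
]

def enrich(event, now=None):
    """Return a copy of the event with x509.usage and policy.* fields populated."""
    if isinstance(now, str):
        now = parse_date(now)
    now = now or datetime.now(timezone.utc)
    out = dict(event)
    if out.get("object.type") == "Certificate":
        out["x509.usage"] = derive_usage(out)
    triggered = [(name, sev) for name, sev, pred in RULES if pred(out, now)]
    out["policy.flag"] = [name for name, _ in triggered]
    if triggered:  # severity of the event is the highest severity of any triggered policy
        out["policy.severity_score"] = max(sev for _, sev in triggered)
    return out

if __name__ == "__main__":
    print(enrich(SAMPLE_EVENT, now="2024-06-01T00:00:00Z"))
```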
3. Extended Object Fields
The object fields contain detailed information about cryptographic objects detected within an infrastructure. The object fields are stored individually, without contextual information. ISG objects provide a centralized view of all cryptographic objects discovered, with their complete details.
Field Name | Type | Example | Description |
|---|---|---|---|
Common Fields | |||
object.type | String | Certificate | The type of crypto event |
object.fingerprint | String | 76c2b8g...b0f7 | The unique fingerprint of the crypto object itself |
object.encoded | String | Base64 | The encoded value of the crypto object |
X509 Certificates Information | |||
x509.usage | String | End-Entity | The calculated usage of the X.509 Certificate |
x509.basic_constraints_is_ca | Boolean | False | The Basic Constraints CA field of the X.509 Certificate |
X509.self_signed | Boolean | False | If the X.509 Certificate is self-signed |
x509.serial_number | String | 8734015E694EEC70 | The Serial Number of the X.509 Certificate |
x509.not_after | Date | 2028-09-01T21:52:08Z | The Expiration date of the X.509 Certificate |
x509.not_before | Date | 2018-09-04T21:52:08Z | The start date of the X.509 Certificate |
x509.fingerprint_sha256 | String | 76c2b8g...b0f7 | The sha256 fingerprint (Lowercase) of the X.509 Certificate |
x509.fingerprint_sha1 | String | 76cg...b0f7 | The sha1 fingerprint (Lowercase) of the X.509 Certificate |
X509 Cryptography | |||
x509.public_key_algorithm | String | rsaEncryption | The public key algorithm of the X.509 Certificate |
x509.public_key_size | Integer | 2048 | The public key size of the X.509 Certificate |
x509.signature_algorithm | String | RSA-SHA1 | The signature algorithm of the X.509 Certificate |
x509.public_key_exponent | String | 76c2b8g...b0f7 | The public key exponent of the X.509 Certificate |
x509.public_key_curve | String | 76c2..b0f7 | The public key curve of the X.509 Certificate |
x509.key_usage | String List | Digital Signature, Non Repudiation | The Key Usage extension values of the X.509 Certificate |
x509.extended_key_usage | String List | Certificate Sign, CRL Sign | The Extended Key Usage extension values of the X.509 Certificate |
X509 Subject | |||
x509.alternative_names | String | http://www.keyfactor.com | The Subject Alternative Names of the X.509 Certificate |
x509.subject.common_name | String | http://keyfactor.com | The Subject name of the X.509 Certificate |
x509.subject.country | String | Canada | The Country of the X.509 Certificate |
x509.subject.locality | String | ON | The Locality of the X.509 Certificate |
x509.subject.state_or_province | String | ON | The State of the X.509 Certificate |
x509.subject.organization | String | ISG | The Organization of the X.509 Certificate |
x509.subject.organizational_unit | String | Business | The Organization Unit of the X.509 Certificate |
x509.subject.distinguished_name | String | http://keyfactor.com | The DN of the X.509 Certificate |
X509 Issuer | |||
x509.issuer.common_name | String | ISG CA | The Issuer Subject name of the X.509 Certificate |
x509.issuer.country | String | Canada | The Issuer Country of the X.509 Certificate |
x509.issuer.locality | String | ON | The Issuer Locality of the X.509 Certificate |
x509.issuer.state_or_province | String | ON | The Issuer State of the X.509 Certificate |
x509.issuer.organization | String | ISG | The Issuer Organization of the X.509 Certificate |
x509.issuer.organizational_unit | String | Business | The Issuer Organization Unit of the X.509 Certificate |
x509.issuer.distinguished_name | String | ISG CA | The Issuer DN of the X.509 Certificate |