[Security Solution][Endpoint Exceptions] Fixes bug where behavior alerts do not show nested code signatures with subject name and trusted field

src/platform/packages/shared/kbn-securitysolution-ecs/src/dll/index.ts

@@ -7,10 +7,11 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-import type { CodeSignature } from '../file';
+import type { CodeSignature, Ext } from '../file';
 import type { ProcessPe } from '../process';
 
 export interface DllEcs {
+  Ext?: Ext;
   path?: string;
   code_signature?: CodeSignature;
   pe?: ProcessPe;

src/platform/packages/shared/kbn-securitysolution-ecs/src/file/index.ts

@@ -14,7 +14,7 @@ interface Original {
 
 export interface CodeSignature {
   subject_name: string[];
-  trusted: string[];
+  trusted: boolean;
 }
 
 export interface Token {
@@ -72,6 +72,8 @@ export interface FileEcs {
 
   type?: string[];
 
+  code_signature?: CodeSignature;
+
   device?: string[];
 
   inode?: string[];

x-pack/solutions/security/plugins/security_solution/common/endpoint/generate_data.ts

@@ -529,6 +529,10 @@ export class EndpointDocGenerator extends BaseDataGenerator {
               trusted: false,
               subject_name: 'bad signer',
             },
+            {
+              trusted: true,
+              subject_name: 'a good signer',
+            },
           ],
           malware_classification: {
             identifier: 'endpointpe',
@@ -900,6 +904,10 @@ export class EndpointDocGenerator extends BaseDataGenerator {
               trusted: false,
               subject_name: 'bad signer',
             },
+            {
+              trusted: true,
+              subject_name: 'good signer',
+            },
           ],
           user: 'SYSTEM',
           token: {
@@ -921,36 +929,34 @@ export class EndpointDocGenerator extends BaseDataGenerator {
    * Returns the default DLLs used in alerts
    */
   private getAlertsDefaultDll() {
-    return [
-      {
-        pe: {
-          architecture: 'x64',
-        },
-        code_signature: {
-          subject_name: 'Cybereason Inc',
-          trusted: true,
-        },
+    return {
+      pe: {
+        architecture: 'x64',
+      },
+      code_signature: {
+        subject_name: 'Cybereason Inc',
+        trusted: true,
+      },
 
-        hash: {
-          md5: '1f2d082566b0fc5f2c238a5180db7451',
-          sha1: 'ca85243c0af6a6471bdaa560685c51eefd6dbc0d',
-          sha256: '8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2',
-        },
+      hash: {
+        md5: '1f2d082566b0fc5f2c238a5180db7451',
+        sha1: 'ca85243c0af6a6471bdaa560685c51eefd6dbc0d',
+        sha256: '8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2',
+      },
 
-        path: 'C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe',
-        Ext: {
-          compile_time: 1534424710,
-          mapped_address: 5362483200,
-          mapped_size: 0,
-          malware_classification: {
-            identifier: 'Whitelisted',
-            score: 0,
-            threshold: 0,
-            version: '3.0.0',
-          },
+      path: 'C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe',
+      Ext: {
+        compile_time: 1534424710,
+        mapped_address: 5362483200,
+        mapped_size: 0,
+        malware_classification: {
+          identifier: 'Whitelisted',
+          score: 0,
+          threshold: 0,
+          version: '3.0.0',
         },
       },
-    ];
+    };
   }
 
   /**