[8.7] Add new data stream for API event types (#328)

* Define the schema for CredentialAccess events under  `process.Ext.api`

* Adds a generic schema for API

* Describes the schema of parameters for `Credential_access` API events

* Added missing files: manifest, ingest pipeline configuration and sample_Event

* Regenerated yamls: fields and api

Author: calladoum-elastic

custom_schemas/custom_api.yml

@@ -0,0 +1,23 @@
+---
+- name: api
+  title: API
+  group: 2
+  short: Fields describing an API call.
+  type: object
+  description: >
+    These fields describe an API call (function, or system call).
+
+  reusable:
+    top_level: true
+    expected:
+      - process.Ext
+
+  fields:
+    - name: name
+      level: custom
+      type: keyword
+      index: false
+      description: >
+        The name of the API, usually the name of the function or system call.
+
+

custom_schemas/custom_api_credential_access.yml

@@ -0,0 +1,39 @@
+---
+- name: Credential_access
+  title: Credential_access
+  group: 2
+  short: These fields contain information about API calls related to Credential Access.
+  description: >
+    These fields contain information about API calls related to a Credential Access event
+    on Windows.
+
+    Credential Access events are usually triggered by malicious programs in an attempt to
+    dump credential stored in the memory of targeted processes, such as `lsass.exe` on
+    Windows. To do, those programms will invoke specific API calls, such as `OpenProcess`
+    or `OpenThread` which can be detected.
+
+  reusable:
+    top_level: true
+    expected:
+      - { at: process.Ext.api, as: parameters }
+  type: group
+
+  fields:
+    - name: handle_type
+      level: custom
+      type: keyword
+      description: >
+        This parameter indicates whether the detected access was attempt against a process or a thread.
+      example: process
+
+    - name: desired_access_numeric
+      level: custom
+      type: long
+      description: >
+        This parameter indicates the numeric value of the `DesiredAccess` field passed to `OpenProcess` or `OpenThread`.
+
+    - name: desired_access
+      level: custom
+      type: keyword
+      description: >
+        This parameter indicates the string value of the `DesiredAccess` field  to `OpenProcess` or `OpenThread`.

custom_subsets/elastic_endpoint/api/api.yaml

@@ -0,0 +1,96 @@
+---
+name: api
+fields:
+  base:
+    fields:
+      "@timestamp": {}
+      message: {}
+  data_stream:
+    fields: "*"
+  ecs:
+    fields:
+      version: {}
+  event:
+    fields:
+      action: {}
+      category: {}
+      created: {}
+      end: {}
+      hash: {}
+      id: {}
+      ingested: {}
+      outcome: {}
+      start: {}
+      type: {}
+  user:
+    fields:
+      domain: {}
+      email: {}
+      full_name: {}
+      hash: {}
+      id: {}
+      name: {}
+  host:
+    fields:
+      architecture: {}
+      domain: {}
+      hostname: {}
+      id: {}
+      ip: {}
+      mac: {}
+      name: {}
+      type: {}
+      uptime: {}
+      os:
+        fields:
+          family: {}
+          full: {}
+          kernel: {}
+          platform: {}
+          version: {}
+          name: {}
+          type: {}
+          Ext:
+            fields:
+              variant: {}
+  Target:
+    fields:
+      process:
+        fields:
+          name: {}
+          pid: {}
+  process:
+    fields:
+      pid: {}
+      name: {}
+      executable: {}
+      entity_id: {}
+      thread:
+        fields:
+          id: {}
+      Ext:
+        fields:
+          ancestry: {}
+          api:
+            fields:
+              name: {}
+              parameters:
+                fields:
+                  desired_access: {}
+                  desired_access_numeric: {}
+                  handle_type: {}
+      thread:
+        fields:
+          id: {}
+          Ext:
+            fields:
+              call_stack:
+                enabled: false
+                fields:
+                  module_path: {}
+                  instruction_pointer: {}
+              call_stack_contains_unbacked: {}
+              call_stack_final_user_module:
+                fields:
+                  path: {}
+

go.sum

@@ -0,0 +1,2 @@
+dynamic_fields:
+  event.ingested: ".*"

package/endpoint/data_stream/api/_dev/test-common-config.yml

@@ -0,0 +1,5 @@
+{
+    "events": [
+        {}
+    ]
+}

package/endpoint/data_stream/api/_dev/test-ingest-timestamp.json

@@ -0,0 +1,12 @@
+{
+  "description": "Pipeline for setting event.ingested",
+  "processors": [
+    {
+      "set": {
+        "field": "event.ingested",
+        "value": "{{ _ingest.timestamp }}",
+        "ignore_failure": true
+      }
+    }
+  ]
+}