Commit 75b784f

magermarkpzl
authored and committed
[9.0.1] AMSI API changes for behavior rule alerts - process.Ext.api.parameters.content_name (#609)
* Entries for process.Ext.api.parameters and process.Ext.api.parameters.content_name
* Added process.Ext.api.parameters.app_name
* custom_subsets changes for process.Ext.api.parameters.content_name and process.Ext.api.parameters.app_name
* Add fields under parameters
* testing
* Test Windows
* Revert Windows change
* Revert .bat
* Remove test
* Remove test_name
* Generated changes
1 parent ee9fdce commit 75b784f

4 files changed

+60
-0
lines changed

custom_subsets/elastic_endpoint/alerts/rule_detection_event.yaml

Lines changed: 4 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -30,6 +30,10 @@ fields:
3030
name: {}
3131
summary: {}
3232
behaviors: {}
33+
parameters:
34+
fields:
35+
app_name: {}
36+
content_name: {}
3337
created_suspended: {}
3438
token:
3539
fields:
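Review bot: the `parameters` subset added under the API block lists only `app_name` and `content_name`, so any further AMSI scan parameter the endpoint emits later will need an entry here as well as in fields.yml; a one-line comment above `parameters:` saying the two files must be kept in step would save the next contributor a round trip. The nesting itself (`parameters:` / `fields:` / `app_name: {}` / `content_name: {}`) matches the `Ext.api.parameters.*` field names this commit adds to fields.yml.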

package/endpoint/data_stream/alerts/fields/fields.yml

Lines changed: 19 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -4553,6 +4553,25 @@
45534553
description: The name of the API, usually the name of the function or system call.
45544554
example: VirtualAlloc
45554555
default_field: false
4556+
- name: Ext.api.parameters
4557+
level: custom
4558+
type: object
4559+
description: Parameter values passed to the API call.
4560+
default_field: false
4561+
- name: Ext.api.parameters.app_name
4562+
level: custom
4563+
type: keyword
4564+
ignore_above: 1024
4565+
description: The application name requesting the AMSI scan.
4566+
example: PowerShell
4567+
default_field: false
4568+
- name: Ext.api.parameters.content_name
4569+
level: custom
4570+
type: keyword
4571+
ignore_above: 1024
4572+
description: The content name, typically a filename, associated with an AMSI scan.
4573+
example: C:\script.ps1
4574+
default_field: false
45564575
- name: Ext.api.summary
45574576
level: custom
45584577
type: keyword
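Review bot: the description of `Ext.api.parameters` ("Parameter values passed to the API call.") is generic, while the only subfields defined under it, `app_name` and `content_name`, are AMSI-specific (their descriptions and examples name AMSI, `PowerShell` and a `.ps1` path); consider stating in the parent description that the set of parameters depends on the API, for example "Parameter values passed to the API call. For AMSI scans these are app_name and content_name." A second documentation point on `content_name`: with `ignore_above: 1024`, a path longer than 1024 characters is kept only in `_source` and is not indexed for that keyword field, so a detection rule that filters on `content_name` will not match such an event; if long paths are expected from AMSI callers, either raise the limit or mention the cut-off in the description.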

package/endpoint/docs/README.md

Lines changed: 3 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -653,6 +653,9 @@ sent by the endpoint.
653653
| process.Ext.ancestry | An array of entity_ids indicating the ancestors for this event | keyword |
654654
| process.Ext.api.behaviors | A list of observed behaviors. "cross-process" - the observed activity was between two processes "parent-child" - the observed activity was between a parent process and its child "native_api" - a call was made directly to the Native API rather than the Win32 API "direct_syscall" - a syscall instruction originated outside of the Native API layer "proxy_call" - the call stack may indicate of a proxied API call to mask the true source "sensitive_api" - executable non-image memory is unexpectedly calling a sensitive API "shellcode" - suspicious executable non-image memory is calling a sensitive API "image_hooked" - an entry in the callstack appears to have been hooked "image_indirect_call" - an entry in the callstack was preceded by a call to a dynamically resolved function "image_rop" - no call instruction preceded an entry in the call stack "image_rwx" - an entry in the callstack is writable "unbacked_rwx" - an entry in the callstack is non-image and writable "truncated_stack" - call stack is unexpected truncated due to malicious tampering or system load "allocate_shellcode" - a region of non-image executable memory allocated more executable memory "execute_fluctuation" - the PAGE_EXECUTE protection is unexpectedly fluctuating "write_fluctuation" - the PAGE_WRITE protection of executable memory is unexpectedly fluctuating "hook_api" - a change to the memory protection of a small executable image memory region was made "hollow_image" - a change to the memory protection of a large executable image memory region was made "hook_unbacked" - a change to the memory protection of a small executable non-image memory was made "hollow_unbacked" - a change to the memory protection of a large executable non-image memory was made "guarded_code" - executable memory was unexpectedly marked as PAGE_GUARD "hidden_code" - executable memory was unexpectedly marked as PAGE_NOACCESS "execute_shellcode" - a region of non-image executable memory was unexpectedly 
transferred control "hardware_breakpoint_set" - a hardware breakpoint was set "rapid_background_polling" - a suspicious process which does rapid input polling via GetAsyncKeyState API was observed "multiple_polling_processes" - multiple suspicious processes which do rapid input polling via the GetAsyncKeyState API were observed "pid_spoofing" - The acting process details may have been spoofed to hide the true origin "legacy_api" - a deprecated or superseded API was called | keyword |
655655
| process.Ext.api.name | The name of the API, usually the name of the function or system call. | keyword |
656+
| process.Ext.api.parameters | Parameter values passed to the API call. | object |
657+
| process.Ext.api.parameters.app_name | The application name requesting the AMSI scan. | keyword |
658+
| process.Ext.api.parameters.content_name | The content name, typically a filename, associated with an AMSI scan. | keyword |
656659
| process.Ext.api.summary | The summary of the API call and its parameters. | keyword |
657660
| process.Ext.architecture | Process architecture. It can differ from host architecture. | keyword |
658661
| process.Ext.authentication_id | Process authentication ID | keyword |
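Review bot: the three new rows are in the right alphabetical position and repeat the fields.yml descriptions verbatim, but the `process.Ext.api.parameters` row is typed `object`, i.e. a container with no searchable value of its own, and nothing in the table tells a reader that `app_name` and `content_name` are the fields to query. Since the commit message lists this README among the "Generated changes", the wording should be fixed in the fields.yml description and the docs regenerated rather than edited here by hand.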

schemas/v1/alerts/rule_detection_event.yaml

Lines changed: 34 additions & 0 deletions
Generated file; the diff is not rendered.
