[8.7] Add new data stream for API event types #328
Credential Access event schema

Hi @pzl - could you take a look when you get a chance? 🙏

@paul-tavares @pzl - I've been working with @calladoum-elastic on this - I can do the review. I added myself to the reviewers
| fields: | ||
| - name: handle_type | ||
| level: custom | ||
| type: keywork |
a typo here, should be keyword
fixed by f355012
| - name: desired_access | ||
| level: custom | ||
| type: keywork |
same here, should be keyword
fixed by f355012
package/endpoint/manifest.yml
| version: 8.7.0-next | ||
| categories: ["security", "cloud"] | ||
| # The package type. The options for now are [integration, input], more type might be added in the future. | ||
|
|
can you remove the whitespace from here so that we don't have a diff on the manifest?
reverted by 029ffaf
.bumpversion.cfg
| commit = True | ||
| parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\-(?P<release>[a-z]+)\.(?P<build>\d+))? | ||
| serialize = | ||
| serialize = |
can you revert the whitespace here so that we don't have a diff in this file?
reverted by 6b58626
@calladoum-elastic thank you for the changes. This LGTM! I also checked out the package and tried it in a stack. Also, when I stream your example document, the datastream is also created:

Hi! Is it ok to merge this PR or should there be a 2nd review? Thanks,

@calladoum-elastic - it's OK to merge with one review, thanks!
* Define the schema for CredentialAccess events under `process.Ext.api`
* Adds a generic schema for API
* Describes the schema of parameters for `Credential_access` API events
* Added missing files: manifest, ingest pipeline configuration and sample_Event
* Regenerated yamls: fields and api

Package endpoint - 8.7.0 containing this change is available at https://epr.elastic.co/search?package=endpoint


Related issues:
Change Summary
This PR adds a new data stream for collecting API events.
It also adds the fields for credential access events using the API data stream.
Sample values
Sample document:

```json
{
  "@timestamp": "2023-01-09T19:38:51.5141503Z",
  "Target": { "process": { "name": "lsass.exe", "pid": 956 } },
  "event": {
    "category": ["api"],
    "created": "2023-01-09T19:38:51.5141503Z",
    "id": "MvlgiHxIZtj1+Abi++++++ul",
    "kind": "event",
    "type": ["credential_access"]
  },
  "host": {
    "architecture": "x86_64",
    "hostname": "DESKTOP-OCG8CR6",
    "id": "dabadaba-0000-0000-0000-000000000000",
    "ip": ["169.254.104.226", "fe80::6037:d589:2ee9:772f", "172.22.6.230", "fe80::80ea:8e8d:e1f2:6622", "169.254.74.35", "fe80::900c:a9d3:fd8:9345", "127.0.0.1", "::1"],
    "mac": ["00:15:5d:00:09:18", "00:15:5d:00:09:19", "00:15:5d:00:09:17"],
    "name": "DESKTOP-OCG8CR6",
    "os": {
      "Ext": { "variant": "Windows 11 Enterprise N" },
      "family": "windows",
      "full": "Windows 11 Enterprise N 22H2 (10.0.22621.963)",
      "kernel": "22H2 (10.0.22621.963)",
      "name": "Windows",
      "platform": "windows",
      "type": "windows",
      "version": "22H2 (10.0.22621.963)"
    }
  },
  "message": "Endpoint credential access event",
  "process": {
    "Ext": {
      "ancestry": [
        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTgxMi0xNjczMjkxNTMzLjcxNjczMTgwMA==",
        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTQ5NjAtMTY3Mjk2NTgzMC4yODc0OTYxMDA=",
        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTY2MjgtMTY3Mjk2NTc3Mi41MTg4MDA1MDA=",
        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTQ2MDAtMTY3Mjk2NTcxMy40NzY1NDUyMDA="
      ],
      "api": {
        "name": "OpenProcess",
        "parameters": {
          "desired_access": ["PROCESS_QUERY_LIMITED_INFORMATION", "PROCESS_VM_READ"],
          "desired_access_numeric": 4112,
          "handle_type": "process"
        }
      }
    },
    "entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTkxNi0xNjczMjkzMTMwLjk0NjAwMjAw",
    "executable": "c\\git\\endpoint-dev\\Tools\\Leia\\modules\\exe_malware\\mimikatz.exe",
    "name": "mimikatz.exe",
    "pid": 916,
    "thread": {
      "Ext": {
        "call_stack": [
          { "instruction_pointer": 140717353267908, "module_path": "C:\\Windows\\System32\\ntdll.dll" },
          { "instruction_pointer": 140717309764254, "module_path": "C:\\Windows\\System32\\KernelBase.dll" },
          { "instruction_pointer": 140697175487234, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" },
          { "instruction_pointer": 140697175488197, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" },
          { "instruction_pointer": 140697175487041, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" },
          { "instruction_pointer": 140697175277748, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" },
          { "instruction_pointer": 140697175277292, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" },
          { "instruction_pointer": 140697175276599, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" },
          { "instruction_pointer": 140697175514281, "module_path": "c\\users\\user\\desktop\\mimikatz.exe" }
        ],
        "call_stack_contains_unbacked": false,
        "call_stack_final_user_module": { "path": "mimikatz.exe" }
      },
      "id": 11628
    }
  },
  "user": {
    "domain": "DESKTOP-OCG8CR6",
    "id": "S-1-5-21-3820246941-898183108-3095036578-1001",
    "name": "User"
  }
}
```

Release Target
8.7
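An added example, not code from this PR or the endpoint package, that works with the event shape shown in the sample document: it decodes `desired_access_numeric` into the named rights, checks that the numeric mask and the `desired_access` array agree, and flags the pattern the sample records (a process handle to `lsass.exe` requested with memory-read rights). The access-right values are the Windows SDK constants; `make_event` and the benign counterpart event are constructed here for illustration.

```python
# Win32 process access rights (Windows SDK values) for the names that can
# appear in process.Ext.api.parameters.desired_access.
PROCESS_ACCESS_RIGHTS = {
    "PROCESS_CREATE_THREAD": 0x0002,
    "PROCESS_VM_OPERATION": 0x0008,
    "PROCESS_VM_READ": 0x0010,
    "PROCESS_VM_WRITE": 0x0020,
    "PROCESS_DUP_HANDLE": 0x0040,
    "PROCESS_QUERY_INFORMATION": 0x0400,
    "PROCESS_QUERY_LIMITED_INFORMATION": 0x1000,
}
# Rights that let the caller read or alter another process's memory.
MEMORY_ACCESS_RIGHTS = {"PROCESS_VM_READ", "PROCESS_VM_WRITE", "PROCESS_VM_OPERATION"}

def decode_desired_access(numeric):
    """Expand desired_access_numeric into the sorted list of named rights it sets."""
    return sorted(name for name, bit in PROCESS_ACCESS_RIGHTS.items() if numeric & bit)

def is_consistent(event):
    """True when an event's numeric mask and its desired_access name array agree."""
    params = event["process"]["Ext"]["api"]["parameters"]
    return decode_desired_access(params["desired_access_numeric"]) == sorted(params["desired_access"])

def flags_lsass_memory_access(event):
    """True for an api event in which a process opened lsass.exe with memory rights."""
    if "api" not in event.get("event", {}).get("category", []):
        return False
    api = event["process"]["Ext"]["api"]
    if api["name"] != "OpenProcess" or api["parameters"]["handle_type"] != "process":
        return False
    target = event.get("Target", {}).get("process", {}).get("name", "").lower()
    rights = set(decode_desired_access(api["parameters"]["desired_access_numeric"]))
    return target == "lsass.exe" and bool(rights & MEMORY_ACCESS_RIGHTS)

def make_event(caller, target, rights, numeric):
    """Constructed minimal event in the PR's document shape (only the fields used above)."""
    return {"Target": {"process": {"name": target}},
            "event": {"category": ["api"], "type": ["credential_access"]},
            "process": {"name": caller, "Ext": {"api": {"name": "OpenProcess", "parameters": {
                "desired_access": rights, "desired_access_numeric": numeric, "handle_type": "process"}}}}}

# Constructed from the PR's sample document: mimikatz.exe opening lsass.exe with mask 4112 (0x1010).
SAMPLE_EVENT = make_event("mimikatz.exe", "lsass.exe", ["PROCESS_QUERY_LIMITED_INFORMATION", "PROCESS_VM_READ"], 4112)
# Constructed benign counterpart: a query-only handle to a process other than lsass.exe.
BENIGN_EVENT = make_event("taskmgr.exe", "notepad.exe", ["PROCESS_QUERY_LIMITED_INFORMATION"], 4096)
```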
Q/A
For mapping changes:
* I ran `make` after making the schema changes, and committed all changes
* If this is a `metadata` change, I also updated both transform destination schemas to match
For Transform changes: