Keylogging (Win32k ETW) API Event metrics (#395)

* add metrics for keylogging events * generate the yaml files * update the yml file based on the prereview * add sample values to sample_event.json * fix the typo * update the sample_event.json * update the name

Author: AsuNa-jp

custom_schemas/custom_endpoint.yml

@@ -908,6 +908,18 @@
  index: false
  description: The total milliseconds spent queueing ETW Threat-Intelligence events for the process over the last week
 
+ - name: metrics.system_impact.win32k_events.week_ms
+ level: custom
+ type: unsigned_long
+ index: false
+ description: The total milliseconds spent on ETW Win32k events (currently, only keylogging events) for the process over the last week
+
+ - name: metrics.system_impact.win32k_events.week_idle_ms
+ level: custom
+ type: unsigned_long
+ index: false
+ description: The total milliseconds spent queueing ETW Win32k events (currently, only keylogging events) for the process over the last week
+
  - name: metrics.system_impact.process.executable
  level: custom
  type: unsigned_long

package/endpoint/data_stream/metrics/fields/fields.yml

@@ -640,6 +640,20 @@
  index: false
  doc_values: false
  default_field: false
+ - name: metrics.system_impact.win32k_events.week_idle_ms
+ level: custom
+ type: unsigned_long
+ description: The total milliseconds spent queueing ETW Win32k events (currently, only keylogging events) for the process over the last week
+ index: false
+ doc_values: false
+ default_field: false
+ - name: metrics.system_impact.win32k_events.week_ms
+ level: custom
+ type: unsigned_long
+ description: The total milliseconds spent on ETW Win32k events (currently, only keylogging events) for the process over the last week
+ index: false
+ doc_values: false
+ default_field: false
  - name: metrics.threads
  level: custom
  type: object

package/endpoint/data_stream/metrics/sample_event.json

@@ -43,13 +43,22 @@
  "week_ms": 8
  },
  "overall": {
- "week_ms": 11434
+ "week_ms": 11744
  },
  "authentication_events": {
  "week_ms": 155
  },
  "library_load_events": {
  "week_ms": 3028
+ },
+ "cred_access_events": {
+ "week_ms": 10
+ },
+ "threat_intelligence_events": {
+ "week_ms": 250
+ },
+ "win32k_events": {
+ "week_ms": 50
  }
  },
  {
@@ -77,10 +86,19 @@
  "week_ms": 3
  },
  "overall": {
- "week_ms": 7960
+ "week_ms": 8290
  },
  "library_load_events": {
  "week_ms": 7890
+ },
+ "cred_access_events": {
+ "week_ms": 20
+ },
+ "threat_intelligence_events": {
+ "week_ms": 300
+ },
+ "win32k_events": {
+ "week_ms": 10
  }
  },
  {
@@ -111,10 +129,13 @@
  "week_ms": 32
  },
  "overall": {
- "week_ms": 4686
+ "week_ms": 5046
  },
  "library_load_events": {
  "week_ms": 4
+ },
+ "threat_intelligence_events": {
+ "week_ms": 360
  }
  },
  {
@@ -139,13 +160,19 @@
  "week_ms": 83
  },
  "overall": {
- "week_ms": 3291
+ "week_ms": 4761
  },
  "authentication_events": {
  "week_ms": 3177
  },
  "library_load_events": {
  "week_ms": 26
+ },
+ "cred_access_events": {
+ "week_ms": 1350
+ },
+ "threat_intelligence_events": {
+ "week_ms": 120
  }
  },
  {
@@ -170,10 +197,13 @@
  "week_ms": 3
  },
  "overall": {
- "week_ms": 3011
+ "week_ms": 3261
  },
  "library_load_events": {
  "week_ms": 2966
+ },
+ "threat_intelligence_events": {
+ "week_ms": 250
  }
  },
  {
@@ -237,10 +267,13 @@
  "week_ms": 1
  },
  "overall": {
- "week_ms": 1012
+ "week_ms": 1162
  },
  "library_load_events": {
  "week_ms": 417
+ },
+ "threat_intelligence_events": {
+ "week_ms": 150
  }
  },
  {
@@ -271,10 +304,13 @@
  "week_ms": 8
  },
  "overall": {
- "week_ms": 818
+ "week_ms": 1068
  },
  "library_load_events": {
  "week_ms": 85
+ },
+ "threat_intelligence_events": {
+ "week_ms": 250
  }
  },
  {
@@ -321,10 +357,13 @@
  "week_ms": 4
  },
  "overall": {
- "week_ms": 694
+ "week_ms": 744
  },
  "library_load_events": {
  "week_ms": 3
+ },
+ "threat_intelligence_events": {
+ "week_ms": 50
  }
  },
  {
@@ -346,10 +385,13 @@
  "week_ms": 40
  },
  "overall": {
- "week_ms": 675
+ "week_ms": 795
  },
  "library_load_events": {
  "week_ms": 627
+ },
+ "threat_intelligence_events": {
+ "week_ms": 120
  }
  },
  {
@@ -377,10 +419,13 @@
  "week_ms": 1
  },
  "overall": {
- "week_ms": 569
+ "week_ms": 599
  },
  "library_load_events": {
  "week_ms": 61
+ },
+ "threat_intelligence_events": {
+ "week_ms": 30
  }
  },
  {
@@ -414,10 +459,13 @@
  "week_ms": 1
  },
  "overall": {
- "week_ms": 460
+ "week_ms": 480
  },
  "library_load_events": {
  "week_ms": 70
+ },
+ "threat_intelligence_events": {
+ "week_ms": 20
  }
  },
  {
@@ -445,7 +493,10 @@
  "week_ms": 2
  },
  "overall": {
- "week_ms": 454
+ "week_ms": 494
+ },
+ "threat_intelligence_events": {
+ "week_ms": 40
  }
  },
  {
@@ -489,13 +540,16 @@
  "week_ms": 124
  },
  "overall": {
- "week_ms": 406
+ "week_ms": 476
  },
  "authentication_events": {
  "week_ms": 8
  },
  "library_load_events": {
  "week_ms": 216
+ },
+ "threat_intelligence_events": {
+ "week_ms": 70
  }
  },
  {
@@ -558,10 +612,13 @@
  "week_ms": 5
  },
  "overall": {
- "week_ms": 295
+ "week_ms": 345
  },
  "library_load_events": {
  "week_ms": 14
+ },
+ "threat_intelligence_events": {
+ "week_ms": 50
  }
  }
  ],