elastic · AsuNa-jp · Sep 24, 2024 · Sep 19, 2024 · Sep 19, 2024 · Sep 19, 2024
@@ -0,0 +1,93 @@
+# Windows Win32k API
+
+- OS: Windows
+- Data Stream: `logs-endpoint.events.api-*`
+- KQL: `event.dataset : "endpoint.events.api" and event.module : "endpoint" and event.provider : "Microsoft-Windows-Win32k" and host.os.type : "windows"`
+
+This event is generated when keylogging-related Win32k APIs are called.
+
+| Field |
+|---|
+| @timestamp |
+| Target.process.name |
+| Target.process.pid |
+| agent.id |
+| agent.type |
+| agent.version |
+| data_stream.dataset |
+| data_stream.namespace |
+| data_stream.type |
+| ecs.version |
+| elastic.agent.id |
+| event.category |
+| event.created |
+| event.dataset |
+| event.id |
+| event.kind |
+| event.module |
+| event.outcome |
+| event.provider |
+| event.sequence |
+| event.type |
+| host.architecture |
+| host.hostname |
+| host.id |
+| host.ip |
+| host.mac |
+| host.name |
+| host.os.Ext.variant |
+| host.os.family |
+| host.os.full |
+| host.os.kernel |
+| host.os.name |
+| host.os.platform |
+| host.os.type |
+| host.os.version |
+| message |
+| process.Ext.ancestry |
+| process.Ext.api.name |
+| process.Ext.api.summary |
+| process.Ext.api.behaviors |
+| process.Ext.api.metadata.target_address_name |
+| process.Ext.api.metadata.target_address_path |
+| process.Ext.api.metadata.return_value |
+| process.Ext.api.metadata.windows_count |
+| process.Ext.api.metadata.visible_windows_count |
+| process.Ext.api.metadata.thread_info_flags |
+| process.Ext.api.metadata.start_address_module |
+| process.Ext.api.metadata.start_address_allocation_protection |
+| process.Ext.api.metadata.procedure_symbol |
+| process.Ext.api.metadata.ms_since_last_keyevent |
+| process.Ext.api.metadata.background_callcount |
+| process.Ext.api.parameters.address |
+| process.Ext.api.parameters.size |
+| process.Ext.api.parameters.protection |
+| process.Ext.api.parameters.protection_old |
+| process.Ext.api.parameters.allocation_type |
+| process.Ext.api.parameters.procedure |
+| process.Ext.api.parameters.context_flags |
+| process.Ext.api.parameters.usage_page |
+| process.Ext.api.parameters.usage |
+| process.Ext.api.parameters.flags |
+| process.Ext.api.parameters.hook_type |
+| process.Ext.api.parameters.hook_module |
+| process.Ext.code_signature.exists |
+| process.Ext.code_signature.status |
+| process.Ext.code_signature.subject_name |
+| process.Ext.code_signature.trusted |
+| process.Ext.token.integrity_level_name |
+| process.code_signature.exists |
+| process.code_signature.status |
+| process.code_signature.subject_name |
+| process.code_signature.trusted |
+| process.parent.executable |
+| process.command_line |
+| process.entity_id |
+| process.executable |
+| process.name |
+| process.pid |
+| process.thread.id |
+| user.domain |
+| user.id |
+| user.name |
+
@@ -0,0 +1,78 @@
+# Windows API
+
+- OS: Windows
+- Data Stream: `logs-endpoint.events.api-*`
+- KQL: `event.dataset : "endpoint.events.api" and event.module : "endpoint" and event.provider : "Microsoft-Windows-WMI-Activity" and host.os.type : "windows"`
+
+This event is generated when WMI Activity-related APIs are called.
+
+| Field |
+|---|
+| @timestamp |
+| Target.process.name |
+| Target.process.pid |
+| agent.id |
+| agent.type |
+| agent.version |
+| data_stream.dataset |
+| data_stream.namespace |
+| data_stream.type |
+| ecs.version |
+| elastic.agent.id |
+| event.category |
+| event.created |
+| event.dataset |
+| event.id |
+| event.kind |
+| event.module |
+| event.outcome |
+| event.provider |
+| event.sequence |
+| event.type |
+| host.architecture |
+| host.hostname |
+| host.id |
+| host.ip |
+| host.mac |
+| host.name |
+| host.os.Ext.variant |
+| host.os.family |
+| host.os.full |
+| host.os.kernel |
+| host.os.name |
+| host.os.platform |
+| host.os.type |
+| host.os.version |
+| message |
+| process.Ext.ancestry |
+| process.Ext.api.name |
+| process.Ext.api.summary |
+| process.Ext.api.behaviors |
+| process.Ext.api.metadata.client_machine |
+| process.Ext.api.metadata.client_machine_fqdn |
+| process.Ext.api.metadata.client_process_id |
+| process.Ext.api.metadata.client_is_local |
+| process.Ext.api.parameters.event_filter_name |
+| process.Ext.api.parameters.event_filter_details |
+| process.Ext.api.parameters.consumer_name |
+| process.Ext.api.parameters.consumer_type |
+| process.Ext.api.parameters.consumer_details |
+| process.Ext.api.parameters.namespace |
+| process.Ext.api.parameters.operation |
+| process.Ext.code_signature.exists |
+| process.Ext.code_signature.status |
+| process.Ext.code_signature.subject_name |
+| process.Ext.code_signature.trusted |
+| process.code_signature.exists |
+| process.code_signature.status |
+| process.code_signature.subject_name |
+| process.code_signature.trusted |
+| process.entity_id |
+| process.executable |
+| process.name |
+| process.pid |
+| process.thread.id |
+| user.domain |
+| user.id |
+| user.name |
+
@@ -39,6 +39,8 @@ This event is generated when a file is created.
 | file.extension |
 | file.hash.sha256 |
 | file.name |
+| file.origin_referrer_url |
+| file.origin_url |
 | file.path |
 | file.size |
 | host.architecture |

@@ -0,0 +1,96 @@
+overview:
+ name: Windows Win32k API
+ description: 'This event is generated when keylogging-related Win32k APIs are called.'
+identification:
+ filter:
+ event.dataset: endpoint.events.api
+ event.module: endpoint
+ event.provider: Microsoft-Windows-Win32k
+ host.os.type: windows
+ os:
+ - windows
+ data_stream: logs-endpoint.events.api-*
+fields:
+ endpoint:
+ - '@timestamp'
+ - Target.process.name
+ - Target.process.pid
+ - agent.id
+ - agent.type
+ - agent.version
+ - data_stream.dataset
+ - data_stream.namespace
+ - data_stream.type
+ - ecs.version
+ - elastic.agent.id
+ - event.category
+ - event.created
+ - event.dataset
+ - event.id
+ - event.kind
+ - event.module
+ - event.outcome
+ - event.provider
+ - event.sequence
+ - event.type
+ - host.architecture
+ - host.hostname
+ - host.id
+ - host.ip
+ - host.mac
+ - host.name
+ - host.os.Ext.variant
+ - host.os.family
+ - host.os.full
+ - host.os.kernel
+ - host.os.name
+ - host.os.platform
+ - host.os.type
+ - host.os.version
+ - message
+ - process.Ext.ancestry
+ - process.Ext.api.name
+ - process.Ext.api.summary
+ - process.Ext.api.behaviors
+ - process.Ext.api.metadata.target_address_name
+ - process.Ext.api.metadata.target_address_path
+ - process.Ext.api.metadata.return_value
+ - process.Ext.api.metadata.windows_count
+ - process.Ext.api.metadata.visible_windows_count
+ - process.Ext.api.metadata.thread_info_flags
+ - process.Ext.api.metadata.start_address_module
+ - process.Ext.api.metadata.start_address_allocation_protection
+ - process.Ext.api.metadata.procedure_symbol
+ - process.Ext.api.metadata.ms_since_last_keyevent
+ - process.Ext.api.metadata.background_callcount
+ - process.Ext.api.parameters.address
+ - process.Ext.api.parameters.size
+ - process.Ext.api.parameters.protection
+ - process.Ext.api.parameters.protection_old
+ - process.Ext.api.parameters.allocation_type
+ - process.Ext.api.parameters.procedure
+ - process.Ext.api.parameters.context_flags
+ - process.Ext.api.parameters.usage_page
+ - process.Ext.api.parameters.usage
+ - process.Ext.api.parameters.flags
+ - process.Ext.api.parameters.hook_type
+ - process.Ext.api.parameters.hook_module
+ - process.Ext.code_signature.exists
+ - process.Ext.code_signature.status
+ - process.Ext.code_signature.subject_name
+ - process.Ext.code_signature.trusted
+ - process.Ext.token.integrity_level_name
+ - process.code_signature.exists
+ - process.code_signature.status
+ - process.code_signature.subject_name
+ - process.code_signature.trusted
+ - process.parent.executable
+ - process.command_line
+ - process.entity_id
+ - process.executable
+ - process.name
+ - process.pid
+ - process.thread.id
+ - user.domain
+ - user.id
+ - user.name
@@ -0,0 +1,81 @@
+overview:
+ name: Windows API
+ description: 'This event is generated when WMI Activity-related APIs are called.'
+identification:
+ filter:
+ event.dataset: endpoint.events.api
+ event.module: endpoint
+ event.provider: Microsoft-Windows-WMI-Activity
+ host.os.type: windows
+ os:
+ - windows
+ data_stream: logs-endpoint.events.api-*
+fields:
+ endpoint:
+ - '@timestamp'
+ - Target.process.name
+ - Target.process.pid
+ - agent.id
+ - agent.type
+ - agent.version
+ - data_stream.dataset
+ - data_stream.namespace
+ - data_stream.type
+ - ecs.version
+ - elastic.agent.id
+ - event.category
+ - event.created
+ - event.dataset
+ - event.id
+ - event.kind
+ - event.module
+ - event.outcome
+ - event.provider
+ - event.sequence
+ - event.type
+ - host.architecture
+ - host.hostname
+ - host.id
+ - host.ip
+ - host.mac
+ - host.name
+ - host.os.Ext.variant
+ - host.os.family
+ - host.os.full
+ - host.os.kernel
+ - host.os.name
+ - host.os.platform
+ - host.os.type
+ - host.os.version
+ - message
+ - process.Ext.ancestry
+ - process.Ext.api.name
+ - process.Ext.api.summary
+ - process.Ext.api.behaviors
+ - process.Ext.api.metadata.client_machine
+ - process.Ext.api.metadata.client_machine_fqdn
+ - process.Ext.api.metadata.client_process_id
+ - process.Ext.api.metadata.client_is_local
+ - process.Ext.api.parameters.event_filter_name
+ - process.Ext.api.parameters.event_filter_details
+ - process.Ext.api.parameters.consumer_name
+ - process.Ext.api.parameters.consumer_type
+ - process.Ext.api.parameters.consumer_details
+ - process.Ext.api.parameters.namespace
+ - process.Ext.api.parameters.operation
+ - process.Ext.code_signature.exists
+ - process.Ext.code_signature.status
+ - process.Ext.code_signature.subject_name
+ - process.Ext.code_signature.trusted
+ - process.code_signature.exists
+ - process.code_signature.status
+ - process.code_signature.subject_name
+ - process.code_signature.trusted
+ - process.entity_id
+ - process.executable
+ - process.name
+ - process.pid
+ - process.thread.id
+ - user.domain
+ - user.id
+ - user.name
@@ -44,6 +44,8 @@ fields:
  - file.extension
  - file.hash.sha256
  - file.name
+ - file.origin_referrer_url
+ - file.origin_url
  - file.path
  - file.size
  - host.architecture