Keylogging (Win32k ETW) API Event (production)

[AsuNa-jp]

Change Summary

Adds new custom api fields for the keylogging events (ETW Win32k API Event provider).

Sample values

Below are examples of the custom API fields that will be added by this PR. The sample of the document is here (sample_event.json)

GetAsyncKeyState API's custom API fields

            "message": "Endpoint API event - GetAsyncKeyState",
            "process": {
                "Ext": {
                    "ancestry": [
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTEyMDg0LTE3MDA4MTI5MzguNzg0NzE0MjAw",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTExNTQwLTE3MDA4MTI5MzYuODYxNDY3MDAw",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTY2NC0xNzAwODExNzE1Ljk1MDA2NTIwMA==",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTUyOC0xNzAwODExNzE1LjgyMjg3MTUwMA=="
                    ],
                    "api": {
                        "behaviors": [
                            "rapid_background_polling",
                            "image_indirect_call"
                        ],
                        "metadata": {
                            "background_callcount": 223,
                            "ms_since_last_keyevent": 0
                        },
                        "name": "GetAsyncKeyState"
                    },

SetWindowsHookEx API's custom API fields

            "message": "Endpoint API event - SetWindowsHookEx",
            "process": {
                "Ext": {
                    "ancestry": [
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTM4NTYtMTcwMDgxMTkyMS42ODI1MjYxMDA=",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTQ1NjgtMTcwMDgxMTkyMS42NzMxNjcwMDA=",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTE3MDQtMTcwMDgxMTY5MC40NzM1MjcyMDA=",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTQyMTYtMTcwMDgxMTYxNS45NTM2MzY3MDA=",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTYxMjQtMTcwMDgxMTYxNC44MjM5NzczMDA=",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTYwNTYtMTcwMDgxMTYxNC43NjkzODEzMDA=",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTY4OC0xNzAwODExNTcxLjc4NjAwNjUwMA==",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTU0OC0xNzAwODExNTcxLjY3NDEyOTcwMA=="
                    ],
                    "api": {
                        "metadata": {
                            "procedure_symbol": "dinput8.dll"
                        },
                        "name": "SetWindowsHookEx",
                        "parameters": {
                            "hook_module": "c:\\windows\\system32\\dinput8.dll",
                            "hook_type": "WH_MOUSE_LL",
                            "procedure": 140707050053760
                        },
                        "summary": "SetWindowsHookEx( WH_MOUSE_LL, dinput8.dll )"
                    },

RegisterRawInputDevices API's custom API fields

            "message": "Endpoint API event - RegisterRawInputDevices",
            "process": {
                "Ext": {
                    "ancestry": [
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTM4NTYtMTcwMDgxMTkyMS42ODI1MjYxMDA=",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTQ1NjgtMTcwMDgxMTkyMS42NzMxNjcwMDA=",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTE3MDQtMTcwMDgxMTY5MC40NzM1MjcyMDA=",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTQyMTYtMTcwMDgxMTYxNS45NTM2MzY3MDA=",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTYxMjQtMTcwMDgxMTYxNC44MjM5NzczMDA=",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTYwNTYtMTcwMDgxMTYxNC43NjkzODEzMDA=",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTY4OC0xNzAwODExNTcxLjc4NjAwNjUwMA==",
                        "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTU0OC0xNzAwODExNTcxLjY3NDEyOTcwMA=="
                    ],
                    "api": {
                        "behaviors": [
                            "native_api",
                            "image_indirect_call"
                        ],
                        "metadata": {
                            "return_value": 1,
                            "start_address_allocation_protection": "RCX",
                            "start_address_module": "C:\\Python310\\python.exe",
                            "thread_info_flags": 16,
                            "visible_windows_count": 0,
                            "windows_count": 2
                        },
                        "name": "RegisterRawInputDevices",
                        "parameters": {
                            "flags": "INPUTSINK",
                            "usage": "KEYBOARD",
                            "usage_page": "GENERIC"
                        }
                    },

Sample document:

Release Target

8.12

Q/A

For mapping changes:

• I ran make after making the schema changes, and committed all changes
• If these field(s) are "exception"-able, I made a companion PR to Kibana adding it (see Readme)
• If this is a metadata change, I also updated both transform destination schemas to match

For Transform changes:

• The new transform successfully starts in Kibana
• The corresponding transform destination schema was updated if necessary

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-11-24T08:00:55.664+0000

• Duration: 7 min 11 sec

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[jdu2600]

We should also add sample entries for each of the new fields to package/endpoint/data_stream/api/sample_event.json
See #445 (comment)

[AsuNa-jp]

@jdu2600

We should also add sample entries for each of the new fields to

Thanks for letting me know about above. I was wondering how to add the sample event for my apis, so this was very helpful. Thank you!

[AsuNa-jp]

Hi @ashokaditya @tomsonpl
This PR is now ready to review & merge. When you have a moment could you take a look at this PR?
and, please let me know if I need any modifications or something.

(+ it seem that there is a bug in the buildkite side?)

  | kibana_version_condition = manifest_doc["conditions"]["kibana.version"]
  | KeyError: 'kibana.version'
  | 🚨 Error: The command exited with status 1

[AsuNa-jp]

CC: @elastic/security-defend-workflows

[tomsonpl]

@pzl Hey Dan, I hope you don't mind that I assigned you here. Could you help with the review? I am not familiar with endpoint-package enough. Thanks!

[ashokaditya]

Looks good to me. The CI steps need to pass though.

@pzl do you know why

endpoint-package/.buildkite/scripts/find_oldest_supported_version.py

Line 119 in 99d116c

kibana_version_condition = manifest_doc["conditions"]["kibana.version"]

doesn't work anymore. Looks like now manifest_doc["conditions"]["kibana"]["version"] works instead.

[pzl]

the required CI passes. Buildkite is always broken

this is ok to merge @AsuNa-jp

[AsuNa-jp]

@pzl @ashokaditya
Thank you very much for reviewing & approving this PR!

[elasticmachine]

Package endpoint - 8.12.0 containing this change is available at https://epr.elastic.co/search?package=endpoint