
Keylogging (Win32k ETW) API Event metrics #395

Merged: 7 commits, Aug 4, 2023

Conversation

AsuNa-jp
Contributor

@AsuNa-jp AsuNa-jp commented Jul 25, 2023

Change Summary

Adds new metrics fields for the keylogging events (ETW Win32k API Event provider).

Endpoint.metrics.system_impact.win32k_events.week_idle_ms
Endpoint.metrics.system_impact.win32k_events.week_ms

Release Target

These events are diagnostic in 8.10 and will be released in a future version.

For mapping changes:

  • I ran make after making the schema changes, and committed all changes
  • If these field(s) are "exception"-able, I made a companion PR to Kibana adding it (see Readme)
  • If this is a metadata change, I also updated both transform destination schemas to match

@AsuNa-jp AsuNa-jp self-assigned this Jul 28, 2023
@elastic elastic deleted a comment from elasticmachine Jul 28, 2023
@AsuNa-jp AsuNa-jp marked this pull request as ready for review July 28, 2023 10:00
@AsuNa-jp AsuNa-jp requested a review from a team as a code owner July 28, 2023 10:00
@AsuNa-jp AsuNa-jp marked this pull request as draft July 28, 2023 11:12
@AsuNa-jp AsuNa-jp marked this pull request as ready for review August 1, 2023 10:48
@AsuNa-jp
Contributor Author

AsuNa-jp commented Aug 3, 2023

Hi @parkiino @patrykkopycinski! I think this PR is ready to be merged, but please let me know if I need any modifications or something.

@pzl
Member

pzl commented Aug 3, 2023

@AsuNa-jp can you please add example values for these new fields to package/endpoint/data_stream/metrics/sample_event.json?

It is run as part of automated testing, equivalent to adding tests for the mapping changes. The document is indexed and verifies that all fields in the sample_event.json have a mapping entry, and that the types match.
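The mapping check described above, as an added stand-alone example (not the endpoint package's own test harness): the sample event is flattened into dotted field paths, every path must appear in the mapping, and the JSON value must fit the mapped type. The mapping dict and sample event are constructed here; the `long` type for the metrics fields is an assumption, not taken from the package's fields.yml.

```python
import json

# Constructed stand-in for the package's field mapping (dotted name -> ES type).
# Not the real endpoint package fields.yml; the names are the ones from the PR.
MAPPING = {
    "Endpoint.metrics.system_impact.win32k_events.week_idle_ms": "long",
    "Endpoint.metrics.system_impact.win32k_events.week_ms": "long",
    "Endpoint.metrics.system_impact.cred_access_events.week_ms": "long",
    "Endpoint.metrics.system_impact.threat_intelligence_events.week_ms": "long",
}

# JSON value shapes accepted for each mapped type (bool is an int in Python, so exclude it).
TYPE_CHECKS = {
    "long": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "keyword": lambda v: isinstance(v, str),
}

def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted field paths, the way Elasticsearch names fields."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out

def check_sample_event(sample_json, mapping=MAPPING):
    """Return problems found: fields with no mapping entry, or values of the wrong type."""
    problems = []
    for path, value in flatten(json.loads(sample_json)).items():
        if path not in mapping:
            problems.append(f"unmapped field: {path}")
            continue
        es_type = mapping[path]
        if not TYPE_CHECKS.get(es_type, lambda v: False)(value):
            problems.append(f"type mismatch: {path} is {es_type}, got {value!r}")
    return problems

# Constructed sample event: the win32k fields as added in the PR, plus one value of the
# wrong type and one misspelled field name, to show both failure modes the check catches.
SAMPLE_EVENT = """{"Endpoint": {"metrics": {"system_impact": {
  "win32k_events": {"week_idle_ms": 1200, "week_ms": 3400},
  "cred_access_events": {"week_ms": "500"},
  "threat_intel_events": {"week_ms": 42}}}}}"""

if __name__ == "__main__":
    for problem in check_sample_event(SAMPLE_EVENT):
        print(problem)
```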

@elastic elastic deleted a comment from elasticmachine Aug 4, 2023
@elasticmachine
Contributor

elasticmachine commented Aug 4, 2023

💚 Build Succeeded

Build stats

  • Start Time: 2023-08-04T13:48:45.741+0000

  • Duration: 8 min 32 sec


@AsuNa-jp
Contributor Author

AsuNa-jp commented Aug 4, 2023

@pzl

It is run as part of automated testing, equivalent to adding tests for the mapping changes.
Thanks for letting me know about the above.

I added the necessary fields and values in the sample_event.json. Furthermore, I also found missing fields and values (the following), so I added these to the sample_event.json too.

  • Endpoint.metrics.system_impact.cred_access_events.week_ms
  • Endpoint.metrics.system_impact.threat_intelligence_events.week_ms

I think it is now ready to be merged, but if I need any additional fixes, please feel free to let me know.

Member

@pzl pzl left a comment


looks great, thanks for adding that. you're good to merge whenever you're ready

@AsuNa-jp AsuNa-jp merged commit 71c6d6a into main Aug 4, 2023
@elasticmachine
Contributor

Package endpoint - 8.10.0 containing this change is available at https://epr.elastic.co/search?package=endpoint

@pzl pzl deleted the asuka_11924-win32k_metrics branch August 14, 2023 20:39