Status: Closed
Labels: 8.7.0, categorization, discuss, endpoint (Relevant to elastic endpoint security), enhancement (New feature or request)
Description
Summary
Elastic Endpoint is working on expanding its data collection capabilities. The currently existing values for the event.category field don't match the nature of the events, as we're collecting raw information from the host operating system. So using one of the existing values might lead to confusion.
Motivation:
We suggest adding a new value for event.category: api. The new value would be used to categorize information collected from various OS APIs or logging, and would offer access to the parameters passed to the API. This allows retrieving raw events as they happened on the host.
Detailed Design:
Provide additional details around the design of the proposed changes.
- Field names and example values for the fields: event.category: api; event.type will use existing values.
- Any example events that map to the proposed use case(s): Endpoint would use such type for in-memory credential dumping attempts on Windows through the OpenProcess/OpenThread API calls, or ETW event collections.
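The following is an added example, not code from this issue, from ECS or from Elastic Endpoint. It sketches what an `event.category: api` document for an `OpenProcess` call could look like, checks the categorization against the allowed value sets, and runs the kind of detection the proposal enables over the raw parameters (a handle to lsass.exe opened with `PROCESS_VM_READ`, which credential dumpers need). The `process.*`, `event.*` paths and the allowed value lists are ECS; the `Target.process.*` and `process.Ext.api.*` field names are assumptions made here for illustration, as are the sample events.

```python
import json

# Windows process access rights from winnt.h. Reading LSASS memory needs at
# least PROCESS_VM_READ plus a query right (0x1010 or 0x1410 is typical).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# event.category values allowed by ECS 8.x, plus the "api" value proposed above.
ALLOWED_CATEGORIES = {
    "authentication", "configuration", "database", "driver", "email", "file",
    "host", "iam", "intrusion_detection", "malware", "network", "package",
    "process", "registry", "session", "threat", "vulnerability", "web",
    "api",  # proposed in this issue
}
# event.type keeps its existing ECS allowed values; the proposal adds none.
ALLOWED_TYPES = {
    "access", "admin", "allowed", "change", "connection", "creation", "deletion",
    "denied", "end", "error", "group", "indicator", "info", "installation",
    "protocol", "start", "user",
}


def build_api_event(api_name, caller_name, caller_pid, target_name, target_pid, desired_access):
    """Shape a raw OpenProcess/OpenThread call as an ECS-style document.

    `Target.process.*` and `process.Ext.api.*` are hypothetical field names
    assumed here to carry the target and the API parameters; they are not ECS.
    """
    return {
        "event": {
            "kind": "event",
            "category": ["api"],      # the proposed new value
            "type": ["access"],       # an existing event.type value
            "action": api_name,
            "module": "endpoint",
        },
        "process": {
            "name": caller_name,
            "pid": caller_pid,
            "Ext": {  # hypothetical: raw API name and the parameters passed to it
                "api": {"name": api_name, "parameters": {"desired_access": desired_access}}
            },
        },
        "Target": {"process": {"name": target_name, "pid": target_pid}},  # hypothetical
    }


def validate_event(event, allowed_categories=ALLOWED_CATEGORIES):
    """Return a list of categorization problems; an empty list means well-formed."""
    problems = []
    categories = event["event"].get("category", [])
    if not categories:
        problems.append("event.category is empty")
    for value in categories:
        if value not in allowed_categories:
            problems.append(f"event.category {value!r} is not an allowed value")
    for value in event["event"].get("type", []):
        if value not in ALLOWED_TYPES:
            problems.append(f"event.type {value!r} is not an allowed value")
    return problems


def is_lsass_memory_read(event):
    """Detection over the raw parameters: a handle to lsass.exe requested with
    rights sufficient to read its memory, the minimum a credential dumper needs."""
    if "api" not in event["event"].get("category", []):
        return False
    if event["event"].get("action") != "OpenProcess":
        return False
    target = event.get("Target", {}).get("process", {}).get("name", "")
    if target.lower() != "lsass.exe":
        return False
    access = event["process"]["Ext"]["api"]["parameters"]["desired_access"]
    return bool(access & PROCESS_VM_READ)


# Constructed sample events; not real telemetry.
BENIGN = build_api_event("OpenProcess", "taskmgr.exe", 4120, "notepad.exe", 7788,
                         PROCESS_QUERY_LIMITED_INFORMATION)
SUSPICIOUS = build_api_event("OpenProcess", "update_helper.exe", 5312, "lsass.exe", 672,
                             PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION)  # 0x1010

if __name__ == "__main__":
    for ev in (BENIGN, SUSPICIOUS):
        print(json.dumps(ev["event"]), validate_event(ev), is_lsass_memory_read(ev))
```

Without the proposed value, `validate_event(SUSPICIOUS, ALLOWED_CATEGORIES - {"api"})` rejects the document, which is the situation the issue describes: none of the existing categories fits a raw API call, and forcing it under `process` would hide the distinction the detection relies on.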