New value for event.category: api #2138
Labels: 8.7.0, categorization, discuss, endpoint (Relevant to elastic endpoint security), enhancement (New feature or request)
Summary

Elastic Endpoint is working on expanding its data collection capabilities. The existing values for the event.category field don't match the nature of these events, since we're collecting raw information from the host operating system, so using one of the existing values might lead to confusion.

Motivation

We suggest adding a new value for event.category: api. The new value would be used to categorize information collected from various OS APIs or logging facilities, and would offer access to the parameters passed to the API. This allows retrieving raw events as they happened on the host.

Detailed Design

Provide additional details around the design of the proposed changes.

event.category: api
event.type will use existing values.

Endpoint would use this category for in-memory credential dumping attempts on Windows through the OpenProcess/OpenThread API calls, or for ETW event collections.
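As an added illustration (not code from this issue, from ECS, or from Elastic Endpoint), the following Python shows what an endpoint document for a raw OpenProcess call could look like under the proposed categorization, with event.category set to the new value and event.type reusing an existing ECS value, plus a small validator that rejects documents whose category or type is not in the allowed lists. The allowed-value sets are reproduced from memory of ECS 8.x and may differ from the exact schema; the "api.name" / "api.parameters" field layout for the captured parameters is an assumption, and the sample event is constructed.

```python
"""Constructed example of the proposed event.category: api categorisation.

Added illustration, not code from the ECS issue or from Elastic Endpoint.
The allowed-value sets below are reproduced from memory of ECS 8.x, and the
field layout used to carry API parameters is an assumption.
"""
from typing import Any, Dict, List

# Existing ECS event.category allowed values plus the proposed "api".
EVENT_CATEGORIES = {
    "api", "authentication", "configuration", "database", "driver", "email",
    "file", "host", "iam", "intrusion_detection", "library", "malware",
    "network", "package", "process", "registry", "session", "threat",
    "vulnerability", "web",
}

# Existing ECS event.type allowed values; the proposal reuses these unchanged.
EVENT_TYPES = {
    "access", "admin", "allowed", "change", "connection", "creation",
    "deletion", "denied", "end", "error", "group", "indicator", "info",
    "installation", "protocol", "start", "user",
}


def make_api_event(api_name: str, params: Dict[str, Any],
                   caller_pid: int, outcome: str) -> Dict[str, Any]:
    """Build an ECS-style document for one raw OS API call.

    The call's parameters are kept verbatim under a custom field (assumed
    name: "api.parameters") so an analyst sees exactly what was requested,
    which is the point of the proposed category.
    """
    return {
        "event": {
            "kind": "event",
            "category": ["api"],      # proposed new value
            "type": ["access"],       # existing ECS value, unchanged
            "action": api_name,
            "outcome": outcome,
        },
        "process": {"pid": caller_pid},
        "api": {"name": api_name, "parameters": params},  # assumed field layout
    }


def validate_categorization(doc: Dict[str, Any]) -> List[str]:
    """Return the list of problems found; an empty list means the document
    is categorised with known event.category and event.type values."""
    problems: List[str] = []
    event = doc.get("event", {})
    categories = event.get("category", [])
    types = event.get("type", [])
    if not categories:
        problems.append("event.category is empty")
    for category in categories:
        if category not in EVENT_CATEGORIES:
            problems.append(f"unknown event.category value: {category}")
    for event_type in types:
        if event_type not in EVENT_TYPES:
            problems.append(f"unknown event.type value: {event_type}")
    return problems


# Constructed sample: one process requesting a handle to another process.
# Parameter names follow the Win32 OpenProcess signature; values are made up.
SAMPLE_EVENT = make_api_event(
    "OpenProcess",
    {"dwDesiredAccess": "0x1010", "bInheritHandle": False, "dwProcessId": 4321},
    caller_pid=1234,
    outcome="success",
)

if __name__ == "__main__":
    print(validate_categorization(SAMPLE_EVENT))  # []
```

With the category present, a detection rule only needs to filter on event.category:api and the API name to find these records, while the validator catches ingest pipelines that still emit the older, mismatched categories for raw API data.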