From add0cadbd05b616e4e6b0e87761449e0d83a712f Mon Sep 17 00:00:00 2001
From: ferullo
Date: Wed, 13 Sep 2023 11:40:34 -0400
Subject: [PATCH 1/2] add new windows fields

---
 .../data_stream/file/windows/windows_file_rename.yaml | 4 ++++
 .../src/endpoint/data_stream/metrics/metrics.yaml | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/custom_documentation/src/endpoint/data_stream/file/windows/windows_file_rename.yaml b/custom_documentation/src/endpoint/data_stream/file/windows/windows_file_rename.yaml
index a2c2129d5..16c3d0c64 100644
--- a/custom_documentation/src/endpoint/data_stream/file/windows/windows_file_rename.yaml
+++ b/custom_documentation/src/endpoint/data_stream/file/windows/windows_file_rename.yaml
@@ -15,6 +15,10 @@ identification:
 fields:
 endpoint:
 - '@timestamp'
+ - Effective_process.entity_id
+ - Effective_process.executable
+ - Effective_process.name
+ - Effective_process.pid
 - agent.id
 - agent.type
 - agent.version
diff --git a/custom_documentation/src/endpoint/data_stream/metrics/metrics.yaml b/custom_documentation/src/endpoint/data_stream/metrics/metrics.yaml
index b4f19a132..5561c00c5 100644
--- a/custom_documentation/src/endpoint/data_stream/metrics/metrics.yaml
+++ b/custom_documentation/src/endpoint/data_stream/metrics/metrics.yaml
@@ -125,6 +125,8 @@ fields:
 - Endpoint.metrics.system_impact.registry_events.week_ms
 - Endpoint.metrics.system_impact.threat_intelligence_events.week_idle_ms
 - Endpoint.metrics.system_impact.threat_intelligence_events.week_ms
+ - Endpoint.metrics.system_impact.win32k_events.week_idle_ms
+ - Endpoint.metrics.system_impact.win32k_events.week_ms
 - Endpoint.metrics.threads.cpu.mean
 - Endpoint.metrics.threads.name
 - Endpoint.metrics.uptime.endpoint

From 58f4cd61eac7923f1d983dc78ee269a1a93c18f9 Mon Sep 17 00:00:00 2001
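Review bot: The four added `Effective_process.*` entries are the only names in this list with a capitalized prefix; the surrounding entries (`'@timestamp'`, `agent.id`, `agent.type`, `agent.version`) are lowercase, and the entries sort before `agent.id` only under ASCII ordering because of that capital letter. Confirm the casing matches the field name the endpoint actually emits, since a documented name that differs from the indexed one by case will not resolve in queries or detection rules built from this documentation. If the capitalization is intentional, a one-line YAML comment above the group, e.g. `# Effective_process.*: capitalized deliberately to match the emitted field name; presumably the process acting on behalf of the caller — confirm against the endpoint schema`, would save the next reader the question. The same names are repeated in the rendered windows_file_rename.md hunk of the second patch, so any correction has to be applied there too; the enclosing `identification:` mapping starts before this hunk.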
From: ferullo
Date: Wed, 13 Sep 2023 11:44:04 -0400
Subject: [PATCH 2/2] add rendered files

---
 .../doc/endpoint/file/windows/windows_file_rename.md | 4 ++++
 custom_documentation/doc/endpoint/metrics/metrics.md | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/custom_documentation/doc/endpoint/file/windows/windows_file_rename.md b/custom_documentation/doc/endpoint/file/windows/windows_file_rename.md
index 684c7b1d0..91672a41d 100644
--- a/custom_documentation/doc/endpoint/file/windows/windows_file_rename.md
+++ b/custom_documentation/doc/endpoint/file/windows/windows_file_rename.md
@@ -10,6 +10,10 @@ This event is generated when a file is renamed.
 | Field |
 |---|
 | @timestamp |
+| Effective_process.entity_id |
+| Effective_process.executable |
+| Effective_process.name |
+| Effective_process.pid |
 | agent.id |
 | agent.type |
 | agent.version |
diff --git a/custom_documentation/doc/endpoint/metrics/metrics.md b/custom_documentation/doc/endpoint/metrics/metrics.md
index ad8ebc2c0..ced5a9691 100644
--- a/custom_documentation/doc/endpoint/metrics/metrics.md
+++ b/custom_documentation/doc/endpoint/metrics/metrics.md
@@ -118,6 +118,8 @@ This is an internal state management document that includes metrics on Endpoint'
 | Endpoint.metrics.system_impact.registry_events.week_ms |
 | Endpoint.metrics.system_impact.threat_intelligence_events.week_idle_ms |
 | Endpoint.metrics.system_impact.threat_intelligence_events.week_ms |
+| Endpoint.metrics.system_impact.win32k_events.week_idle_ms |
+| Endpoint.metrics.system_impact.win32k_events.week_ms |
 | Endpoint.metrics.threads.cpu.mean |
 | Endpoint.metrics.threads.name |
 | Endpoint.metrics.uptime.endpoint |