
Add Windows API Telemetry Category

Open · jdu2600 opened this issue 1 year ago · 1 comment

A Category for Win32 API telemetry would be useful.

These are a primary data source for most EDRs. This data is available from Kernel ETW (especially Threat-Intelligence) or user-mode hooks.

Possible APIs to include are -

  • Local Executable Memory Events
    • VirtualAlloc
    • VirtualProtect
    • MapViewOfFile
  • Remote Executable Memory Events
    • VirtualAllocEx
    • VirtualProtectEx
    • MapViewOfFile2
  • Remote Process Manipulation Events
    • QueueUserAPC
    • SuspendThread
    • SetThreadContext
    • WriteProcessMemory
  • Remote Process Collection Events
    • ReadProcessMemory
  • Driver Events
    • DeviceIoControl
  • Keylogging Events
    • RegisterRawInputDevices
    • SetWindowsHookEx
    • GetAsyncKeyState

jdu2600 · Oct 19 '24 09:10
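To show how a feed of API events would be mapped onto the subcategories proposed above, here is an added Python example (not EDR-Telemetry project code). It assumes a normalised event shape with `api`, `pid`, `target_pid` and `protect` fields, uses a constructed sample feed, and goes one step beyond the list by deciding local versus remote from the target process rather than from the Win32 wrapper name, since at the kernel (Nt*) level, which is where ETW sees the call, VirtualAlloc and VirtualAllocEx are the same operation.

```python
"""Map normalised API telemetry events onto the subcategories proposed in this issue."""
from typing import Optional

SUBCATEGORIES = ["Local Executable Memory", "Remote Executable Memory",
                 "Remote Process Manipulation", "Remote Process Collection",
                 "Driver", "Keylogging"]
# VirtualAlloc and VirtualAllocEx reach the kernel as the same Nt* call, so local vs
# remote is decided by the target process, not by which Win32 wrapper was used.
MEMORY_OPS = {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "VirtualProtectEx",
              "MapViewOfFile", "MapViewOfFile2"}
BY_NAME = {**{a: "Remote Process Manipulation" for a in
              ("QueueUserAPC", "SuspendThread", "SetThreadContext", "WriteProcessMemory")},
           "ReadProcessMemory": "Remote Process Collection",
           "DeviceIoControl": "Driver",
           **{a: "Keylogging" for a in
              ("RegisterRawInputDevices", "SetWindowsHookEx", "GetAsyncKeyState")}}
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE",
              "PAGE_EXECUTE_WRITECOPY"}

# Constructed sample feed; the field names (api, pid, target_pid, protect) are assumptions.
SAMPLE_EVENTS = [
    {"api": "VirtualAlloc", "pid": 4242, "target_pid": 4242, "protect": "PAGE_EXECUTE_READWRITE"},
    {"api": "VirtualAlloc", "pid": 4242, "target_pid": 4242, "protect": "PAGE_READWRITE"},
    {"api": "VirtualAllocEx", "pid": 4242, "target_pid": 4242, "protect": "PAGE_EXECUTE_READ"},
    {"api": "VirtualProtectEx", "pid": 4242, "target_pid": 1337, "protect": "PAGE_EXECUTE_READ"},
    {"api": "WriteProcessMemory", "pid": 4242, "target_pid": 1337},
    {"api": "SetWindowsHookEx", "pid": 5150},
    {"api": "NtCreateFile", "pid": 5150},  # not part of any proposed subcategory
]

def classify(event: dict) -> Optional[str]:
    """Return the proposed subcategory for one event, or None when it is out of scope."""
    api = event["api"]
    if api in MEMORY_OPS:
        if event.get("protect") not in EXECUTABLE:
            return None  # non-executable memory is not an event in these subcategories
        remote = event.get("target_pid", event["pid"]) != event["pid"]
        return "Remote Executable Memory" if remote else "Local Executable Memory"
    return BY_NAME.get(api)

def coverage(events: list) -> dict:
    """Count events per subcategory; a zero count is a telemetry gap a score should reflect."""
    counts = {name: 0 for name in SUBCATEGORIES}
    for ev in events:
        sub = classify(ev)
        if sub is not None:
            counts[sub] += 1
    return counts

if __name__ == "__main__":
    for name, n in coverage(SAMPLE_EVENTS).items():
        print(f"{name:30s} {n}")
```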

I see you like API telemetry too. 😃

jdu2600 · Jan 23 '25 08:01

Apologies for the delay on this. We needed to find a way to introduce new telemetry categories and subcategories without affecting the overall score. I'm now looking into implementing this as a new subcategory very soon.

tsale · Aug 25 '25 16:08