Adding library category to the schema (#2154)

* Adding library category to the schema * Change log * revert accidental commit * Correct gitignore * ignore from main to correct line endings, etc * make / make test / git add / commit / push * Update CHANGELOG.next.md --------- Co-authored-by: mo <[email protected]> Co-authored-by: Kylie Geller <[email protected]> Co-authored-by: Marc Guasch <[email protected]>
elastic · Feb 8, 2023 · d6c7c79 · d6c7c79
1 parent c6872ad
commit d6c7c79
Show file tree

Hide file tree

Showing 8 changed files with 50 additions and 1 deletion.
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -45,6 +45,7 @@ Thanks, you're awesome :-) -->
 #### Added
 
 * adding `name` field to `threat.indicator` #2121
+* adding `library` option to `event.category` #2154
 
 #### Improvements
 

diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
@@ -3389,7 +3389,7 @@ Note: this field should contain an array of values.
 
 *Important*: The field value must be one of the following:
 
-api, authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, threat, vulnerability, web
+api, authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, library, malware, network, package, process, registry, session, threat, vulnerability, web
 
 To learn more about when to use which value, visit the page
 <<ecs-allowed-values-event-category,allowed values for event.category>>

diff --git a/docs/fields/field-values.asciidoc b/docs/fields/field-values.asciidoc
@@ -142,6 +142,7 @@ This field is an array. This will allow proper categorization of some events tha
 * <<ecs-event-category-host,host>>
 * <<ecs-event-category-iam,iam>>
 * <<ecs-event-category-intrusion_detection,intrusion_detection>>
+* <<ecs-event-category-library,library>>
 * <<ecs-event-category-malware,malware>>
 * <<ecs-event-category-network,network>>
 * <<ecs-event-category-package,package>>
@@ -282,6 +283,18 @@ Relating to intrusion detections from IDS/IPS systems and functions, both networ
 allowed, denied, info
 
 
+[float]
+[[ecs-event-category-library]]
+==== library
+
+Events in this category refer to the loading of a library, such as (dll / so / dynlib), into a process. Use this category to visualize and analyze library loading related activity on hosts.  Keep in mind that driver related activity will be captured under the "driver" category above.
+
+
+*Expected event types for category library:*
+
+start
+
+
 [float]
 [[ecs-event-category-malware]]
 ==== malware

diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
@@ -3064,6 +3064,13 @@ event.category:
     - denied
     - info
     name: intrusion_detection
+  - description: Events in this category refer to the loading of a library, such as
+      (dll / so / dynlib), into a process. Use this category to visualize and analyze
+      library loading related activity on hosts.  Keep in mind that driver related
+      activity will be captured under the "driver" category above.
+    expected_event_types:
+    - start
+    name: library
   - description: Malware detection events and alerts. Use this category to visualize
       and analyze malware detections from EDR/EPP systems such as Elastic Endpoint
       Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems

diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
@@ -4056,6 +4056,13 @@ event:
         - denied
         - info
         name: intrusion_detection
+      - description: Events in this category refer to the loading of a library, such
+          as (dll / so / dynlib), into a process. Use this category to visualize and
+          analyze library loading related activity on hosts.  Keep in mind that driver
+          related activity will be captured under the "driver" category above.
+        expected_event_types:
+        - start
+        name: library
       - description: Malware detection events and alerts. Use this category to visualize
           and analyze malware detections from EDR/EPP systems such as Elastic Endpoint
           Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS

diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
@@ -2995,6 +2995,13 @@ event.category:
     - denied
     - info
     name: intrusion_detection
+  - description: Events in this category refer to the loading of a library, such as
+      (dll / so / dynlib), into a process. Use this category to visualize and analyze
+      library loading related activity on hosts.  Keep in mind that driver related
+      activity will be captured under the "driver" category above.
+    expected_event_types:
+    - start
+    name: library
   - description: Malware detection events and alerts. Use this category to visualize
       and analyze malware detections from EDR/EPP systems such as Elastic Endpoint
       Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems

diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
@@ -3976,6 +3976,13 @@ event:
         - denied
         - info
         name: intrusion_detection
+      - description: Events in this category refer to the loading of a library, such
+          as (dll / so / dynlib), into a process. Use this category to visualize and
+          analyze library loading related activity on hosts.  Keep in mind that driver
+          related activity will be captured under the "driver" category above.
+        expected_event_types:
+        - start
+        name: library
       - description: Malware detection events and alerts. Use this category to visualize
           and analyze malware detections from EDR/EPP systems such as Elastic Endpoint
           Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS

diff --git a/schemas/event.yml b/schemas/event.yml
@@ -283,6 +283,13 @@
             - allowed
             - denied
             - info
+        - name: library
+          description: >
+            Events in this category refer to the loading of a library, such as (dll / so / dynlib), into a process.
+            Use this category to visualize and analyze library loading related activity on
+            hosts.  Keep in mind that driver related activity will be captured under the "driver" category above.
+          expected_event_types:
+            - start
         - name: malware
           description: >
             Malware detection events and alerts. Use this category to visualize and analyze