diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 5c0ee29b14..cb97279ef2 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -45,6 +45,7 @@ Thanks, you're awesome :-) -->
 #### Added
 * adding `name` field to `threat.indicator` #2121
+* adding `library` option to `event.category` #2154
 #### Improvements
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
index 55da09ba4b..2ad84cbb5b 100644
--- a/docs/fields/field-details.asciidoc
+++ b/docs/fields/field-details.asciidoc
@@ -3389,7 +3389,7 @@ Note: this field should contain an array of values.
 *Important*: The field value must be one of the following:
-api, authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, threat, vulnerability, web
+api, authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, library, malware, network, package, process, registry, session, threat, vulnerability, web
 To learn more about when to use which value, visit the page <>
diff --git a/docs/fields/field-values.asciidoc b/docs/fields/field-values.asciidoc
index a9d9837e36..3027b87c01 100644
--- a/docs/fields/field-values.asciidoc
+++ b/docs/fields/field-values.asciidoc
@@ -142,6 +142,7 @@ This field is an array. This will allow proper categorization of some events tha
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -282,6 +283,18 @@ Relating to intrusion detections from IDS/IPS systems and functions, both networ
 allowed, denied, info
+[float]
+[[ecs-event-category-library]]
+==== library
+
+Events in this category refer to the loading of a library, such as (dll / so / dynlib), into a process. Use this category to visualize and analyze library loading related activity on hosts. Keep in mind that driver related activity will be captured under the "driver" category above.
+
+ *Expected event types for category library:*
+
+start
+
+
 [float]
 [[ecs-event-category-malware]]
 ==== malware
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 86a3f53dee..cefedf2246 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -3064,6 +3064,13 @@ event.category:
 - denied
 - info
 name: intrusion_detection
+ - description: Events in this category refer to the loading of a library, such as
+ (dll / so / dynlib), into a process. Use this category to visualize and analyze
+ library loading related activity on hosts. Keep in mind that driver related
+ activity will be captured under the "driver" category above.
+ expected_event_types:
+ - start
+ name: library
 - description: Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 8730030db0..a07b20d01c 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -4056,6 +4056,13 @@ event:
 - denied
 - info
 name: intrusion_detection
+ - description: Events in this category refer to the loading of a library, such
+ as (dll / so / dynlib), into a process. Use this category to visualize and
+ analyze library loading related activity on hosts. Keep in mind that driver
+ related activity will be captured under the "driver" category above.
+ expected_event_types:
+ - start
+ name: library
 - description: Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index bf315beb1c..d16cb491d7 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -2995,6 +2995,13 @@ event.category:
 - denied
 - info
 name: intrusion_detection
+ - description: Events in this category refer to the loading of a library, such as
+ (dll / so / dynlib), into a process. Use this category to visualize and analyze
+ library loading related activity on hosts. Keep in mind that driver related
+ activity will be captured under the "driver" category above.
+ expected_event_types:
+ - start
+ name: library
 - description: Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 9e498aec5b..19800a8c22 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -3976,6 +3976,13 @@ event:
 - denied
 - info
 name: intrusion_detection
+ - description: Events in this category refer to the loading of a library, such
+ as (dll / so / dynlib), into a process. Use this category to visualize and
+ analyze library loading related activity on hosts. Keep in mind that driver
+ related activity will be captured under the "driver" category above.
+ expected_event_types:
+ - start
+ name: library
 - description: Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS
diff --git a/schemas/event.yml b/schemas/event.yml
index 765a250661..7082a7c2fd 100644
--- a/schemas/event.yml
+++ b/schemas/event.yml
@@ -283,6 +283,13 @@
 - allowed
 - denied
 - info
+ - name: library
+ description: >
+ Events in this category refer to the loading of a library, such as (dll / so / dynlib), into a process.
+ Use this category to visualize and analyze library loading related activity on
+ hosts. Keep in mind that driver related activity will be captured under the "driver" category above.
+ expected_event_types:
+ - start
 - name: malware
 description: >
 Malware detection events and alerts. Use this category to visualize and analyze
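Review bot: The new `library` description in schemas/event.yml spells the macOS shared-library extension as `dynlib`; the conventional extension is `.dylib`, so this looks like a typo, and the parenthetical `such as (dll / so / dynlib)` reads awkwardly in the folded scalar. The same sentence is copied verbatim into the generated ecs_flat.yml and ecs_nested.yml files (both `generated/` and `experimental/generated/`) and into docs/fields/field-values.asciidoc, so the fix belongs in this schema file and the copies presumably follow from regeneration. Suggested first line of the description: `Events in this category refer to the loading of a library, such as a DLL, .so or .dylib, into a process.` Only `start` is listed under `expected_event_types`; if library unload events are meant to fall under this category as well, `end` would need to be added, otherwise the description could say explicitly that unloads are out of scope so event producers do not have to guess.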