From db3698076bc57957d76735633071c796fef4cfec Mon Sep 17 00:00:00 2001 From: Michelle Bennett Date: Fri, 27 Jan 2023 14:10:46 -0600 Subject: [PATCH 1/7] Adding library category to the schema --- .gitignore | 1 + schemas/event.yml | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/.gitignore b/.gitignore index b914e71392..b20f4e953f 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,4 @@ experimental/generated/ecs/subset # patches are vital to cross-branch testing but don't want in GitHub *.patch +/.vs diff --git a/schemas/event.yml b/schemas/event.yml index 497d4e9898..f6e8768abd 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -265,6 +265,13 @@ - allowed - denied - info + - name: library + description: > + Events in this category refer to the loading of a library, such as (dll / so / dynlib), into a process. + Use this category to visualize and analyze library loading related activity on + hosts. Keep in mind that driver related activity will be captured under the "driver" category above. + expected_event_types: + - start - name: malware description: > Malware detection events and alerts. Use this category to visualize and analyze From ba4ffeaf25d4907cb441686c9d884edc3c7e3ad9 Mon Sep 17 00:00:00 2001 From: Michelle Bennett Date: Fri, 27 Jan 2023 14:32:26 -0600 Subject: [PATCH 2/7] Change log --- CHANGELOG.next.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index ae99bd76f4..1f14ef0fc2 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,6 +16,8 @@ Thanks, you're awesome :-) --> #### Added +* adding `library` option to `event.category` #2154 + #### Improvements #### Deprecated From a0a081a0daf436e9d4c313d7ec4a76cdcd921663 Mon Sep 17 00:00:00 2001 
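Review bot: The description added under `- name: library` in `schemas/event.yml` lists the formats as "(dll / so / dynlib)", but the macOS format is `.dylib`, and the parenthetical reads awkwardly; I would write `Events in this category refer to the loading of a library (e.g. a DLL, .so or .dylib) into a process.` The category lists only `start` under `expected_event_types`, so a source that also reports unloads (e.g. an ETW image-unload or `dlclose` event) has no sanctioned value — either add `end` or state in the description that unload events are out of scope. Detection content for DLL sideloading and injection depends on knowing which fields carry the loaded module's path, hash and code signature; if the schema's `dll.*` field set is the intended home for that data, a sentence pointing to it here would help (I am inferring that field set exists, so confirm against the schema). Note that this text is copied verbatim into the docs and `generated/` outputs in patch 6, so the wording fix belongs in `schemas/event.yml` before regenerating.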
From: Michelle Bennett <39916526+softengchick@users.noreply.github.com> Date: Fri, 27 Jan 2023 14:33:48 -0600 Subject: [PATCH 3/7] revert accidental commit --- .gitignore | 42 ++++++++++++++++++++---------------------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/.gitignore b/.gitignore index b20f4e953f..fe540a461d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,22 +1,20 @@ -.DS_Store -*.pyc -env -*.sw? - -build -.idea -*.iml -.vscode/* - -# experimental exclusions -experimental/generated/elasticsearch/6 -experimental/generated/docs - -# subset exclusions -generated/ecs/subset -experimental/generated/ecs/subset - -# patches are vital to cross-branch testing but don't want in GitHub -*.patch - -/.vs +.DS_Store +*.pyc +env +*.sw? + +build +.idea +*.iml +.vscode/* + +# experimental exclusions +experimental/generated/elasticsearch/6 +experimental/generated/docs + +# subset exclusions +generated/ecs/subset +experimental/generated/ecs/subset + +# patches are vital to cross-branch testing but don't want in GitHub +*.patch From c7fc3506e01555f1c7abe62ea9a092730012adee Mon Sep 17 00:00:00 2001 From: Michelle Bennett Date: Fri, 27 Jan 2023 14:37:41 -0600 Subject: [PATCH 4/7] Correct gitignore --- .gitignore | 40 +++++++++++++++++++--------------------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/.gitignore b/.gitignore index b20f4e953f..e76f9a1a49 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,22 +1,20 @@ -.DS_Store -*.pyc -env -*.sw? - -build -.idea -*.iml -.vscode/* - -# experimental exclusions -experimental/generated/elasticsearch/6 -experimental/generated/docs - -# subset exclusions -generated/ecs/subset -experimental/generated/ecs/subset - -# patches are vital to cross-branch testing but don't want in GitHub +.DS_Store +*.pyc +env +*.sw? + +build +.idea +*.iml +.vscode/* + +# experimental exclusions +experimental/generated/elasticsearch/6 +experimental/generated/docs + +# subset exclusions +generated/ecs/subset +experimental/generated/ecs/subset + +# patches are vital to cross-branch testing but don't want in GitHub *.patch - -/.vs From 0b1128969cfeb83f32205746014ba469833b45a7 Mon Sep 17 00:00:00 2001 From: Michelle Bennett Date: Fri, 27 Jan 2023 14:45:34 -0600 Subject: [PATCH 5/7] ignore from main to correct line endings, etc --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 721f216fa7..b914e71392 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,4 @@ experimental/generated/ecs/subset # patches are vital to cross-branch testing but don't want in GitHub *.patch + From d4e6c6525c8777e7a2e16eb5346045669083d183 Mon Sep 17 00:00:00 2001 From: mo Date: Mon, 30 Jan 2023 11:48:23 -0500 Subject: [PATCH 6/7] make / make test / git add / commit / push --- docs/fields/field-details.asciidoc | 2 +- docs/fields/field-values.asciidoc | 13 +++++++++++++ experimental/generated/ecs/ecs_flat.yml | 7 +++++++ experimental/generated/ecs/ecs_nested.yml | 7 +++++++ generated/ecs/ecs_flat.yml | 7 +++++++ generated/ecs/ecs_nested.yml | 7 +++++++ 6 files changed, 42 insertions(+), 1 deletion(-) diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index e62c6fa213..77b65dd85c 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
@@ -3389,7 +3389,7 @@ Note: this field should contain an array of values. *Important*: The field value must be one of the following: -authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, threat, vulnerability, web +authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, library, malware, network, package, process, registry, session, threat, vulnerability, web To learn more about when to use which value, visit the page <> diff --git a/docs/fields/field-values.asciidoc b/docs/fields/field-values.asciidoc index 3e784a7279..e9b56651ed 100644 --- a/docs/fields/field-values.asciidoc +++ b/docs/fields/field-values.asciidoc @@ -141,6 +141,7 @@ This field is an array. This will allow proper categorization of some events tha * <> * <> * <> +* <> * <> * <> * <> @@ -269,6 +270,18 @@ Relating to intrusion detections from IDS/IPS systems and functions, both networ allowed, denied, info +[float] +[[ecs-event-category-library]] +==== library + +Events in this category refer to the loading of a library, such as (dll / so / dynlib), into a process. Use this category to visualize and analyze library loading related activity on hosts. Keep in mind that driver related activity will be captured under the "driver" category above. + + +*Expected event types for category library:* + +start + + [float] [[ecs-event-category-malware]] ==== malware diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 8760da8d66..2b37fc8f10 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -3046,6 +3046,13 @@ event.category: - denied - info name: intrusion_detection + - description: Events in this category refer to the loading of a library, such as + (dll / so / dynlib), into a process. Use this category to visualize and analyze + library loading related activity on hosts. Keep in mind that driver related + activity will be captured under the "driver" category above. + expected_event_types: + - start + name: library - description: Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 9d49aca473..71e9f177aa 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -4038,6 +4038,13 @@ event: - denied - info name: intrusion_detection + - description: Events in this category refer to the loading of a library, such + as (dll / so / dynlib), into a process. Use this category to visualize and + analyze library loading related activity on hosts. Keep in mind that driver + related activity will be captured under the "driver" category above. + expected_event_types: + - start + name: library - description: Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 213111250e..55b0939704 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -2977,6 +2977,13 @@ event.category: - denied - info name: intrusion_detection + - description: Events in this category refer to the loading of a library, such as + (dll / so / dynlib), into a process. Use this category to visualize and analyze + library loading related activity on hosts. Keep in mind that driver related + activity will be captured under the "driver" category above. + expected_event_types: + - start + name: library - description: Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 021257cc6c..1186504ad3 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -3958,6 +3958,13 @@ event: - denied - info name: intrusion_detection + - description: Events in this category refer to the loading of a library, such + as (dll / so / dynlib), into a process. Use this category to visualize and + analyze library loading related activity on hosts. Keep in mind that driver + related activity will be captured under the "driver" category above. + expected_event_types: + - start + name: library - description: Malware detection events and alerts. Use this category to visualize and analyze malware detections from EDR/EPP systems such as Elastic Endpoint Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS From 98bda67a750a824960f5a1955a24e293822b95c6 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 8 Feb 2023 12:04:37 +0100 Subject: [PATCH 7/7] Update CHANGELOG.next.md --- CHANGELOG.next.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index a5df061d76..cb97279ef2 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md 
@@ -16,6 +16,8 @@ Thanks, you're awesome :-) --> #### Added +* adding `api` option to `event.category` #2147 + #### Improvements #### Deprecated @@ -36,8 +38,6 @@ Thanks, you're awesome :-) --> ## 8.7.0 (Soft Feature Freeze) -### Schema Changes - #### Bugfixes * remove duplicated `client.domain` definition #2120 @@ -45,13 +45,20 @@ Thanks, you're awesome :-) --> #### Added * adding `name` field to `threat.indicator` #2121 +* adding `library` option to `event.category` #2154 #### Improvements * Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124 * description for `host.name` definition updated to encourage use of FDQN #2122 -* adding `api` option to `event.category` #2147 -* adding `library` option to `event.category` #2154 + +## 8.6.1 + +### Schema Changes + +#### Bugfixes + +* Fixing `tlp_version` and `tlp` field for threat. #2156