Summary
Endpoint currently uses the term "library" as an event.category, but that value does not actually exist in the allow list. There is really no other category that these types of events fit into, and it was determined that removing this classification would break existing rules, etc.
See: https://github.com/elastic/endpoint-dev/issues/11513 - for a discussion on the matter.
Motivation:
Already used in Endpoint and not feasible to remove, so we need to add it to ECS as an allowed category.
Detailed Design:
```yaml
- name: library
  description: >
    Events in this category refer to the loading of a library, such as (dll / so / dynlib), into a process.
    Use this category to visualize and analyze library loading related activity on
    hosts. Keep in mind that driver related activity will be captured under the "driver" category above.
  expected_event_types:
    - start
```
See the endpoint-dev issue above for samples of events already generated and used in rules, etc.
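As an added illustration (this is not ECS's own tooling and not code from the endpoint-dev issue), the check below shows why the missing allow-list entry matters: it validates a constructed Endpoint-style library-load event against a trimmed, constructed copy of the ECS `event.category` allow list, first without and then with the proposed `library` entry, and also enforces the `expected_event_types` pairing the RFC defines. The allow list, the sample event and the field values are assumptions made for the example.

```python
"""Validate event.category / event.type pairs against an ECS-style allow list.

Constructed example: a trimmed allow list modelled on the shape of ECS's
event.category allowed_values (name -> expected_event_types), plus a
constructed Endpoint-style library-load event.  Not ECS's own validator.
"""
from typing import Dict, List, Union

# Constructed, trimmed allow list: only two existing ECS categories are shown
# for contrast.  "library" is deliberately absent, matching the state the RFC
# describes before the change.
ECS_CATEGORIES_BEFORE: Dict[str, List[str]] = {
    "driver": ["change", "end", "info", "start"],
    "process": ["access", "change", "end", "info", "start"],
}

# The allowed value proposed in this RFC (name and expected_event_types only).
LIBRARY_ALLOWED_VALUE = {
    "name": "library",
    "expected_event_types": ["start"],
}


def with_library(allow_list: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return a copy of the allow list with the RFC's 'library' entry added."""
    updated = dict(allow_list)
    updated[LIBRARY_ALLOWED_VALUE["name"]] = list(
        LIBRARY_ALLOWED_VALUE["expected_event_types"]
    )
    return updated


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """ECS allows event.category / event.type as a string or an array."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def validate_event(event: dict, allow_list: Dict[str, List[str]]) -> List[str]:
    """Return a list of problems; an empty list means the event conforms.

    Each category must be in the allow list, and every event.type must be one
    of that category's expected_event_types.
    """
    problems: List[str] = []
    categories = _as_list(event.get("event", {}).get("category"))
    types = _as_list(event.get("event", {}).get("type"))
    for cat in categories:
        if cat not in allow_list:
            problems.append(f"category {cat!r} not in allow list")
            continue
        for event_type in types:
            if event_type not in allow_list[cat]:
                problems.append(
                    f"type {event_type!r} not expected for category {cat!r}"
                )
    return problems


# Constructed sample event, modelled on what an Endpoint library-load event
# looks like in ECS terms (field values are made up).
SAMPLE_LIBRARY_EVENT = {
    "event": {"kind": "event", "category": ["library"], "type": ["start"]},
    "process": {"name": "example.exe", "pid": 4242},
    "dll": {"name": "example.dll", "path": "C:\\constructed\\example.dll"},
}

if __name__ == "__main__":
    print("before:", validate_event(SAMPLE_LIBRARY_EVENT, ECS_CATEGORIES_BEFORE))
    print("after: ", validate_event(SAMPLE_LIBRARY_EVENT, with_library(ECS_CATEGORIES_BEFORE)))
```

Run stand-alone, the first line reports `category 'library' not in allow list` (the situation existing rules depend on today), and the second reports no problems once the entry is added; an event tagged `library` with an `event.type` other than `start` is still flagged, which is the constraint `expected_event_types` expresses.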