From 589bcc938c6d6d6d702b75590dc7db3334e69d4e Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Mon, 26 Oct 2020 11:03:14 -0400 Subject: [PATCH 1/2] Add event.category session. --- docs/field-details.asciidoc | 2 +- docs/field-values.asciidoc | 13 +++++++++++++ experimental/generated/ecs/ecs_flat.yml | 10 ++++++++++ experimental/generated/ecs/ecs_nested.yml | 10 ++++++++++ generated/ecs/ecs_flat.yml | 10 ++++++++++ generated/ecs/ecs_nested.yml | 10 ++++++++++ schemas/event.yml | 9 +++++++++ 7 files changed, 63 insertions(+), 1 deletion(-) diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index f961b6fa89..a89a0bf6e1 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -1597,7 +1597,7 @@ Note: this field should contain an array of values. *Important*: The field value must be one of the following: -authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, web +authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, session, web To learn more about when to use which value, visit the page <> diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 1ef4b8e072..653b031cc2 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc @@ -144,6 +144,7 @@ that will require subsequent breaking changes. * <> * <> * <> +* <> * <> [float] 
@@ -298,6 +299,18 @@ Use this category of events to visualize and analyze process-specific informatio access, change, end, info, start +[float] +[[ecs-event-category-session]] +==== session + +The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections between assets. Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. + + +*Expected event types for category session:* + +start, end, info + + [float] [[ecs-event-category-web]] ==== web diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 13a7c32325..28898f42e2 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1774,6 +1774,16 @@ event.category: - info - start name: process + - description: The session category is applied to events and metrics regarding logical + persistent connections to hosts and services. Use this category to visualize + and analyze interactive or automated persistent connections between assets. + Data for this category may come from Windows Event logs, SSH logs, or stateless + sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index bfb2df366d..f17cc20d19 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -2168,6 +2168,16 @@ event: - info - start name: process + - description: The session category is applied to events and metrics regarding + logical persistent connections to hosts and services. Use this category + to visualize and analyze interactive or automated persistent connections + between assets. Data for this category may come from Windows Event logs, + SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 81a1ee4950..d085df9e87 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -1814,6 +1814,16 @@ event.category: - info - start name: process + - description: The session category is applied to events and metrics regarding logical + persistent connections to hosts and services. Use this category to visualize + and analyze interactive or automated persistent connections between assets. + Data for this category may come from Windows Event logs, SSH logs, or stateless + sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 1ca8779d5e..3bb3ce663b 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -2209,6 +2209,16 @@ event: - info - start name: process + - description: The session category is applied to events and metrics regarding + logical persistent connections to hosts and services. Use this category + to visualize and analyze interactive or automated persistent connections + between assets. Data for this category may come from Windows Event logs, + SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also diff --git a/schemas/event.yml b/schemas/event.yml index 6778790784..b4add99818 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -277,6 +277,15 @@ - end - info - start + - name: session + description: > + The session category is applied to events and metrics regarding logical persistent connections to hosts and services. + Use this category to visualize and analyze interactive or automated persistent connections between assets. + Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info - name: web description: > Relating to web server access. Use this category to create a dashboard of From a2d5f0d3c4ac5e96c08fe9b7dd99f2b0983c74c3 Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Mon, 26 Oct 2020 11:07:06 -0400 Subject: [PATCH 2/2] Changelog --- CHANGELOG.next.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index c53e8cf33b..ef673a8d71 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -10,6 +10,8 @@ Thanks, you're awesome :-) --> ### Schema Changes +* Added `event.category` "session". #1049 + #### Breaking changes #### Bugfixes
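Review bot: The `expected_event_types` list added for `session` in schemas/event.yml is ordered `start, end, info`, whereas the neighbouring `process` entry visible in the hunk context lists its types alphabetically (`end, info, start`), and the generated ecs_flat/ecs_nested hunks and the field-values.asciidoc text in this patch reproduce the new order verbatim. Since those files are derived from this schema, sorting the entry here — `- end`, `- info`, `- start` — and regenerating keeps the ordering consistent across all artifacts. The description also does not say how `session` relates to the existing `authentication` category, which a detection engineer mapping the Windows or SSH logs it mentions would need before choosing which category to emit for logon/logoff versus established-connection events; one sentence in the description stating that boundary would settle it. The intended boundary is not stated anywhere in this patch, so treat the wording as the author's call. The enclosing `event.category` allowed_values list continues outside the hunk.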