Set event category for event types ending with 'Written'

Author: navnit-elastic

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json

@@ -2805,6 +2805,9 @@
             },
             "event": {
                 "action": "GzipFileWritten",
+                "category": [
+                    "file"
+                ],
                 "created": "2021-07-07T17:05:04.614Z",
                 "id": "ffffffff-1111-11eb-9320-06d410e6f705|fffffffffc2c4e4fa9c08e1a8388e5f9|ffffffff15754bcfb5f9152ec7ac90ac",
                 "original": "{\"event_simpleName\":\"GzipFileWritten\",\"ContextTimeStamp\":\"1625677504.542\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"362897421906895953\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"FileIdentifier\":\"04000001000000000000000000000000501f510700000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"GzipFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-9320-06d410e6f705\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"fffffffffc2c4e4fa9c08e1a8388e5f9\",\"timestamp\":\"1625677504614\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/db/powerlog/Library/BatteryLife/Archives/powerlog_2021-07-05_CC5F9FC1.PLSQL.gz\"}"
@@ -6106,6 +6109,9 @@
             },
             "event": {
                 "action": "ELFFileWritten",
+                "category": [
+                    "file"
+                ],
                 "created": "2021-07-07T17:05:27.114Z",
                 "id": "ffffffff-1111-11eb-985c-02152dd35bc1|ffffffff28414c2293e35c360213e723|ffffffff15754bcfb5f9152ec7ac90ac",
                 "original": "{\"event_simpleName\":\"ELFFileWritten\",\"ContextTimeStamp\":\"1625677526.828\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"363122200934575406\",\"Size\":\"38798952\",\"ContextThreadId\":\"0\",\"aip\":\"67.43.156.14\",\"SHA256HashData\":\"35e590a61d32b72651b0cd23594d04f4671d79a843106136cf6abc324cc19027\",\"FileIdentifier\":\"040000010000000000000000000000006793f80200000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ELFFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-985c-02152dd35bc1\",\"ELFSubType\":\"4\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff28414c2293e35c360213e723\",\"timestamp\":\"1625677527114\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.M2zGjQ/_platform_specific/x86-64/zoom_x86_64.nexe\"}"
@@ -11175,6 +11181,9 @@
             },
             "event": {
                 "action": "creation",
+                "category": [
+                    "file"
+                ],
                 "created": "2020-11-08T15:57:11.298Z",
                 "id": "ffffffff-1111-11eb-800a-06cecfd73923|ffffffff16bf4c7bb5ad755a4722025c|ffffffff30a3407dae27d0503611022d",
                 "original": "{\"AuthenticationId\":\"703298\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2642284486\",\"ContextProcessId\":\"1161025471861\",\"ContextThreadId\":\"34929528116709\",\"ContextTimeStamp\":\"1604851030.593\",\"DiskParentDeviceInstanceId\":\"USB\\\\VID_1058\\u0026PID_2621\\\\57583431453939315A4C5255\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"262fbc677256cf4c8d6c6a227285a072c06830873b000000\",\"FileObject\":\"18446664963104449168\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"1\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"517029\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume5\\\\01.png.tmp$$\",\"TokenType\":\"1\",\"UserName\":\"user9\",\"aid\":\"ffffffff16bf4c7bb5ad755a4722025c\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"GenericFileWritten\",\"id\":\"ffffffff-1111-11eb-800a-06cecfd73923\",\"name\":\"GenericFileWrittenV11\",\"timestamp\":\"1604851031298\"}"
@@ -11932,6 +11941,9 @@
             },
             "event": {
                 "action": "creation",
+                "category": [
+                    "file"
+                ],
                 "created": "2020-11-08T15:57:11.298Z",
                 "id": "ffffffff-1111-11eb-800a-06cecfd73923|ffffffff16bf4c7bb5ad755a4722025c|ffffffff30a3407dae27d0503611022d",
                 "original": "{\"AuthenticationId\":\"703298\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2642284486\",\"ContextProcessId\":\"1161025471861\",\"ContextThreadId\":\"34929528116709\",\"ContextTimeStamp\":\"1604851030.593\",\"DiskParentDeviceInstanceId\":\"USB\\\\VID_1058\\u0026PID_2621\\\\57583431453939315A4C5255\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"262fbc677256cf4c8d6c6a227285a072c06830873b000000\",\"FileObject\":\"18446664963104449168\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"1\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"517029\",\"TargetFileName\":\"c:\\\\Device\\\\HarddiskVolume5\\\\01.png.tmp$$\",\"TokenType\":\"1\",\"UserName\":\"user9\",\"aid\":\"ffffffff16bf4c7bb5ad755a4722025c\",\"aip\":\"67.43.156.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"GenericFileWritten\",\"id\":\"ffffffff-1111-11eb-800a-06cecfd73923\",\"name\":\"GenericFileWrittenV11\",\"timestamp\":\"1604851031298\"}"

packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-windows.log

@@ -106,3 +106,5 @@
 {"aip":"89.160.20.128","event_platform":"Win","TokenType":"1","EventOrigin":"17","InterfaceGuid":"12ABC-345-56D7-X","RpcClientProcessId":"000000000000","id":"aaaaaaaaaa-c6b5-499a-a494-cccccccccc","EffectiveTransmissionClass":"3","timestamp":"1757935009450","LocalAddressIP4":"89.160.20.128","event_simpleName":"ServiceStarted","ContextTimeStamp":"1757935008.880","UserName":"redacted-computer-name","ConfigStateHash":"00000000","InterfaceVersion":"1111111","RpcClientThreadId":"2222222222222","AuthenticationId":"333","ServiceDisplayName":"<redacted>","ConfigBuild":"1007.3.0019907.15","CommandLine":"C:\\Windows\\system32\\<redacted>.exe","TargetProcessId":"444444444444","ImageFileName":"\\Device\\Volume\\Windows\\System32\\<redacted>.exe","RpcOpNum":"19","Entitlements":"15","name":"ServiceStartedV2","ComputerName":"redacted-user-name","aid":"11111aaaaaaaaaaaaacccccccccddddd","RpcNestingLevel":"0","cid":"22222bbbbbbbbbbbbbdddddddddd1233"}
 {"AuthenticodeHashDataSHA256":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","ContextThreadId":"1111111111111","CertificateIssuer":"Microsoft Windows Production PCA 2011","aip":"89.160.20.128","CertificateSignatureHash":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb","CertificatePublisher":"Microsoft Windows","CompanyName":"Microsoft Corporation","event_platform":"Win","AuthenticodeHashData":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","OriginalFilename":"wdnisdrv.sys","FileVersion":"4.18.25070.5 (1abbbbbbccccccccccddddddd444444444422222)","ImageCheckSum":"123456","EventOrigin":"17","RpcClientProcessId":"000000000000","id":"aaaaaaaa-3328-4c62-b151-bbbbbbbbbbb","EffectiveTransmissionClass":"3","timestamp":"1757905962256","LocalAddressIP4":"89.160.20.128","event_simpleName":"DriverLoad","ContextTimeStamp":"1757905958.885","ConfigStateHash":"111111111","ContextProcessId":"000000000000","DriverLoadFlags":"0","ImageEntryPoint":"94208","MD5HashData":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","RpcClientThreadId":"1908581779603","SHA256HashData":"cccccccccccccccccccccccccccccccccccccccccccccccccccccc","ServiceDisplayName":"WdNisDrv","ConfigBuild":"1007.3.0019907.15","FixedFileVersion":"4.18.25070.5","RegistryPath":"","ImageFileName":"\\Device\\Volume\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25070.5-0\\Drivers\\WdNisDrv.sys","ImageTimeStamp":"2448850720","Entitlements":"15","name":"DriverLoadV6","ComputerName":"redacted-computer-name","CertificateSignatureHashAlgorithm":"32780","aid":"11111aaaaaaaaaaaaacccccccccddddd","cid":"22222bbbbbbbbbbbbbdddddddddd1233","HashAlgorithm":"32780"}
 {"ContextThreadId":"1945182997323","aip":"81.2.69.192","RegObjectName":"\\REGISTRY\\MACHINE\\SYSTEM\\REDACTED\\Services\\REDACTED\\Keyword\\REDACTED\\Keyword\\REDACTED","RegClassificationFlags":"257","RegOperationType":"2","event_platform":"Win","TokenType":"1","EventOrigin":"1","id":"8f2302b7d2a07c5d5568941494e0368e0144","EffectiveTransmissionClass":"3","RegStringValue":"","timestamp":"1757920331466","LocalAddressIP4":"81.2.69.192","event_simpleName":"RegCrowdstrikeValueUpdate","ContextTimeStamp":"1757920329.062","ConfigStateHash":"2080600092","ContextProcessId":"100704500092","RegType":"0","RegClassificationIndex":"405","AuthenticationId":"997","ConfigBuild":"1007.3.0019907.15","RegValueName":"{aaaaaaaaaaaaaa-aaaaaaaaaaaa-aaaaaaaaaa}","RegClassification":"102","Entitlements":"15","name":"RegCrowdstrikeValueUpdateV1","ComputerName":"redacted-computer-name","aid":"be027d4cbada339f804f9c19f5a2d5a6","cid":"4092825518eaf67377a6e4492ae44577"}
+{"FileOperatorSid":"S-1-5-18","ContextBaseFileName":"svchost.exe","FileCategory":"3","Size":"22929","ContextThreadId":"1111111111111","MinorFunction":"0","aip":"89.160.20.128","IsOnNetwork":"0","FileIdentifier":"9c3110248de4f0a68f2fe668e59ed821d7d987845cd51ed1","event_platform":"Win","TokenType":"2","EventOrigin":"1","DiskParentDeviceInstanceId":"61f\\cd4242a2\\a3fcbe35","id":"9c458f0ddfe1293cd356445b2c473d0a0ef4","FileObject":"0","EffectiveTransmissionClass":"3","timestamp":"1757906530446","LocalAddressIP4":"89.160.20.112","event_simpleName":"PngFileWritten","ContextTimeStamp":"1757906529.857","UserName":"dev-win10-3$","ConfigStateHash":"1234437812","ContextProcessId":"111122223333","IrpFlags":"0","AuthenticationId":"999","FileWrittenFlags":"0","ConfigBuild":"1002.2.0019609.21","FileEcpBitmask":"0","MajorFunction":"0","IsOnRemovableDisk":"0","Entitlements":"15","name":"PngFileWrittenV3","ComputerName":"dev-win10-3","OperationFlags":"0","Attacks":[{"Tactic":"Command and Control","Technique":"Data Obfuscation"}],"aid":"bae5bafaeb93295d398bf55b8ba1cf01","cid":"4092825518eaf67377a6e4492ae44577","TargetFileName":"\\Device\\Images\\qwert.png"}
+{"event_simpleName":"MotwWritten","ConfigStateHash":"0222222222","ContextProcessId":"1111111111","aip":"89.160.20.128","FileIdentifier":"9c3110248de4f0a68f2fe668e59ed821d7d987845cd51ed1","ConfigBuild":"1007.3.0019907.15","event_platform":"Win","HostUrl":"","Entitlements":"15","name":"MotwWrittenV2","EventOrigin":"1","ReferrerUrl":"","id":"9c458f-ddfe1293cd-56445b2c4-3d0a0ef4","EffectiveTransmissionClass":"3","aid":"bae5bafaeb93295d398bf55b8ba1cf01","timestamp":"1755541882619","cid":"4092825518eaf67377a6e4492ae44577","TargetFileName":"\\Device\\Local\\Default\\Files\\asdf-ghkl"}