From 48df13ed161fcaa8c087e08845ad2a44ec276a8b Mon Sep 17 00:00:00 2001
From: Jonathan Buttner <56361221+jonathan-buttner@users.noreply.github.com>
Date: Tue, 17 Mar 2020 20:12:28 -0400
Subject: [PATCH] Changing default type to start and allowing it to be configured by the event category (#60323) (#60448)

---
 .../endpoint/common/generate_data.test.ts | 6 +++--
 .../plugins/endpoint/common/generate_data.ts | 24 ++++++++++++++++---
 x-pack/plugins/endpoint/common/types.ts | 1 +
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/x-pack/plugins/endpoint/common/generate_data.test.ts b/x-pack/plugins/endpoint/common/generate_data.test.ts
index e14f506c825f2c..a687d7af1c5905 100644
--- a/x-pack/plugins/endpoint/common/generate_data.test.ts
+++ b/x-pack/plugins/endpoint/common/generate_data.test.ts
@@ -62,10 +62,11 @@ describe('data generator', () => {
 expect(processEvent['@timestamp']).toEqual(timestamp);
 expect(processEvent.event.category).toEqual('process');
 expect(processEvent.event.kind).toEqual('event');
- expect(processEvent.event.type).toEqual('creation');
+ expect(processEvent.event.type).toEqual('start');
 expect(processEvent.agent).not.toBeNull();
 expect(processEvent.host).not.toBeNull();
 expect(processEvent.process.entity_id).not.toBeNull();
+ expect(processEvent.process.name).not.toBeNull();
 });
 
 it('creates other event documents', () => {
@@ -74,10 +75,11 @@ describe('data generator', () => {
 expect(processEvent['@timestamp']).toEqual(timestamp);
 expect(processEvent.event.category).toEqual('dns');
 expect(processEvent.event.kind).toEqual('event');
- expect(processEvent.event.type).toEqual('creation');
+ expect(processEvent.event.type).toEqual('start');
 expect(processEvent.agent).not.toBeNull();
 expect(processEvent.host).not.toBeNull();
 expect(processEvent.process.entity_id).not.toBeNull();
+ expect(processEvent.process.name).not.toBeNull();
 });
 
 describe('creates alert ancestor tree', () => {
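Review bot: The added assertion `expect(processEvent.process.name).not.toBeNull()` does not verify that the generator actually populates the new field, because Jest's `not.toBeNull()` also passes for `undefined`, so a regression that drops `name` from the generated document would go unnoticed. Pin the value the generator is known to emit instead, `expect(processEvent.process.name).toEqual('powershell.exe');`, or at minimum use `toBeDefined()`. The same weak assertion is added in the second hunk at @@ -74,10 +75,11 and should be tightened the same way. Both `it` blocks start before their hunks, so the `processEvent` construction is not visible here.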
diff --git a/x-pack/plugins/endpoint/common/generate_data.ts b/x-pack/plugins/endpoint/common/generate_data.ts
index b539e309d76f72..36896e5af6810d 100644
--- a/x-pack/plugins/endpoint/common/generate_data.ts
+++ b/x-pack/plugins/endpoint/common/generate_data.ts
@@ -16,6 +16,7 @@ interface EventOptions {
 parentEntityID?: string;
 eventType?: string;
 eventCategory?: string;
+ processName?: string;
 }
 
 const Windows: OSFields[] = [
@@ -64,8 +65,22 @@ const POLICIES: Array<{ name: string; id: string }> = [
 
 const FILE_OPERATIONS: string[] = ['creation', 'open', 'rename', 'execution', 'deletion'];
 
+interface EventInfo {
+ category: string;
+ /**
+ * This denotes the `event.type` field for when an event is created, this can be `start` or `creation`
+ */
+ creationType: string;
+}
 // These are from the v1 schemas and aren't all valid ECS event categories, still in flux
-const OTHER_EVENT_CATEGORIES: string[] = ['driver', 'file', 'library', 'network', 'registry'];
+const OTHER_EVENT_CATEGORIES: EventInfo[] = [
+ { category: 'driver', creationType: 'start' },
+ { category: 'file', creationType: 'creation' },
+ { category: 'library', creationType: 'start' },
+ { category: 'network', creationType: 'start' },
+ { category: 'registry', creationType: 'creation' },
+];
 
 interface HostInfo {
 agent: {
@@ -240,13 +255,14 @@ export class EndpointDocGenerator {
 event: {
 category: options.eventCategory ? options.eventCategory : 'process',
 kind: 'event',
- type: options.eventType ? options.eventType : 'creation',
+ type: options.eventType ? options.eventType : 'start',
 id: this.seededUUIDv4(),
 },
 host: this.commonInfo.host,
 process: {
 entity_id: options.entityID ? options.entityID : this.randomString(10),
 parent: options.parentEntityID ? { entity_id: options.parentEntityID } : undefined,
+ name: options.processName ? options.processName : 'powershell.exe',
 },
 };
 }
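Review bot: In the hunk at @@ -64,8 +65,22 the new `EventInfo.creationType` is declared as `string` even though its own doc comment restricts it to `start` or `creation`, so a typo in the `OTHER_EVENT_CATEGORIES` table would compile silently. Declaring it as a literal union, `creationType: 'start' | 'creation';`, lets the compiler check the table entries and documents the contract in the type rather than only in a comment. The same narrowing could be applied to `category` once the set of v1 categories the comment calls "in flux" settles.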
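Review bot: In the hunk at @@ -240,13 +255,14 the new default `type: options.eventType ? options.eventType : 'start'` is applied regardless of `options.eventCategory`, so a caller that passes only `eventCategory: 'file'` or `'registry'` would get `start` where the `OTHER_EVENT_CATEGORIES` table in the same file says `creation`; the commit keeps the two consistent only on the call site it changes. Deriving the fallback from that table keeps the generator self-consistent, e.g. `const category = options.eventCategory ? options.eventCategory : 'process';` and `const defaultType = OTHER_EVENT_CATEGORIES.find((e) => e.category === category)?.creationType ?? 'start';`, then `type: options.eventType ? options.eventType : defaultType,`. Whether any caller outside this diff omits `eventType` for a non-process category is not visible here, and `generateEvent` begins outside the hunk.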
@@ -352,12 +368,14 @@ export class EndpointDocGenerator {
 const ts = node['@timestamp'] + 1000;
 const relatedEvents: EndpointEvent[] = [];
 for (let i = 0; i < numRelatedEvents; i++) {
+ const eventInfo = this.randomChoice(OTHER_EVENT_CATEGORIES);
 relatedEvents.push(
 this.generateEvent({
 timestamp: ts,
 entityID: node.process.entity_id,
 parentEntityID: node.process.parent?.entity_id,
- eventCategory: this.randomChoice(OTHER_EVENT_CATEGORIES),
+ eventCategory: eventInfo.category,
+ eventType: eventInfo.creationType,
 })
 );
 }
diff --git a/x-pack/plugins/endpoint/common/types.ts b/x-pack/plugins/endpoint/common/types.ts
index 4664c8f4bb7b3d..5c14ba4d9ecf6d 100644
--- a/x-pack/plugins/endpoint/common/types.ts
+++ b/x-pack/plugins/endpoint/common/types.ts
@@ -326,6 +326,7 @@ export interface EndpointEvent {
 };
 process: {
 entity_id: string;
+ name: string;
 parent?: {
 entity_id: string;
 };