From 563c0b8afa974002bc1de58e828cbc1fcd2b66fa Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Tue, 27 Oct 2020 13:07:03 -0400 Subject: [PATCH] Add event.category session. (#1049) --- CHANGELOG.next.md | 2 ++ docs/field-details.asciidoc | 2 +- docs/field-values.asciidoc | 13 +++++++++++++ experimental/generated/ecs/ecs_flat.yml | 10 ++++++++++ experimental/generated/ecs/ecs_nested.yml | 10 ++++++++++ generated/ecs/ecs_flat.yml | 10 ++++++++++ generated/ecs/ecs_nested.yml | 10 ++++++++++ schemas/event.yml | 9 +++++++++ 8 files changed, 65 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 78dad60ec5..099d9a5037 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -10,6 +10,8 @@ Thanks, you're awesome :-) --> ### Schema Changes +* Added `event.category` "session". #1049 + #### Breaking changes #### Bugfixes diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index f961b6fa89..a89a0bf6e1 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -1597,7 +1597,7 @@ Note: this field should contain an array of values. *Important*: The field value must be one of the following: -authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, web +authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, session, web To learn more about when to use which value, visit the page <> diff --git a/docs/field-values.asciidoc b/docs/field-values.asciidoc index 1ef4b8e072..653b031cc2 100644 --- a/docs/field-values.asciidoc +++ b/docs/field-values.asciidoc @@ -144,6 +144,7 @@ that will require subsequent breaking changes. * <> * <> * <> +* <> * <> [float] 
@@ -298,6 +299,18 @@ Use this category of events to visualize and analyze process-specific informatio
 access, change, end, info, start
 
 
+[float]
+[[ecs-event-category-session]]
+==== session
+
+The session category is applied to events and metrics regarding logical persistent connections to hosts and services. Use this category to visualize and analyze interactive or automated persistent connections between assets. Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.
+
+
+*Expected event types for category session:*
+
+start, end, info
+
+
 [float]
 [[ecs-event-category-web]]
 ==== web
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 13a7c32325..28898f42e2 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -1774,6 +1774,16 @@ event.category:
 - info
 - start
 name: process
+ - description: The session category is applied to events and metrics regarding logical
+ persistent connections to hosts and services. Use this category to visualize
+ and analyze interactive or automated persistent connections between assets.
+ Data for this category may come from Windows Event logs, SSH logs, or stateless
+ sessions such as HTTP cookie-based sessions, etc.
+ expected_event_types:
+ - start
+ - end
+ - info
+ name: session
 - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index bfb2df366d..f17cc20d19 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -2168,6 +2168,16 @@ event:
 - info
 - start
 name: process
+ - description: The session category is applied to events and metrics regarding
+ logical persistent connections to hosts and services. Use this category
+ to visualize and analyze interactive or automated persistent connections
+ between assets. Data for this category may come from Windows Event logs,
+ SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.
+ expected_event_types:
+ - start
+ - end
+ - info
+ name: session
 - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 81a1ee4950..d085df9e87 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -1814,6 +1814,16 @@ event.category:
 - info
 - start
 name: process
+ - description: The session category is applied to events and metrics regarding logical
+ persistent connections to hosts and services. Use this category to visualize
+ and analyze interactive or automated persistent connections between assets.
+ Data for this category may come from Windows Event logs, SSH logs, or stateless
+ sessions such as HTTP cookie-based sessions, etc.
+ expected_event_types:
+ - start
+ - end
+ - info
+ name: session
 - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also be included in
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 1ca8779d5e..3bb3ce663b 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -2209,6 +2209,16 @@ event:
 - info
 - start
 name: process
+ - description: The session category is applied to events and metrics regarding
+ logical persistent connections to hosts and services. Use this category
+ to visualize and analyze interactive or automated persistent connections
+ between assets. Data for this category may come from Windows Event logs,
+ SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.
+ expected_event_types:
+ - start
+ - end
+ - info
+ name: session
 - description: 'Relating to web server access. Use this category to create a dashboard of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: events from network observers such as Zeek http log may also
diff --git a/schemas/event.yml b/schemas/event.yml
index 6778790784..b4add99818 100644
--- a/schemas/event.yml
+++ b/schemas/event.yml
@@ -277,6 +277,15 @@
 - end
 - info
 - start
+ - name: session
+ description: >
+ The session category is applied to events and metrics regarding logical persistent connections to hosts and services.
+ Use this category to visualize and analyze interactive or automated persistent connections between assets.
+ Data for this category may come from Windows Event logs, SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc.
+ expected_event_types:
+ - start
+ - end
+ - info
 - name: web
 description: >
 Relating to web server access. Use this category to create a dashboard of
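Review bot: The new `expected_event_types` list in schemas/event.yml is ordered `start, end, info`, whereas the sibling categories in this file keep their lists alphabetical (the context lines just above read `- end`, `- info`, `- start` for `process`); since the generated ecs_flat.yml/ecs_nested.yml files and docs/field-values.asciidoc in this same patch inherit that order, I would change it to `- end`, `- info`, `- start` and regenerate. Separately, the description does not say how `session` relates to the existing `authentication` category: the sources it names (Windows Event logs, SSH logs) also emit logon events, so a producer cannot tell from this text whether a successful login that opens a session is `session`+`start`, `authentication`, or both, and detection content keyed on `event.category` will diverge accordingly. If the intent is that both categories may apply, a sentence in the description along the lines of "events that both authenticate a principal and open a session may carry both categories" would settle it; I am inferring the intent, so please confirm before wording it.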