Changing default type to start and allowing it to be configured by the event category (#60323) (#60448)

x-pack/plugins/endpoint/common/generate_data.test.ts

@@ -62,10 +62,11 @@ describe('data generator', () => {
     expect(processEvent['@timestamp']).toEqual(timestamp);
     expect(processEvent.event.category).toEqual('process');
     expect(processEvent.event.kind).toEqual('event');
-    expect(processEvent.event.type).toEqual('creation');
+    expect(processEvent.event.type).toEqual('start');
     expect(processEvent.agent).not.toBeNull();
     expect(processEvent.host).not.toBeNull();
     expect(processEvent.process.entity_id).not.toBeNull();
+    expect(processEvent.process.name).not.toBeNull();
   });
 
   it('creates other event documents', () => {
@@ -74,10 +75,11 @@ describe('data generator', () => {
     expect(processEvent['@timestamp']).toEqual(timestamp);
     expect(processEvent.event.category).toEqual('dns');
     expect(processEvent.event.kind).toEqual('event');
-    expect(processEvent.event.type).toEqual('creation');
+    expect(processEvent.event.type).toEqual('start');
     expect(processEvent.agent).not.toBeNull();
     expect(processEvent.host).not.toBeNull();
     expect(processEvent.process.entity_id).not.toBeNull();
+    expect(processEvent.process.name).not.toBeNull();
   });
 
   describe('creates alert ancestor tree', () => {

x-pack/plugins/endpoint/common/generate_data.ts

@@ -16,6 +16,7 @@ interface EventOptions {
   parentEntityID?: string;
   eventType?: string;
   eventCategory?: string;
+  processName?: string;
 }
 
 const Windows: OSFields[] = [
@@ -64,8 +65,22 @@ const POLICIES: Array<{ name: string; id: string }> = [
 
 const FILE_OPERATIONS: string[] = ['creation', 'open', 'rename', 'execution', 'deletion'];
 
+interface EventInfo {
+  category: string;
+  /**
+   * This denotes the `event.type` field for when an event is created, this can be `start` or `creation`
+   */
+  creationType: string;
+}
+
 // These are from the v1 schemas and aren't all valid ECS event categories, still in flux
-const OTHER_EVENT_CATEGORIES: string[] = ['driver', 'file', 'library', 'network', 'registry'];
+const OTHER_EVENT_CATEGORIES: EventInfo[] = [
+  { category: 'driver', creationType: 'start' },
+  { category: 'file', creationType: 'creation' },
+  { category: 'library', creationType: 'start' },
+  { category: 'network', creationType: 'start' },
+  { category: 'registry', creationType: 'creation' },
+];
 
 interface HostInfo {
   agent: {
@@ -240,13 +255,14 @@ export class EndpointDocGenerator {
       event: {
         category: options.eventCategory ? options.eventCategory : 'process',
         kind: 'event',
-        type: options.eventType ? options.eventType : 'creation',
+        type: options.eventType ? options.eventType : 'start',
         id: this.seededUUIDv4(),
       },
       host: this.commonInfo.host,
       process: {
         entity_id: options.entityID ? options.entityID : this.randomString(10),
         parent: options.parentEntityID ? { entity_id: options.parentEntityID } : undefined,
+        name: options.processName ? options.processName : 'powershell.exe',
       },
     };
   }
@@ -352,12 +368,14 @@ export class EndpointDocGenerator {
     const ts = node['@timestamp'] + 1000;
     const relatedEvents: EndpointEvent[] = [];
     for (let i = 0; i < numRelatedEvents; i++) {
+      const eventInfo = this.randomChoice(OTHER_EVENT_CATEGORIES);
       relatedEvents.push(
         this.generateEvent({
           timestamp: ts,
           entityID: node.process.entity_id,
           parentEntityID: node.process.parent?.entity_id,
-          eventCategory: this.randomChoice(OTHER_EVENT_CATEGORIES),
+          eventCategory: eventInfo.category,
+          eventType: eventInfo.creationType,
         })
       );
     }

x-pack/plugins/endpoint/common/types.ts

@@ -326,6 +326,7 @@ export interface EndpointEvent {
   };
   process: {
     entity_id: string;
+    name: string;
     parent?: {
       entity_id: string;
     };