Status: Closed
Labels: 8.7.0, bug (Something isn't working), categorization, endpoint (Relevant to elastic endpoint security), enhancement (New feature or request)
Description
Summary
Endpoint currently uses the term "library" as an event.category, but that value does not actually exist in the ECS allow list. There is really no other category that these types of events fit into, and it was determined that removing this classification would break existing rules, etc.
See https://github.com/elastic/endpoint-dev/issues/11513 for a discussion on the matter.
Motivation:
Already used in Endpoint and not feasible to remove, so we need to add it to ECS as an allowed category.
Detailed Design:

```yaml
- name: library
  description: >
    Events in this category refer to the loading of a library, such as (dll / so / dynlib), into a process.
    Use this category to visualize and analyze library loading related activity on
    hosts. Keep in mind that driver related activity will be captured under the "driver" category above.
  expected_event_types:
    - start
```
See the endpoint-dev issue above for samples of events already generated and used in rules, etc.
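To show concretely what the missing allow-list entry means for categorization checks, here is an added example (not code from ECS or Endpoint) that validates the event.category / event.type pair of an event against an allow list before and after the "library" category from the design above is added. The allow lists are a constructed subset of ECS categorization values, and the sample event is constructed to resemble an Endpoint library-load event.

```python
"""Validate ECS event.category / event.type pairs on endpoint events.

Added example, not code from the ECS project. The allow lists are a
constructed subset of ECS categorization fields.
"""
from typing import Dict, List, Set

# Constructed subset of ECS categories and the event.type values each expects.
ECS_BEFORE: Dict[str, Set[str]] = {
    "process": {"start", "end", "info", "change"},
    "file": {"access", "change", "creation", "deletion", "info"},
    "driver": {"start", "end", "info", "change"},
}

# The same allow list with the "library" category from this issue's design added.
ECS_AFTER: Dict[str, Set[str]] = dict(ECS_BEFORE, library={"start"})

# Constructed sample, modelled on an Endpoint library-load event (not a real capture).
LIBRARY_LOAD = {
    "event": {"category": ["library"], "type": ["start"], "action": "load"},
    "dll": {"name": "example.dll", "path": "C:\\Windows\\System32\\example.dll"},
    "process": {"pid": 4321, "name": "example.exe"},
}


def validate_event(event: dict, allowed: Dict[str, Set[str]]) -> List[str]:
    """Return a list of categorization problems for one event (empty if valid)."""
    ev = event.get("event", {})
    categories = ev.get("category", [])
    types = ev.get("type", [])
    # ECS allows these fields as a scalar or an array; normalise to lists.
    if isinstance(categories, str):
        categories = [categories]
    if isinstance(types, str):
        types = [types]
    problems: List[str] = []
    if not categories:
        problems.append("event.category is missing")
    known = [c for c in categories if c in allowed]
    for cat in categories:
        if cat not in allowed:
            problems.append(f"event.category {cat!r} is not an allowed value")
    # A type is acceptable if at least one of the event's allowed categories expects it.
    expected = set().union(*(allowed[c] for c in known)) if known else set()
    for t in types:
        if known and t not in expected:
            problems.append(f"event.type {t!r} is not expected for categories {known}")
    return problems


if __name__ == "__main__":
    print("before:", validate_event(LIBRARY_LOAD, ECS_BEFORE))
    print("after: ", validate_event(LIBRARY_LOAD, ECS_AFTER))
```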