
Hi, I want to understand the detection coverage for the event_type GENERIC_EVENT. Do we have coverage for it? From my knowledge, in any Chronicle parser, we map events to 'GENERIC_EVENT' when the event_type does not match any other specific type. So, my question is are 'GENERIC_EVENTS' redundant for detection coverage? Our data sources show more 'GENERIC_EVENT' occurrences than other event_types, and we have verified the raw logs and the parser for coverage. However, when the context of the raw logs doesn't meet the conditions for other event_types, it's being categorized under GENERIC_EVENTS. At this point, we can't select anything other than 'GENERIC_EVENT' as the event_type due to missing dependent UDM fields. What is your concern or explanation regarding 'GENERIC_EVENTS' in this context?

Thanks,

SP

Hi, 


I believe to understand this better we need more information. However, in these cases, I would not use that "generic_event" as a match for my rules. I would look for something else within the logs.


What is the log source? Can we map these events to a different event type in the parser?


It would be great to provide some additional specifics as @dnehoda mentions but it's safe to say that the detection coverage for generic events based on curated detections is going to be fairly narrow to be kind about it and everything would be dependent upon you to write detections that align with those events.


While I can understand that using our default parsers may result in a field or two missing that you might want to use (that always seems to be the case no matter how many times one goes through a parser, there is always one more field...) or perhaps a small subset of events are being tagged as generic events, the vast majority of events would likely map to network connection, process launch or the like so at that point, it makes me wonder if there is either a specific log source that is problematic with its associated parser and a support case should be opened for it, or some other issue that is causing the event not to be associated properly with one of the more common event types.


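The thread turns on two practical questions: which dependent UDM fields an event is missing when the parser falls back to GENERIC_EVENT, and whether one log source is producing a disproportionate share of those fallbacks (the "is a specific log source problematic" check from the last reply). The script below is an added example, not code from Chronicle, from Google, or from any poster in this thread. Its REQUIRED_FIELDS table is a deliberately simplified assumption about UDM's per-event-type requirements (the real validator has many more types and rules), and the SAMPLE_EVENTS list is constructed test data standing in for parsed events.

```python
"""Triage helper for parsed events that would fall back to GENERIC_EVENT.

Added example. The REQUIRED_FIELDS table is an ASSUMED, simplified subset of
the UDM rules that tie an event_type to its dependent fields; consult the UDM
field list for the authoritative requirements of each type.
"""
from collections import defaultdict

# (event_type, required dotted UDM paths), checked in order of preference.
# ASSUMPTION: illustrative subset only, not the full UDM validator.
REQUIRED_FIELDS = [
    ("USER_LOGIN", ["target.user.userid", "extensions.auth.type"]),
    ("PROCESS_LAUNCH", ["principal.hostname", "target.process.command_line"]),
    ("NETWORK_CONNECTION", ["principal.ip", "target.ip"]),
]


def has_path(event, path):
    """True if the dotted path exists in the nested dict and is non-empty."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return node not in (None, "", [], {})


def missing_for(event, event_type):
    """Dependent UDM paths this parsed event still lacks for event_type.

    This is the list a parser author needs: each entry is a field the parser
    must populate before the event can stop being a GENERIC_EVENT.
    """
    for name, fields in REQUIRED_FIELDS:
        if name == event_type:
            return [f for f in fields if not has_path(event, f)]
    raise ValueError(f"unknown event type: {event_type}")


def choose_event_type(event):
    """Most specific event type whose dependent fields are all populated,
    otherwise GENERIC_EVENT, the catch-all discussed in the thread."""
    for name, fields in REQUIRED_FIELDS:
        if all(has_path(event, f) for f in fields):
            return name
    return "GENERIC_EVENT"


def generic_share_by_source(events):
    """Per log_type: (generic_count, total_count, share_of_generic)."""
    generic = defaultdict(int)
    total = defaultdict(int)
    for ev in events:
        src = ev.get("log_type", "UNKNOWN")
        total[src] += 1
        if choose_event_type(ev) == "GENERIC_EVENT":
            generic[src] += 1
    return {s: (generic[s], total[s], generic[s] / total[s]) for s in total}


def flag_sources(events, threshold=0.5):
    """Log sources whose GENERIC_EVENT share exceeds the threshold: the
    parser/log-source pairs worth reviewing or raising a support case for."""
    shares = generic_share_by_source(events)
    return sorted(s for s, (_, _, share) in shares.items() if share > threshold)


# Constructed sample of parsed events (not real telemetry).
SAMPLE_EVENTS = [
    {"log_type": "WINEVTLOG", "principal": {"hostname": "ws01"},
     "target": {"process": {"command_line": "cmd.exe /c whoami"}}},
    {"log_type": "WINEVTLOG", "target": {"user": {"userid": "alice"}},
     "extensions": {"auth": {"type": "MACHINE"}}},
    # No principal.ip: cannot be NETWORK_CONNECTION, falls back to GENERIC_EVENT.
    {"log_type": "CUSTOM_APP", "principal": {"hostname": "app01"},
     "target": {"ip": "10.0.0.5"}},
    # Has a user but no extensions.auth.type: cannot be USER_LOGIN.
    {"log_type": "CUSTOM_APP", "target": {"user": {"userid": "bob"}}},
    {"log_type": "CUSTOM_APP", "principal": {"ip": "10.0.0.1"},
     "target": {"ip": "10.0.0.2"}},
]


if __name__ == "__main__":
    for src, (g, t, share) in sorted(generic_share_by_source(SAMPLE_EVENTS).items()):
        print(f"{src}: {g}/{t} generic ({share:.0%})")
    print("review:", flag_sources(SAMPLE_EVENTS))
    print("event[2] needs for NETWORK_CONNECTION:",
          missing_for(SAMPLE_EVENTS[2], "NETWORK_CONNECTION"))
```

Run against a sample exported from your own parser output, the per-source share tells you whether GENERIC_EVENT is a rare edge case or the dominant outcome for one log type, and missing_for() names the exact dependent field the parser has to fill (or the mutate/replace step it needs) before a more specific event type can be selected.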