Issue #1296: Add File Access Check event class #1297

Draft · wants to merge 5 commits into base: main

Conversation

rmouritzen-splunk (Contributor) commented Dec 23, 2024

Related Issue:

#1296

Description of changes:

Add a File Access Check class to the System category.

The Splunk private schema has this class, and so far there is no equivalent in the core schema. This event class is useful for the 5140 and 5145 Windows Event types.

NOTE

This PR includes a line in CHANGELIST.md for PR #1291, which was merged before the CHANGELOG.md was updated.

rmouritzen-splunk (Contributor, Author) commented Dec 23, 2024

@query-jeremy : The ocsf-validator's "Metaschema Validator" is incorrectly failing here.

Edit: This was actually a real problem. The actor attribute is in the primary group in the shared base system activity class, and so changing its recommended attribute to optional is incorrect.

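The validator finding described in the comment above (a derived class must not weaken the requirement of an attribute its base class places in the primary group) can be expressed as a small check. This is an added illustration, not ocsf-validator code; the class dicts are constructed stand-ins for the OCSF JSON, and the "never weaken a primary-group requirement" rule and the optional < recommended < required ordering are assumptions drawn from the comment.

```python
# Constructed example: detect a derived OCSF class that downgrades the
# requirement of an attribute the base class puts in the "primary" group.
# The rule and the requirement ordering are assumptions, not validator code.

# Assumed ordering of requirement levels, weakest first.
REQUIREMENT_RANK = {"optional": 0, "recommended": 1, "required": 2}

# Constructed stand-in for the shared base system activity class.
BASE_SYSTEM_ACTIVITY = {
    "name": "system_activity",
    "attributes": {
        "actor": {"group": "primary", "requirement": "recommended"},
        "device": {"group": "primary", "requirement": "recommended"},
    },
}

# Constructed derived class that wrongly relaxes actor to optional.
FILE_ACCESS_CHECK_BAD = {
    "name": "file_access_check",
    "extends": "system_activity",
    "attributes": {
        "actor": {"requirement": "optional"},
        "file": {"group": "primary", "requirement": "required"},
    },
}

# Same class keeping the inherited requirement level for actor.
FILE_ACCESS_CHECK_OK = {
    "name": "file_access_check",
    "extends": "system_activity",
    "attributes": {
        "actor": {"requirement": "recommended"},
        "file": {"group": "primary", "requirement": "required"},
    },
}


def primary_group_violations(base, derived):
    """Return 'name: base -> new' for each primary-group attribute of the
    base class whose requirement the derived class sets to a weaker level."""
    violations = []
    base_attrs = base["attributes"]
    for name, override in derived["attributes"].items():
        base_attr = base_attrs.get(name)
        if base_attr is None or base_attr.get("group") != "primary":
            continue  # new attribute, or not in the base's primary group
        base_req = base_attr.get("requirement", "optional")
        new_req = override.get("requirement", base_req)
        if REQUIREMENT_RANK[new_req] < REQUIREMENT_RANK[base_req]:
            violations.append(f"{name}: {base_req} -> {new_req}")
    return violations
```

Running it on the two constructed classes flags only the first one, reproducing the reason the metaschema check failed.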
@rmouritzen-splunk rmouritzen-splunk self-assigned this Jan 6, 2025
@rmouritzen-splunk rmouritzen-splunk added labels Jan 6, 2025: enhancement (New feature or request), system_activity (Issues related to System Activity Category), non_breaking (Non Breaking, backwards compatible changes), v1.4.0 or later (Changes marked for versions beyond v1.3.0 of OCSF)
floydtree (Contributor) commented:

This will be discussed in the Jan 8th System Activity call; converting to draft for now.

@floydtree floydtree marked this pull request as draft January 7, 2025 18:06