Promote Splunk's Network File Activity event class to core schema #470
Locked
pagbabian-splunk
started this conversation in Proposals
Replies: 1 comment
-
Completed via PR #501
-
Splunk created this event class in order to have network drive file system events (e.g. Box, OneDrive, Google Drive). The reason it is a separate class in the Network category is to impart the different semantics of a remote file transfer. An alternate way of doing this would have been to create a Network profile (in work) and apply it to the System Activity event class, File System Activity. However, there are a few other activities, such as Upload, Download, etc. This approach would not impart the semantics of the different activities as distinctly as having an event class with the semantics in the name.
The schema in question is found here:
https://github.com/ocsf/splunk/blob/main/events/network/file_activity.json
7 votes