Promote Splunk's Network File Activity event class to core schema #470
Locked. pagbabian-splunk started this conversation in Proposals. 1 comment.
Completed via PR #501
Splunk created this event class in order to have network drive file system events (e.g. Box, OneDrive, Google Drive). The reason it is a separate class in the Network category is to impart the different semantics of a remote file transfer. An alternate way of doing this would have been to create a Network profile (in work) and apply it to the System Activity event class, File System Activity. However, there are a few other activities, such as Upload, Download, etc. This approach would not impart the semantics of the different activity as distinctly as having an event class with the semantics in the name.
The schema in question is found here:
https://github.com/ocsf/splunk/blob/main/events/network/file_activity.json
7 votes