From 6d00e90c162ad1d934b0e12450c91a5b1e4d928e Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Thu, 23 Feb 2023 11:13:45 -0600 Subject: [PATCH] Permit `event.type: access` for `event.category: file` events (#2174) * permit event.type:access for event.category: file * changelog --- CHANGELOG.next.md | 2 ++ docs/fields/field-values.asciidoc | 2 +- experimental/generated/ecs/ecs_flat.yml | 1 + experimental/generated/ecs/ecs_nested.yml | 1 + generated/ecs/ecs_flat.yml | 1 + generated/ecs/ecs_nested.yml | 1 + schemas/event.yml | 1 + 7 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 89c0c61886..7201389a44 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,6 +16,8 @@ Thanks, you're awesome :-) --> #### Added +* Add `access` as an allowed type for `event.type: file`. #2174 + #### Improvements #### Deprecated diff --git a/docs/fields/field-values.asciidoc b/docs/fields/field-values.asciidoc index 3027b87c01..4c1788368e 100644 --- a/docs/fields/field-values.asciidoc +++ b/docs/fields/field-values.asciidoc @@ -240,7 +240,7 @@ Relating to a set of information that has been created on, or has existed on a f *Expected event types for category file:* -change, creation, deletion, info +access, change, creation, deletion, info [float] diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 32fd4675df..1c7b03bb28 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -3022,6 +3022,7 @@ event.category: from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log. expected_event_types: + - access - change - creation - deletion diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0fcfdd791f..444e2d1493 100644 --- a/experimental/generated/ecs/ecs_nested.yml 
+++ b/experimental/generated/ecs/ecs_nested.yml @@ -4014,6 +4014,7 @@ event: can come from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log. expected_event_types: + - access - change - creation - deletion diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 5a4a00a320..41eeb653e9 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -2953,6 +2953,7 @@ event.category: from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log. expected_event_types: + - access - change - creation - deletion diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index e36ffaac26..4d9a65a010 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -3934,6 +3934,7 @@ event: can come from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log. expected_event_types: + - access - change - creation - deletion diff --git a/schemas/event.yml b/schemas/event.yml index 7082a7c2fd..f17c4b45c0 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -239,6 +239,7 @@ from both host-based and network-based sources. An example source of a network-based detection of a file transfer would be the Zeek file.log. expected_event_types: + - access - change - creation - deletion
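Review bot: The new `- access` entry under `expected_event_types` in schemas/event.yml is added without any text in this hunk saying what `access` denotes for a `file` event, and the docs hunk only lists the value; the description paragraph above the list starts outside the hunk, so if it does not already define the term, add a sentence to it such as `Use the access type for events that open or read a file without altering it, as distinct from change.` so that producers map read-only operations consistently and detection content that filters on `event.type: access` sees the same meaning from host-based and network-based sources alike. Inserting `access` ahead of `change` keeps the list alphabetically ordered, consistent with the existing entries. The four generated ecs_flat.yml and ecs_nested.yml hunks mirror this list and need no separate change. Separately, the CHANGELOG.next.md entry in this commit reads `event.type: file` where, per the commit subject, `event.category: file` is meant.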