Move File Access Check into different category

[awhite456]

Background

File Access Check [1] is an event currently under the System Activity category that documents an allow/block result for when a remote system attempts to mount a network file share on this server. It appears to be heavily inspired by Windows Event 5140 [2] - "A network share object was accessed."

Problem

There are three issues with the current placement of File Access Check under System Activity.

Issue 1 - actor_process requirement

As this event is under System Activity, the field actor_process is required, as per the base event class [3] for this category. Most sources of this file share access data however do not provide any process information that could be mapped into this field. Windows Event 5140, for example, does not provide any process information - just the source IP and port of the request (which will mapped into the src_endpoint field).

Issue 2 - What would actor_process be in this context?

Even if the data were available, it is also not clear which process should be placed into this actor_process field. Is it the local process performing the authorization, or the remote process attempting to mount the file share? For the former option, this process information may not be useful as it will likely be the same for all requests. For the latter option, while it would be more useful, it may be difficult to accurately provide this information due to the joins across systems required.

Issue 3 - Not system activity

This event does not reflect activity undertaken on a given system. Instead, it is an audit event, documenting from the server whether a file share mount operating was allowed or blocked. Client side attempts to mount remote shares are already captured by the Folder Activity [4] event, which is already in System Activity.

Options

Option 1 - Move to Audit Category

Moving this event to the audit category would remove the requirement on actor_process, which cannot typically be populated. In addition, as this is essentially an audit event with the allow/block result, it will be thematically grouped with the other audit-related events.

Option 2 - Leave in System Activity, reduce requirement on actor_process

Reducing the requirement on actor_process will allow File Access Check to stay in the System Activity category. The side-effect of this however is that other events in this same category will also no longer have this requirement, which may cause issues, such as a process creation event not having information about the calling process.

Option 3 - Do nothing, require actor_process

Continuing to require actor_process will prevent translation of Windows Event 5140, but may still be mappable by other data sources. Documentation will be required to define what actor_process is in this context.

References

• [1] https://schema.ocsf.io/classes/file_access_check
• [2] https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
• [3] https://github.com/ocsf/ocsf-schema/blob/main/events/system/system.json
• [4] https://schema.ocsf.io/classes/folder_activity?extensions=

[mikeradka]

Wanted to check on Option 2 - "The side-effect of this however is that other events in this same category will also no longer have this requirement, which may cause issues, such as a process creation event not having information about the calling process." - I thought we have the capability to downgrade a field requirement for a single class. We should check to see whether that capability exists. If it does, how might that change things?

[JasonKeirstead]

I would vote 1 BUT ALSO I would suggest renaming the class entirely because the name is needlessly confusing. If this class is meant to convey network share access check then that should be the name, it's not checking for file access at all.

[awhite456]

Completely agree, we had also discussed renaming this to "file share access check" or "network share access check"

[awhite456]

File Access Check ended up being put into the Splunk extension