Porting the Scan event from the ICD schema. #915
Conversation
…s command- or user-initiated scan activity.
A few comments: I think this should be part of the Second: can we be more clear on the distinction between the
There's somewhat inconsistent naming for items scanned. Sometimes it's of the form The oddballs are
@pagbabian-splunk Another use case for reporting these events is application scans that occur on a schedule (e.g., malware scans). They're not necessarily tied to a command that's issued by a remote entity. But if the application category is a concern,
@rmouritzen-splunk The names may have been kept generic to allow some leeway in what they are used for. E.g., the description for num_network is the number of items - which could mean files on a network drive or perhaps nodes as you referred to. I'll check our usage as well.
This event class describes command- or user-initiated scan activity.