From 06620509ae233327d1fcb68ccc4cbe12f0abb0a3 Mon Sep 17 00:00:00 2001
From: Rick Mouritzen
Date: Mon, 23 Dec 2024 11:44:07 -0800
Subject: [PATCH] Issue #1296: Add File Access Check event class
---
events/system/file_access_check.json | 68 ++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 events/system/file_access_check.json
diff --git a/events/system/file_access_check.json b/events/system/file_access_check.json
new file mode 100644
index 000000000..91a5804d8
--- /dev/null
+++ b/events/system/file_access_check.json
@@ -0,0 +1,68 @@
+{
+ "caption": "File Access Check",
+ "description": "File Access Check events report when a local or network file was checked to see whether client can be granted desired access on a file.",
+ "extends": "system",
+ "name": "file_access_check",
+ "uid": 10,
+ "associations": {
+ "device": [
+ "actor.user"
+ ],
+ "actor.user": [
+ "device"
+ ]
+ },
+ "attributes": {
+ "access_list": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "access_mask": {
+ "description": "The sum of hexadecimal values of requested access rights.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "access_result": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "activity_id": {
+ "description": "The activity ID of the event.",
+ "enum": {
+ "1": {
+ "caption": "Allow"
+ },
+ "2": {
+ "caption": "Block"
+ }
+ }
+ },
+ "actor": {
+ "description": "The actor that performed the activity on the file object",
+ "requirement": "optional"
+ },
+ "file": {
+ "description": "The file that is the target of the activity.",
+ "group": "primary",
+ "requirement": "required"
+ },
+ "share": {
+ "description": "The share name.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "share_type": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "share_type_id": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "src_endpoint": {
+ "description": "The Endpoint from which the file access was requested.",
+ "group": "primary",
+ "requirement": "required"
+ }
+ }
+}
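Review bot: `actor` is declared with `"requirement": "optional"` and no `"group"`, so a producer can emit an access-check record with no principal attached, even though `associations` ties `actor.user` to `device` and `file` and `src_endpoint` are both `required`. An access decision that cannot be attributed to a user or process loses most of its value for detection and investigation; consider `"group": "primary", "requirement": "recommended"` on `actor`, or `required` if the parent `system` class (not visible in this patch) does not already impose it. Separately, the `activity_id` enum entries `Allow` and `Block` carry only a caption, and the hunk does not show how they relate to `access_result`. A one-line description on each, for example `"description": "The requested access to the file was granted."`, would make clear whether the activity or the result field is the authoritative outcome.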