
Porting the Scan event from the ICD schema. #915

Merged
merged 10 commits into from
Jan 19, 2024

Conversation

@maxhotta (Contributor) commented Jan 4, 2024

This event class describes command or user initiated scan activity.

@maxhotta added labels on Jan 4, 2024: enhancement (New feature or request), non_breaking (Non Breaking, backwards compatible changes), application_activity (Issues related to Application Activity Category), v1.1.0 (Changes marked for v1.1.0 of OCSF)
@pagbabian-splunk (Contributor) commented:

A few comments: I think this should be part of the Discovery category rather than Application category, it fits the pattern of a proactive process to retrieve (discover) information from the network hosts.

Second: can we be more clear on the distinction between the uid and command_uid (introduced by this class)? I assume them to be different, where when a command launches it, it has an ID, and the scan process itself assigns a separate ID?

@rmouritzen-splunk (Contributor) commented:

There's somewhat an inconsistent naming for items scanned. Sometimes it's of the form num_widgets, meaning "number of widgets scanned", and sometimes it's of the form num_kind meaning "number of kind items scanned". Perhaps being more explicit would help?

The oddballs are num_network and num_registry. Perhaps these could be num_network_nodes and num_registry_entries. Or more tersely (though arguably still intelligible) num_net_nodes and num_reg_entries.

@maxhotta (Contributor, Author) commented Jan 9, 2024

@pagbabian-splunk Another use case for reporting of these events is application scans that occur on a schedule (e.g., malware scans). They're not necessarily tied to a command that's issued by a remote entity. But if the application category is a concern, we can discuss and move if deemed to be clearer. Agreed on the meaning of the IDs - I'll update the descriptions to be more clear.

@maxhotta (Contributor, Author) commented Jan 9, 2024

@rmouritzen-splunk The names may have been kept generic to allow some leeway in what they are used for. E.g., the description for num_network is the number of items - which could mean files on a network drive or perhaps nodes as you referred to. I'll check our usage as well.
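As an added illustration of the uid / command_uid distinction and the scheduled-scan case discussed above (this is not code from this PR or from the OCSF project; the `scan` object, the `num_files` field and all sample values are assumed or constructed), a small consistency check a consumer of these events could run:

```python
import json

# Constructed sample events in the shape discussed in this thread. Only uid,
# command_uid, num_network and num_registry come from the discussion; the
# scan object, num_files and the values are assumptions for illustration.
COMMAND_SCAN = json.dumps({
    "class_name": "Scan Activity",
    "command_uid": "cmd-42",  # ID assigned when a command launched the scan
    "scan": {"uid": "scan-7a1", "name": "On-demand full scan"},
    "num_files": 1200,
    "num_network": 3,
    "num_registry": 55,
})
SCHEDULED_SCAN = json.dumps({
    "class_name": "Scan Activity",
    "scan": {"uid": "scan-9c0", "name": "Nightly malware scan"},  # no command_uid
    "num_files": 98000,
})


def validate_scan_event(raw):
    """Return a list of problems with a scan event (empty if consistent).

    Rules taken from the thread: the scan process always assigns its own uid;
    command_uid is present only when a command launched the scan (a scheduled
    scan has none) and must differ from the scan uid; every num_* count is a
    non-negative integer.
    """
    event = json.loads(raw)
    problems = []
    scan_uid = event.get("scan", {}).get("uid")
    if not scan_uid:
        problems.append("scan.uid missing")
    command_uid = event.get("command_uid")
    if command_uid is not None and command_uid == scan_uid:
        problems.append("command_uid must differ from scan.uid")
    for key, value in event.items():
        # bool is a subclass of int, so exclude it explicitly
        if key.startswith("num_") and (
            isinstance(value, bool) or not isinstance(value, int) or value < 0
        ):
            problems.append(f"{key} must be a non-negative integer")
    return problems


def scan_origin(raw):
    """Classify an event as 'command' or 'scheduled' by presence of command_uid."""
    return "command" if json.loads(raw).get("command_uid") else "scheduled"
```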

Review threads (all resolved): dictionary.json (two threads, outdated), objects/scan.json (two threads, one outdated)
@pagbabian-splunk pagbabian-splunk merged commit fc06ae0 into ocsf:main Jan 19, 2024
2 checks passed
Labels
application_activity (Issues related to Application Activity Category), enhancement (New feature or request), non_breaking (Non Breaking, backwards compatible changes), v1.1.0 (Changes marked for v1.1.0 of OCSF)
5 participants