While working on updating SEI packages to package-spec 2.7.0, I came across this validation error:
[0] parsing field value failed: field "event.type" value "access" is not one of the expected values (change, creation, deletion, info) for any of the values of "event.category" (file)
As the error states, for event.category file, the only permitted values for event.type are change, creation, deletion, info. It appears that access was erroneously omitted from the list. The documentation even mentions that it should be an allowed value:
The access event type is used for the subset of events within a category that indicate that something was accessed. Common examples include event.category:database AND event.type:access, or event.category:file AND event.type:access. Note for file access, both directory listings and file opens should be included in this subcategory. You can further distinguish access operations using the ECS event.action field.
Related issue: https://github.com/elastic/security-team/issues/5870
Currently blocking the update of these packages: