File Access Authorization Event Upload #157

Open
ltk opened this issue Dec 3, 2024 · 1 comment

ltk commented Dec 3, 2024

Is there any current support for uploading FAA events to a sync server? (I've been playing around with this for a bit, and my impression is no.)

Centrally storing/consuming execution event data is very straightforward with the /eventupload endpoint and we'd love to use something similar for FAA events.

mlw (Contributor) commented Dec 4, 2024

This is not currently supported but something we've thought a bit about. We'd like to be able to begin supporting FAA rule management via the sync protocol, and having some way to generate events to allow exception flows for users via the sync protocol would be a natural extension.

A quick side note worth mentioning - you may be familiar already, but want to state here for posterity: while consuming execution events received via the sync protocol can provide some understanding about the breadth of executables in use throughout a fleet, these are not meant to be considered "telemetry". They are not 1-to-1 for all executions on a host (e.g. multiple cache layers can bypass a previously evaluated binary's execution from being sent during a sync) and they only contain a subset of the overall wealth of enriched data stored in logs. If the goal is to glean useful security information from executions on the fleet, the telemetry logs are the source of truth.

pmarkowsky added the enhancement (New feature or request) label Dec 4, 2024
pmarkowsky added this to the 2025.3 milestone Jan 17, 2025