Add Application Error event class #1289

Open
rmouritzen-splunk opened this issue Dec 17, 2024 · 0 comments
Add an Application Error event class with category Application Activity (6).

Question: is "Error" too specific? "Issue" is more general, but doesn't seem to convey the correct idea.

One use is raw event translation errors where the process of translating (mapping) a raw event to OCSF fails such that no normal event can be created.

The kind of error should be captured with activity_id:

  • 0 - Unknown
  • 1 - General error: the application generating OCSF events has experienced an error.
  • 2 - Translation error: the application generating OCSF events had encountered an error translating (mapping) a raw event to OCSF. Including the original raw event in the raw_data field is highly recommended.
  • 99 - Other.

The severity_id values from base_event should work fine.

@rmouritzen-splunk rmouritzen-splunk added enhancement New feature or request non_breaking Non Breaking, backwards compatible changes application_activity Issues related to Application Activity Category labels Dec 17, 2024
@rmouritzen-splunk rmouritzen-splunk self-assigned this Dec 17, 2024
rmouritzen-splunk added a commit to rmouritzen-splunk/ocsf-schema that referenced this issue Dec 23, 2024
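
A translator that emits the proposed event when mapping fails, as an added example (not code from the issue or from the OCSF project). The class UID is left as a placeholder because the issue does not assign one; the mapper, the sample log lines and the use of the base event `message` and `time` fields are assumptions made for illustration.

```python
import json
import time

CATEGORY_UID = 6   # Application Activity, as stated in the issue
CLASS_UID = None   # placeholder: the issue does not assign a class UID
ACTIVITY = {"unknown": 0, "general": 1, "translation": 2, "other": 99}
SEVERITY_MEDIUM = 3  # severity_id value from the OCSF base event


def application_error(activity, message, raw=None, severity_id=SEVERITY_MEDIUM):
    """Build an event shaped like the proposed Application Error class."""
    event = {
        "category_uid": CATEGORY_UID,
        "class_uid": CLASS_UID,
        "activity_id": ACTIVITY[activity],
        "severity_id": severity_id,
        "time": int(time.time() * 1000),  # OCSF timestamps are epoch milliseconds
        "message": message,
    }
    if raw is not None:
        event["raw_data"] = raw  # keep the input that could not be translated
    return event


def map_auth_log(raw):
    """Hypothetical mapper: JSON auth log line -> minimal Authentication event."""
    rec = json.loads(raw)
    return {
        "category_uid": 3,   # Identity & Access Management
        "class_uid": 3002,   # Authentication
        "user": {"name": rec["user"]},
        "src_endpoint": {"ip": rec["ip"]},
        "raw_data": raw,
    }


def translate(raw, mapper=map_auth_log):
    """Return the mapped event, or a Translation error event carrying raw_data."""
    try:
        return mapper(raw)
    except (ValueError, KeyError, TypeError) as exc:
        return application_error("translation", f"{type(exc).__name__}: {exc}", raw)


# Constructed sample input: one valid line, one truncated line, one missing a field.
GOOD = '{"user": "alice", "ip": "192.0.2.10"}'
TRUNCATED = '{"user": "bob", "ip": "192.0'
MISSING = '{"ip": "192.0.2.11"}'
```

Every input line yields exactly one event this way, so a pipeline can count and alert on `activity_id` 2 instead of silently dropping records it could not map.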