
Add a generic event class for each category #1294

rmouritzen-splunk opened this issue Dec 23, 2024 · 0 comments
Labels: enhancement (New feature or request), non_breaking (Non Breaking, backwards compatible changes), v1.4.0 or later (Changes marked for versions beyond v1.3.0 of OCSF)


A generic event class for each category is helpful when mapping existing event logs to OCSF in situations where the category of an event is clear but the work to fully map events is not yet complete.

The alternative is loss of fidelity or just dropping the raw event (not mapping it at all while running in production), neither of which is desirable. The loss of fidelity arises from the use of the Base Event class instead of a generic category-specific class, which loses both the category and activity IDs that the generic class would carry.

There should be a warning in the event class descriptions of these generic classes saying exactly why they exist, and steering people away from their use as a final solution. The same warning should be added to Base Event.
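The fidelity argument above, as an added example that is not code from the OCSF project or from the issue author: a small mapper that falls back to Base Event when a source's class mapping is incomplete, beside the same mapper using a hypothetical generic class per category. The generic `class_uid` values (1000, 2000, ...) are assumptions for this demo; `base_event` (class 0), DNS Activity (4003, category 4), the `type_uid = class_uid * 100 + activity_id` rule and the `activity_id` value 99 for "Other" are existing OCSF conventions. The sample records are constructed. A coverage counter is included so that generic-class usage can be tracked rather than quietly becoming the permanent solution the issue warns against.

```python
# Added example, not code from the OCSF project or the issue author.
# Compares the Base Event fallback with a hypothetical generic class per
# category when a source's category is known but its class mapping is not
# finished. Generic class_uid values below are assumptions.
from collections import Counter

BASE_EVENT_CLASS_UID = 0        # OCSF base_event
UNCATEGORIZED_CATEGORY_UID = 0  # category_uid carried by base_event
OTHER_ACTIVITY_ID = 99          # "Other" in OCSF activity_id enums

# Hypothetical generic event class per category (assumed class_uid values,
# following the OCSF convention class_uid = category_uid * 1000 + class id).
GENERIC_CLASS_UID = {1: 1000, 2: 2000, 3: 3000, 4: 4000, 5: 5000, 6: 6000}

# Constructed lookup of sources whose mapping work is finished:
# source -> (class_uid, category_uid). DNS Activity (4003) is a real class
# in the Network Activity category (4).
COMPLETE_MAPPINGS = {"dns_resolver": (4003, 4)}

# Constructed lookup of sources whose category is known but whose class
# mapping is still in progress: source -> category_uid.
CATEGORY_ONLY = {"proxy": 4, "edr_agent": 1}


def map_event(raw, generic_classes=True):
    """Map one raw log record to a minimal OCSF-shaped dict.

    generic_classes=False models today's situation (Base Event is the only
    fallback); generic_classes=True models the issue's proposal.
    """
    out = {"time": raw["time"], "metadata": {"original": raw}}
    if raw["source"] in COMPLETE_MAPPINGS:
        class_uid, category_uid = COMPLETE_MAPPINGS[raw["source"]]
        activity_id = raw.get("activity_id", OTHER_ACTIVITY_ID)
    elif generic_classes and raw["source"] in CATEGORY_ONLY:
        category_uid = CATEGORY_ONLY[raw["source"]]
        class_uid = GENERIC_CLASS_UID[category_uid]
        # The generic class has no activity enum of its own, so use "Other".
        activity_id = OTHER_ACTIVITY_ID
    else:
        # Base Event fallback: the category and the activity are both lost.
        class_uid = BASE_EVENT_CLASS_UID
        category_uid = UNCATEGORIZED_CATEGORY_UID
        activity_id = None
    out["class_uid"] = class_uid
    out["category_uid"] = category_uid
    if activity_id is not None:
        out["activity_id"] = activity_id
        out["type_uid"] = class_uid * 100 + activity_id  # OCSF type_uid rule
    return out


def mapping_coverage(events):
    """Count mapped events by tier so generic-class usage stays visible."""
    tiers = Counter()
    for ev in events:
        if ev["class_uid"] == BASE_EVENT_CLASS_UID:
            tiers["base_event"] += 1
        elif ev["class_uid"] in GENERIC_CLASS_UID.values():
            tiers["generic_category"] += 1
        else:
            tiers["specific_class"] += 1
    return dict(tiers)


# Constructed sample records (epoch milliseconds, source name, optional activity).
SAMPLE_RAW = [
    {"time": 1735000000000, "source": "dns_resolver", "activity_id": 1},
    {"time": 1735000001000, "source": "proxy"},
    {"time": 1735000002000, "source": "edr_agent"},
    {"time": 1735000003000, "source": "unknown_appliance"},
]

if __name__ == "__main__":
    for flag in (False, True):
        mapped = [map_event(r, generic_classes=flag) for r in SAMPLE_RAW]
        print("generic classes enabled:", flag, mapping_coverage(mapped))
```

Running the script shows the proxy and EDR records land in Base Event (category 0, no activity) without the generic classes, and keep `category_uid` 4 and 1 with them; the `mapping_coverage` tiers are what a pipeline would export as a metric to drive the remaining mapping work.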

rmouritzen-splunk self-assigned this issue on Dec 23, 2024, and on the same day added a commit to rmouritzen-splunk/ocsf-schema that referenced it.