Add security_control and host profiles to base_event.json
#1270
Conversation
mlmitch
requested review from
floydtree,
pagbabian-splunk,
Aniak5,
mikeradka,
zschmerber,
jonrau-at-queryai and
davemcatcisco
as code owners
mlmitch
force-pushed
the
sec_control_apply
branch
from
849cedf to
1c1d595
Compare
objects/resource_details.json
Outdated
| @@ -48,8 +48,5 @@ | |||
| "description": "The version of the resource. For example <code>1.2.3</code>.", | |||
| "requirement": "optional" | |||
| } | |||
| }, | |||
There was a problem hiding this comment.
This is in there to allow the server to add it to "Referenced By" list of the profile. Take a look here - https://schema.ocsf.io/profiles/cloud
There was a problem hiding this comment.
Every other case was in the event hierarchy so this was the only profile declaration removal I reverted
|
The compatibility check is failing because The validator assumes that profiles are enabled globally instead of per-record, essentially not trusting producers to assign the correct values to Adding new required attributes is not allowed, unless the attribute was introduced in a profile that is new to the schema. It could be that the check should be updated to allow attributes added by way of any profile newly assigned to the event in question. I'm curious to learn what @rmouritzen-splunk thinks. |
mlmitch
force-pushed
the
sec_control_apply
branch
from
1c1d595 to
7b8390a
Compare
|
Thanks for diagnosing so quickly Jeremy.
I think this makes sense. |
mlmitch
force-pushed
the
sec_control_apply
branch
from
7b8390a to
9ea9782
Compare
This looks like it assumes attributes from profiles are always active. A profile is only active in an OCSF event with the profile in its Adding profiles to event classes and objects should always be backwards compatible since OCSF events without the added profiles are unaffected. Here are checks possible, though. These are the profile backwards compatibility checks I can think of:
The checks other than the first are done in isolation, outside of the context of an event class or object. Other than removing profiles, I don't think there are any context-sensitive checks. Let me know this makes sense and that these arguments hold up. |
|
Assuming I'm understanding the |
|
I like the addition of the new Can y'all thumbs up here if you think I should change this optionality in the PR? |
`security_control` and `host` are universally applicable in OCSF Both were applied in an ad-hoc manner _almost_ everywhere Also, sometimes the profile wasn't correctly applied (e.g. cloud_resources_inventory_info.json) This change enables providing a consistent interface with these profiles to downstream data consumers. Change optionality of `action_id` in `security_control` to `recommended` Also removed redundant profile declarations in event hierarchy (e.g. cloud in dhcp_activity.json) Profile declarations in objects left alone to facilitate "Referenced By" feature Signed-off-by: Mitchell Wasson <miwasson@cisco.com>
mlmitch
force-pushed
the
sec_control_apply
branch
from
9ea9782 to
6afd946
Compare
|
Changing the optionality of |
Thanks @mlmitch . I certainly think it is worth raising in the next community call just to ensure we are all on the same page with this one. |
|
TTP profile didnt work out. #1281 revisits applying security_control to the base event. |
security_controlandhostare universally applicable in OCSFBoth were applied in an ad-hoc manner almost everywhere.
Also, sometimes the profile wasn't correctly applied (e.g. cloud_resources_inventory_info.json)
This change enables providing a consistent interface with these profiles to downstream data consumers.
Also removed redundant profile declarations in event hierarchy (e.g. cloud in dhcp_activity.json)