
Add Event family meta schema keyword and Discovery classes #1260

Draft. Wants to merge 15 commits into base: main.

Conversation

pagbabian-splunk
Contributor

@pagbabian-splunk pagbabian-splunk commented Nov 20, 2024

Related Issue: 1261

Description of changes:

Added a new meta schema keyword to the framework, family, so that related classes can be grouped together in the schema browser. In particular, we have many related classes in the Discovery category that make it difficult to see what classes do what. Given they have been created at different times, they sort by their IDs and therefore the related _query classes and _info classes also don't sort together. Lastly, some of the classes don't conform to consistent suffixes, e.g. inventory_info is really Device Inventory Info. This PR adds the information that will allow the browser to use the value of the keyword, e.g. the family name Query or Inventory, to collapse the classes under the title matching the family name.

Note

The ocsf-validator needs to support the new family attribute. PR: ocsf/ocsf-validator#36

Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
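As an added example of the grouping the description above asks the schema browser to do (this is illustration code, not OCSF or ocsf-validator code): a small Python script that loads class definitions shaped like OCSF class JSON, checks the `family` keyword against the three family names the PR introduces for Discovery, and groups the classes under their family instead of ordering them by uid. The placement of `family` as a top-level keyword of a class definition, the class names `sample_query` and `bogus_thing`, and all uids and captions below are constructed assumptions, not values from the OCSF repository.

```python
"""Group OCSF-style event classes by a `family` meta-schema keyword.

Added example, not OCSF project code. The class records below are constructed
samples in the shape of OCSF class JSON; putting `family` at the top level of a
class definition is an assumption about the PR's metaschema change.
"""
import json
from collections import defaultdict

# Family names the PR lists for the Discovery category.
KNOWN_FAMILIES = {"Query", "Inventory", "State"}
NO_FAMILY = "(no family)"

# Constructed sample classes: uids and captions are illustrative only.
SAMPLE_CLASSES_JSON = """[
  {"name": "process_query",       "uid": 7, "caption": "Process Query",           "category": "discovery", "family": "Query"},
  {"name": "inventory_info",      "uid": 1, "caption": "Device Inventory Info",   "category": "discovery", "family": "Inventory"},
  {"name": "device_config_state", "uid": 2, "caption": "Device Config State",     "category": "discovery", "family": "State"},
  {"name": "user_query",          "uid": 8, "caption": "User Query",              "category": "discovery", "family": "Query"},
  {"name": "software_info",       "uid": 9, "caption": "Software Inventory Info", "category": "discovery", "family": "Inventory"},
  {"name": "sample_query",        "uid": 6, "caption": "Sample Query",            "category": "discovery"},
  {"name": "bogus_thing",         "uid": 3, "caption": "Bogus Thing",             "category": "discovery", "family": "Misc"}
]"""


def load_classes(text):
    """Parse a JSON array of class definitions."""
    return json.loads(text)


def check_family(cls):
    """Return a list of problems with a class's `family` keyword (empty if fine).

    A Discovery class without a family would fall outside every collapsed
    group in the browser, and an unknown family name would create a stray group,
    so both are reported.
    """
    problems = []
    fam = cls.get("family")
    if fam is None:
        if cls.get("category") == "discovery":
            problems.append(f"{cls['name']}: discovery class has no family")
    elif fam not in KNOWN_FAMILIES:
        problems.append(f"{cls['name']}: unknown family {fam!r}")
    return problems


def group_by_family(classes, category="discovery"):
    """Map family -> class names for one category, ordered by caption within a family.

    Sorting by caption (not uid) is what keeps the _query and _info classes of
    one family next to each other regardless of when they were added.
    """
    groups = defaultdict(list)
    for cls in classes:
        if cls.get("category") != category:
            continue
        groups[cls.get("family", NO_FAMILY)].append(cls)
    return {
        fam: [c["name"] for c in sorted(members, key=lambda c: c["caption"])]
        for fam, members in sorted(groups.items())
    }


def render_tree(groups):
    """Render the grouped view as indented text, one family heading per group."""
    lines = []
    for fam, names in groups.items():
        lines.append(fam)
        lines.extend(f"  - {name}" for name in names)
    return "\n".join(lines)


if __name__ == "__main__":
    classes = load_classes(SAMPLE_CLASSES_JSON)
    for cls in classes:
        for problem in check_family(cls):
            print("WARN", problem)
    print(render_tree(group_by_family(classes)))
```

Running it prints a warning for the class with no family and for the unknown family value, then the Discovery classes collapsed under Inventory, Query and State headings; the two warnings are the checks a validator would need once `family` becomes part of the metaschema.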
…favor of an updated email_activity class.

Updated the email object to include domains, files, urls arrays.
Updated the email_activity class to add the message_trace_uid ID.
Updated the email_activity class to use the references[] for the Trace activity_id instead of the description URL.
Updated the email_activity class description to reflect its SMTP protocol and the possible URLs and files attachments.

Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
…on to fail!!

Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
…ed an at_least_one constraint on all the to and from attributes. Not all email logs have the 'to' and 'from' but must have at least those or 'smtp_to' and 'smtp_from' in the log.

Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
…egory. Updated the Discovery classes with their families of Query, Inventory, State.

Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
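One of the commits above adds an `at_least_one` constraint so that an email event is accepted when it carries the header addresses, the SMTP envelope addresses, or both. As an added example (not OCSF or ocsf-validator code), the script below evaluates a constraint of that shape against constructed email events. The constraint object follows the `constraints` / `at_least_one` layout used in OCSF class definitions, with `just_one` handled alongside it; the exact attribute list for `email_activity`, the sample events and the helper names are assumptions made for illustration.

```python
"""Check OCSF-style `at_least_one` / `just_one` constraints on an event.

Added example, not ocsf-validator or OCSF project code. The constraint below
is an assumption about how the email_activity constraint is expressed; the
sample events are constructed.
"""

# Hypothetical constraint on the email object: at least one sender/recipient
# attribute must be present, whether from headers or the SMTP envelope.
EMAIL_OBJECT_CONSTRAINTS = {"at_least_one": ["from", "to", "smtp_from", "smtp_to"]}

# Constructed sample events (addresses are example.com / example.net placeholders).
SAMPLE_EVENTS = {
    "header_addresses": {"email": {"from": "alice@example.com", "to": ["bob@example.com"], "subject": "Q3 report"}},
    "smtp_only":        {"email": {"smtp_from": "bounce@example.net", "smtp_to": ["bob@example.com"], "subject": "hello"}},
    "no_parties":       {"email": {"subject": "hello", "size": 1024}},
    "empty_values":     {"email": {"from": "", "to": [], "smtp_from": None, "subject": "blank"}},
}


def present_attributes(obj):
    """Attributes that count as present: key exists and value is not empty.

    Treating "", [], {} and None as absent matters for logs that emit empty
    fields rather than omitting them.
    """
    return {k for k, v in obj.items() if v not in (None, "", [], {})}


def check_constraints(obj, constraints):
    """Return a list of violated constraints for one object (empty means valid)."""
    problems = []
    present = present_attributes(obj)
    at_least = constraints.get("at_least_one")
    if at_least is not None and not present.intersection(at_least):
        problems.append(f"at_least_one violated: none of {at_least} present")
    just_one = constraints.get("just_one")
    if just_one is not None and len(present.intersection(just_one)) != 1:
        problems.append(f"just_one violated: expected exactly one of {just_one}")
    return problems


def validate_email_event(event):
    """Apply the email object constraint to a whole event."""
    email = event.get("email")
    if not isinstance(email, dict):
        return ["email object missing"]
    return check_constraints(email, EMAIL_OBJECT_CONSTRAINTS)


if __name__ == "__main__":
    for label, event in SAMPLE_EVENTS.items():
        problems = validate_email_event(event)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

A flat `at_least_one` list is satisfied by any single member, so an event with only `to` passes; if a schema needed a sender and a recipient independently it would need two constraints, which is the sort of decision a validator change such as ocsf/ocsf-validator#36 has to make explicit.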
@davemcatcisco
Contributor

I appreciate that classes in the Discovery category already have one of three suffixes on their name. However, I think the distinction between inventory, state, and query might in some cases be a little arbitrary or artificial. It is heavily dependent on how a given event is used by a product, and this can vary hugely from one product to another. For example, an endpoint product might enumerate running processes on startup and use process_query events to describe what it finds, in which case the usage is more akin to state (or arguably inventory) than query.

So I guess in one respect I'm questioning if this change is actually going to help or hinder. For those for whom the chosen family aligns with their intended usage of the events, sure, it will help. But for those who see the foo event as an inventory instead of a state, the pre-determined sub-categorisation into distinct families that don't align with their usage is not helpful.

If the community believes there is value to the family concept, I'm wondering if it should be families plural. It seems to me that an event could potentially belong to multiple families.

@pagbabian-splunk pagbabian-splunk added metaschema v1.4.0 or later Changes marked for versions beyond v1.3.0 of OCSF labels Nov 25, 2024