Mike Radka (Splunk)

Results 13 issues of Mike Radka (Splunk)

(spun off from #905) Email Activity are much more based on the Application layer. The focal point of those logs is not the network transaction, but what the overarching applications...

network_activity
application_activity
v1.4.0 or later

A key point of discussion in the 10/04/2023 System Activity Workstream Sync was consolidation. As OCSF grows, so does its complexity. For instance, consumers would like to avoid having profile...

enhancement
v1.4.0 or later

Background: I have some MS events in the pipeline surrounding **[clearing of the audit log](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102)**. They are very useful for ‘covering tracks’ detections, but we don’t have a class that...

enhancement
non_breaking
v1.2.0 and later

While applying consistency to Boolean attribute naming using `is_` via #841, we found some areas for improvement of the general dictionary descriptions for most of the boolean attributes. A Boolean...

enhancement
grammar_consistency
v1.2.0

Some input we gathered regarding the new `ldap_person` object (which replaces the `Person` profile via #813): - There are a few required attributes from the 3 LDAP classes we would...

enhancement
v1.2.0 and later

I have about 30 or so Cisco VPN Events to map to OCSF. Today, we do not have any class associated specifically with VPN sessions. After some discussion, one idea...

network_activity
non_breaking
v1.2.0 and later

There is very often the question of how to distinguish between `Recommended` attributes and `Optional` attributes. Upon discussing this with some OCSF adopters, it seems one major distinction is that...

documentation
enhancement

Originated from `ocsf-schema` PR https://github.com/ocsf/ocsf-schema/pull/807 I believe there is an important relationship between the `observable` [datatypes](https://schema.ocsf.io/1.0.0/data_types?extensions=) and how the [observable objects](https://schema.ocsf.io/1.0.0/objects/observable?extensions=) are identified. For instance, I believe the OCSF translator...

documentation

A topic of discussion that often comes up from OCSF adopters is "When should I use/create an Extension versus when should I use/create a Profile. The `Understanding OCSF` document does...

The Extension IDs are out of sequence, most likely because of alphabetical sorting by name. Show the extension id on mouse hover. Also, as Extensions and Profiles grow, so will...

enhancement