Mitchell Wasson
The general advice here is to create a different `network_interfaces` array object for each IP address or MAC address if there are multiple associated with a single network interface. Conversation here...
I think piling on here is good if the NIC teaming use case is effectively served by an array of IPs in the network interface object.
Interesting! I haven't run into this yet as I haven't tried to reference a finding in related events. It is certainly an issue because the activity_id of a finding evolves...
Not trying to come down hard on this, but I think it's important something that lands in the OCSF schema reflects practices adopted by multiple interest groups in cybersecurity/ Is...
The Microsoft link is helpful and should allay many concerns around vendor specific things :) > Do you think it's better to model it a Detection Finding with...
Good suggestion. A thorn with it is that `file.type_id` seems to have been used to indicate the "filesystem file type" where executable would fall into "Regular File". `mime_type` also exists,...
On the linking stuff, I mean how do we treat library files that aren't directly executable but still contain executable code?
@antchan2 on the use of `mime_type`, I agree that it is a feasible solution. I have two high-level thoughts on the matter. First, "Regular File" is a ridiculous `file.type_id` value...
Well I've certainly got some egg on my face. TIL (or today I relearned) regarding the POSIX file stat.
Here is a gist for the Linux calculation https://gist.github.com/mlmitch/c3cf04fab6757b5220dd185870adbb23 Details of sourcing info from the operating system are left out for brevity.
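The point behind the last few comments is that, on POSIX systems, "regular file" is a file *type* reported by `stat(2)` in `st_mode`, while "executable" is a permission bit on that same mode word and is orthogonal to the type. The following is an added example (my own code, not the linked gist and not OCSF project code) that derives both from `st_mode` and shows why a symlink to an executable needs the `lstat` vs `stat` distinction. The numeric `type_id` mapping is an assumption for illustration; check it against the OCSF file object in the schema version you target.

```python
"""Derive the POSIX file type and executable bit from st_mode.

Added example; not the linked gist. The OCSF type_id numbers below are
assumed for illustration and must be verified against the schema.
"""
import os
import stat
import tempfile

# Assumed mapping of POSIX file types onto OCSF file.type_id values.
OCSF_FILE_TYPE_ID = {
    "Unknown": 0,
    "Regular File": 1,
    "Folder": 2,
    "Character Device": 3,
    "Block Device": 4,
    "Local Socket": 5,
    "Named Pipe": 6,
    "Symbolic Link": 7,
}

# Order matters only for readability; the S_IS* predicates are mutually exclusive.
_MODE_TESTS = (
    (stat.S_ISREG, "Regular File"),
    (stat.S_ISDIR, "Folder"),
    (stat.S_ISCHR, "Character Device"),
    (stat.S_ISBLK, "Block Device"),
    (stat.S_ISSOCK, "Local Socket"),
    (stat.S_ISFIFO, "Named Pipe"),
    (stat.S_ISLNK, "Symbolic Link"),
)


def posix_file_type(mode: int) -> str:
    """Return the POSIX file type name encoded in the st_mode type bits."""
    for predicate, name in _MODE_TESTS:
        if predicate(mode):
            return name
    return "Unknown"


def is_executable(mode: int) -> bool:
    """True when a regular file has any execute permission bit set.

    The x bit on a directory means 'searchable', not 'executable', so the
    check is deliberately limited to regular files.
    """
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(mode) and bool(mode & exec_bits)


def classify(path: str, follow_symlinks: bool = False) -> dict:
    """Classify a path. lstat() reports the link itself; stat() its target."""
    st = os.stat(path) if follow_symlinks else os.lstat(path)
    name = posix_file_type(st.st_mode)
    return {
        "type": name,
        "type_id": OCSF_FILE_TYPE_ID[name],
        "executable": is_executable(st.st_mode),
    }


def demo() -> dict:
    """Build a constructed set of files in a temp dir and classify each."""
    root = tempfile.mkdtemp()
    plain = os.path.join(root, "plain.txt")
    with open(plain, "w") as fh:
        fh.write("data\n")
    os.chmod(plain, 0o644)

    script = os.path.join(root, "run.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho hi\n")
    os.chmod(script, 0o755)  # executable, but still a Regular File

    folder = os.path.join(root, "sub")
    os.mkdir(folder)
    link = os.path.join(root, "link")
    os.symlink(script, link)
    fifo = os.path.join(root, "pipe")
    os.mkfifo(fifo)

    results = {
        "plain": classify(plain),
        "script": classify(script),
        "folder": classify(folder),
        "link": classify(link),
        "link_followed": classify(link, follow_symlinks=True),
        "fifo": classify(fifo),
    }
    return results


if __name__ == "__main__":
    for label, info in demo().items():
        print(f"{label:14} {info}")
```

Note that `classify(link)` reports a symbolic link that is not executable, while `classify(link, follow_symlinks=True)` reports the target as an executable regular file; a collector has to decide which of the two it is recording, since an event that names a path can legitimately mean either.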