
Determine the reserved attributes

Open rroupski opened this issue 2 years ago • 4 comments

Discussed in https://github.com/ocsf/ocsf-schema/discussions/84

Originally posted by rroupski July 19, 2022

Attributes that are either generated or derived by the collection, post-collection processing, or storage systems other than the mapping process are designated Reserved. The current list of the reserved attributes is:

  • _log_time (from metadata), rename as _logged_time
  • _type_uid
  • _type_name
  • _time
  • _observables
  • _raw_data
  • _unmapped

This discussion is about whether the last 3 attributes should be reserved or not.

  • _observables

  • _raw_data

  • _unmapped

  • The observables should be generated based on the input data and the schema. In other words, the observables data should not be manually added by the source that generated the event.

  • The raw_data is an attribute that contains the original data as generated by the source. If the event source creates events in the OCSF Schema, then the raw_data should not be used.

  • The unmapped is an attribute that contains the attributes which are not defined by the OCSF Schema. If the event source creates events in the OCSF Schema, then the unmapped attribute could be used to add additional attributes which are not defined by the schema.

rroupski avatar Jul 29 '22 22:07 rroupski

Add a couple more reserved attributes: _processed_time and _modified_time?

Note, the modified_time attribute is used in the file, reg key, and reg value objects. Should we have both modified_time and _modified_time attributes?

rroupski avatar Jul 31 '22 16:07 rroupski

The metadata.uid is a reserved attribute (which is not on the original list above). It is also used in many objects as a general purpose unique identifier. Should we define a new attribute _uid in addition to the existing uid?

rroupski avatar Aug 01 '22 16:08 rroupski

Based on discussions with Paul, we should reduce the reserved attributes:

  • _uid: string, required. The unique identifier of an event instance, assigned by the event processor.

  • _raw_data: string, optional. The event data as received from the event source. This attribute must be used when events are translated from some format other than OCSF. If the event is created using the OCSF schema, then the _raw_data must not be used.

The type_uid, type_name, observables, and unmapped could be added by event producer or event processor, so they should not be reserved.

rroupski avatar Aug 01 '22 19:08 rroupski

Based on the Aug 4th call, the OCSF reserved attribute list is decided to be:

  1. _time
  2. _uid
  3. _raw_data

floydtree avatar Aug 04 '22 18:08 floydtree
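As an added illustration (not code from the ocsf-schema project or from anyone in this thread), the following Python checker enforces the reserved-attribute rules agreed above: `_uid` is a required string, `_raw_data` is present exactly when the event was translated from a non-OCSF format, and `_time`, when present, is an integer. It assumes that any other attribute with a leading underscore is unexpected, since the thread moved type_uid, type_name, observables and unmapped out of the reserved set; the sample events are constructed.

```python
# Reserved attribute list as decided on the Aug 4th call in this thread.
RESERVED = {"_time", "_uid", "_raw_data"}


def validate_reserved(event: dict, translated: bool) -> list[str]:
    """Return a list of problems with the reserved attributes of an event.

    translated=True  : event was mapped from a non-OCSF format, so _raw_data
                       must carry the original data.
    translated=False : producer emitted OCSF natively, so _raw_data must be absent.
    An empty list means the event passes. (Illustrative checker, not the
    schema project's own validator.)
    """
    problems = []

    # _uid: required, non-empty string, assigned by the event processor
    uid = event.get("_uid")
    if not isinstance(uid, str) or not uid:
        problems.append("_uid must be a non-empty string")

    # _time: assumed to be an integer timestamp when present
    if "_time" in event and not isinstance(event["_time"], int):
        problems.append("_time must be an integer timestamp")

    # _raw_data: present if and only if the event was translated
    has_raw = "_raw_data" in event
    if translated and (not has_raw or not isinstance(event["_raw_data"], str)):
        problems.append("_raw_data (string) is required for translated events")
    if not translated and has_raw:
        problems.append("_raw_data must not be set on natively produced OCSF events")

    # Assumption: a leading underscore is only valid on reserved attributes
    for key in event:
        if key.startswith("_") and key not in RESERVED:
            problems.append(f"{key} is not a reserved attribute")

    return problems


# Constructed sample events for a quick self-check.
TRANSLATED_EVENT = {
    "_uid": "evt-0001", "_time": 1659643200000,
    "_raw_data": '{"src":"10.0.0.5","act":"login"}', "activity_id": 1,
}
NATIVE_EVENT = {  # native OCSF producer that wrongly filled _raw_data
    "_uid": "evt-0002", "_time": 1659643201000,
    "_raw_data": "should not be here", "type_uid": 300201,
}
```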

N/A any more

rroupski avatar Oct 26 '22 18:10 rroupski