ocsf-schema
User object should include an Enabled / Disabled state.
Jason from Microsoft brought this up as part of the discussion around PR #1076 re: standard state values.
If we decide to add Enabled and Disabled as standard (dictionary defined) state_id enums that today are just 0 / 99, it can be applied to User and other objects whose state may be enabled or disabled after an operation or during a discovery.
+1. Perhaps this is better as an is_enabled or is_disabled bool longer term.
Snowflake, CrowdStrike, SentinelOne, and others have this tracked per-User but also per-Device in some cases.