
Add Zone to managed entity object

Open max-power15 opened this issue 1 year ago • 3 comments

Related Issue:

Managed Entity object did not stand out as an obvious choice when reviewing Okta Network zones.

Description of changes:

  • Following a discussion based on Okta system logs in Slack, Network zones were considered to be an entity based on the operations performed.
  • Adding a Zone entity to the managed entity type_id enum.
  • Adding a Zone object

max-power15 avatar Sep 25 '24 09:09 max-power15

After looking at a zone.update log in Okta, it seems like the structure of the data may need to be carried by an array. Also, I see a zone field (https://schema.ocsf.io/1.3.0/objects/device?extensions=) in the schema, so we would have a collision with adding a new object with the same name.

zschmerber avatar Sep 25 '24 19:09 zschmerber

Nice draft, @max-power15. I believe adding a Zone entity to the Entity Management class makes a lot of sense. However, there are a few logistics to consider:

  1. OCSF already includes a zone attribute, which is currently of type String. Changing its type to a zone object would be a breaking change.

  2. That said, I do see potential in creating an object which represents a zone (or even an array of zones), as it could include attributes like name and uid, and perhaps additional ones such as a CIDR range. One option could be to introduce a zone_info object or attribute. While the name is flexible, we would need to choose something other than zone to avoid breaking changes.

  3. If we proceed with a new zone_info object (or whatever the name may be), we might consider deprecating the current zone (String) attribute and directing to using the new object.

  4. This could also tie in with the recent discussions around a Network profile. I’d love to hear your thoughts, along with @pagbabian-splunk @floydtree @zschmerber @Aniak5

mikeradka avatar Sep 25 '24 19:09 mikeradka
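
The trade-off raised in the comment above, as an added example that is not part of the thread or of the OCSF project's own code: a simplified compatibility check showing that retyping `zone` breaks existing users while adding a separately named array does not, plus a mapper that emits both fields. The dictionary layout, the `deprecated` flag, the `cidrs` attribute, the `zone_info` shape and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Simplified attribute dictionaries (attribute name -> spec); constructed for
# illustration, not copied from the OCSF schema repository.
CURRENT = {"zone": {"type": "string_t"}}
PROPOSAL_RETYPE = {"zone": {"type": "zone"}}  # zone becomes an object
PROPOSAL_ADDITIVE = {
    "zone": {"type": "string_t", "deprecated": True},      # kept, marked deprecated
    "zone_info": {"type": "zone_info", "is_array": True},  # hypothetical name
}


def breaking_changes(old, new):
    """Return the reasons existing producers/consumers of `old` would break."""
    problems = []
    for name, spec in old.items():
        if name not in new:
            problems.append(f"{name}: removed")
        elif new[name]["type"] != spec["type"]:
            problems.append(f"{name}: {spec['type']} -> {new[name]['type']}")
        elif new[name].get("is_array", False) != spec.get("is_array", False):
            problems.append(f"{name}: array flag changed")
    return problems


def map_zones(raw_zones):
    """Emit the legacy string plus the hypothetical zone_info array."""
    infos = []
    for z in raw_zones:
        # strict=False accepts host bits (10.1.2.3/8) and normalizes them;
        # a malformed range raises ValueError instead of being passed through.
        cidrs = [str(ipaddress.ip_network(c, strict=False)) for c in z.get("cidrs", [])]
        infos.append({"name": z["name"], "uid": z["uid"], "cidrs": cidrs})
    out = {"zone_info": infos}
    if infos:
        out["zone"] = infos[0]["name"]  # legacy consumers still receive a string
    return out


# Constructed sample input; names, uids and ranges are placeholders.
SAMPLE = [{"name": "Corp VPN", "uid": "nzo-example-1", "cidrs": ["10.1.2.3/8"]},
          {"name": "Branch", "uid": "nzo-example-2", "cidrs": ["192.0.2.0/24"]}]

if __name__ == "__main__":
    print(breaking_changes(CURRENT, PROPOSAL_RETYPE))
    print(breaking_changes(CURRENT, PROPOSAL_ADDITIVE))
    print(map_zones(SAMPLE))
```
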

@zschmerber @mikeradka

Great feedback, I wasn't aware of the zone attribute. Happy to adjust the object name and the additional attribute for CIDR.

Is there a PR for the network profile I could check out, or is it being discussed in Slack?

max-power15 avatar Sep 26 '24 07:09 max-power15


Hello @max-power15, this one slipped through the cracks for me for some reason. This has been more of a discussion topic rather than any sort of PR. Perhaps this is a topic we could discuss in one of the upcoming Network syncs on Wednesdays? It may be worthwhile to send us over a ping about it in the #network Slack channel.

mikeradka avatar Nov 18 '24 18:11 mikeradka

The caption of the existing zone string attribute is 'Network Zone'. If we are going to introduce a more generic zone_info object and a more specific network_zone attribute of that type, we will either have to deprecate the current zone attribute or change its caption and description.

The latter may not be "correct" in that it is in current use as a 'Network Zone' - making it more generic only works if we didn't favor another more specific replacement of zone_info and network_zone.

pagbabian-splunk avatar Mar 11 '25 00:03 pagbabian-splunk

Being resolved in #1364

floydtree avatar Mar 14 '25 18:03 floydtree