
Docs: Correct reference to missing MacOS profile

Open trumant opened this issue 7 months ago • 1 comments

Observed Behavior

As a newcomer to the project, I was reading https://github.com/ocsf/ocsf-schema/blob/main/extensions.md?plain=1#L19 and expected to find a directory named macos in https://github.com/ocsf/ocsf-schema/tree/main/extensions but I did not.

Expected Behavior

https://github.com/ocsf/ocsf-schema/blob/main/extensions.md?plain=1#L19 either does not mention a missing extension or the document is otherwise clarified to set the appropriate expectations for the reader as to the presence or absence of an extension specific to MacOS.

trumant, May 02 '25 11:05

Yes, there was a MacOS extension during one of the version cycles, but before the official release of that version, the author removed the extension and refactored the event as a core event (for what was then Startup Item Query - now deprecated in favor of the Query Evidence object and Live Evidence: https://schema.ocsf.io/1.5.0/objects/query_evidence?extensions=)

However, we will likely be adding it back in 1.6 (more discussion required) for other purposes. Sorry for the confusion this may have created.

pagbabian-splunk, May 12 '25 21:05