ocsf-schema
Circular dependency caused by existence of user (manager) in ldap_person.
The existence of manager of user type in ldap_person is causing a circular dependency, since ldap_person is part of the user object.
There are two options to consider:
- Remove manager from ldap_person object (is it really needed?).
- Change manager from user type to freshly created object.
Proposed new object user_reference:
```json
{
  "caption": "User Reference",
  "name": "user_reference",
  "description": "The User Reference object describes the characteristics of a referenced user credentials.",
  "attributes": {
    "credential_uid": {
      "requirement": "optional"
    },
    "domain": {
      "description": "The domain where the user is defined. For example: the LDAP or Active Directory domain.",
      "requirement": "optional"
    },
    "email_addr": {
      "requirement": "optional"
    },
    "forward_addr": {
      "requirement": "optional"
    },
    "full_name": {
      "requirement": "optional"
    },
    "name": {
      "description": "The username. For example, <code>janedoe1</code>.",
      "requirement": "recommended",
      "type": "username_t"
    },
    "org": {
      "description": "Organization and org unit related to the user.",
      "requirement": "optional"
    },
    "phone_number": {
      "caption": "Telephone Number",
      "description": "The telephone number of the user.",
      "requirement": "optional"
    },
    "uid": {
      "description": "The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.",
      "requirement": "recommended",
      "observable": 31
    }
  },
  "constraints": {
    "at_least_one": [
      "name",
      "uid"
    ]
  }
}
```
OCSF has at least a couple of circular references. The other common one is process to parent_process (also of object type process), creating a parent_process to parent_process direct loop.
The suggested solution (from the OCSF encodings subgroup) is to use a heuristic to stop the recursion at a certain point. My own code stops after hitting a repeat of an attribute name, which works because of OCSF's shared attribute dictionary.
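An added sketch of the two ideas in this thread, not code from the OCSF project or from either poster: `find_cycles` lists the type-level loops the issue reports, and `expand` stops recursion when an attribute name repeats on the current path, which is one reading of the heuristic described in the comment above. `OBJECTS` is a constructed miniature of the schema, and all function names are hypothetical.

```python
# Constructed miniature of OCSF object definitions (not the real schema files).
# Each attribute maps to a scalar type name or to another object's name.
OBJECTS = {
    "user": {"name": "username_t", "uid": "string_t", "ldap_person": "ldap_person"},
    "ldap_person": {"email_addr": "email_t", "manager": "user"},
    "process": {"pid": "integer_t", "user": "user", "parent_process": "process"},
}
TRUNCATED = "<recursion stopped>"


def expand(obj_name, objects=OBJECTS, path=()):
    """Expand an object into a nested dict of its attributes.

    `path` holds the object-typed attribute names descended through so far.
    Seeing one of them again means the schema has looped, so expansion stops
    there. Each descent adds a new name to `path`, so this always terminates.
    """
    out = {}
    for attr, type_name in objects[obj_name].items():
        if type_name not in objects:
            out[attr] = type_name        # scalar type: nothing to expand
        elif attr in path:
            out[attr] = TRUNCATED        # repeated attribute name: stop here
        else:
            out[attr] = expand(type_name, objects, path + (attr,))
    return out


def find_cycles(objects=OBJECTS):
    """List reference cycles as object-name chains, e.g. ['process', 'process']."""
    cycles = []

    def walk(obj_name, stack):
        for type_name in objects[obj_name].values():
            if type_name not in objects:
                continue
            if type_name == stack[0]:
                cycles.append(stack + [type_name])
            elif type_name not in stack:
                walk(type_name, stack + [type_name])

    for root in objects:
        walk(root, [root])
    return cycles
```

Pointing `manager` at a scalar-only object such as the proposed `user_reference` removes the user/ldap_person cycle from `find_cycles`, while the process/parent_process loop still needs the stop rule.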