ocsf-schema
All Required Attributes within Classes Must Have a Default
The intention of Required attributes within event classes is that the attribute is always present in every instance of the event. To be useful, reasonable default values must be spelled out so that the event can be validated and so that the semantics of the event can be reasonably (if not completely) represented.
For Enum attributes, the default is Unknown. For process PID integer attributes, the default may be 1, the primordial OS process (e.g. init).
However, many other required attributes have not been documented as to what their default value should be.
I believe this is worthy of making a new proposal for the OCSF plan for sane defaults.
One of the options could be adding default values to the data types in the dictionary. This way, if a "required" attribute is missing a default value, it would automatically use the default associated with its data type. This way we can ensure that if someone forgot to add a default value to a recommended attribute, we have a backup.
Adding default values for simple types is doable, however it might be a challenge to add default values for attributes that are defined objects, such as file or process.
It is doable for objects as well. Objects would have all internal required attributes assigned default values. It would give every defined object a default state that can be evaluated. I will prepare a proposal.
It is not deterministic for string fields, and there is no good default except when the value is unknown or n/a.
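The fallback chain discussed in this thread (attribute default, then the Unknown enum value, then a per-data-type default from the dictionary, recursing into object-typed attributes such as file or process), written out as an added example that is not part of the OCSF project. The schema fragments, `TYPE_DEFAULTS`, and `apply_defaults` are constructed and simplified for illustration; the function also reports which attributes it had to synthesize, since, as noted above, a synthesized string is not a meaningful value and consumers should be able to tell it apart from real data.

```python
# Added example (not OCSF project code): fill required attributes from
# attribute default -> Unknown enum id -> data-type default, recursively.
from typing import Any, Optional

UNKNOWN = 0  # OCSF enum convention: id 0 means "Unknown"

# Constructed, simplified schema fragments; layout only loosely follows OCSF.
TYPE_DEFAULTS = {"integer_t": 0, "boolean_t": False, "timestamp_t": 0, "string_t": ""}
OBJECTS = {
    "process": {"attributes": {
        "pid": {"type": "integer_t", "requirement": "required", "default": 1},
        "name": {"type": "string_t", "requirement": "optional"}}},
    "file": {"attributes": {
        "name": {"type": "string_t", "requirement": "required"},
        "type_id": {"type": "integer_t", "requirement": "required", "enum": True}}},
}
EVENT_CLASS = {"attributes": {
    "severity_id": {"type": "integer_t", "requirement": "required", "enum": True},
    "time": {"type": "timestamp_t", "requirement": "required"},
    "process": {"type": "process", "requirement": "required"},
    "file": {"type": "file", "requirement": "recommended"},
}}

def apply_defaults(event: dict, schema: dict, path: str = "",
                   filled: Optional[list] = None) -> tuple:
    """Return (copy of event with all required attributes present, list of
    attribute paths whose values were synthesized rather than supplied)."""
    filled = [] if filled is None else filled
    out: dict = dict(event)
    for name, spec in schema["attributes"].items():
        here = f"{path}.{name}" if path else name
        obj = OBJECTS.get(spec["type"])  # None for primitive data types
        if name in out:
            if obj is not None and isinstance(out[name], dict):
                # Object supplied: its own required attributes still need checking.
                out[name], _ = apply_defaults(out[name], obj, here, filled)
            continue
        if spec.get("requirement") != "required":
            continue  # recommended/optional attributes may legitimately be absent
        if "default" in spec:
            out[name] = spec["default"]
        elif spec.get("enum"):
            out[name] = UNKNOWN
        elif obj is not None:
            out[name], _ = apply_defaults({}, obj, here, filled)  # default object state
        elif spec["type"] in TYPE_DEFAULTS:
            out[name] = TYPE_DEFAULTS[spec["type"]]
        else:
            raise ValueError(f"no default known for {here} ({spec['type']})")
        filled.append(here)
    return out, filled

if __name__ == "__main__":
    # Constructed sample event: severity given, process present but without a pid.
    print(apply_defaults({"severity_id": 3, "process": {"name": "sshd"}}, EVENT_CLASS))
```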