ocsf-schema
OCSF Schema
The [Device](https://schema.ocsf.io/1.3.0/objects/device?extensions=) object has an `imei` field which can only store one International Mobile Equipment Identity (IMEI) value. Dual-SIM devices are now common and these devices have two IMEI values,...
PR 1159 added the `Script Activity` event class to the schema. It was authored by myself and merged on 22nd August. Within a week of this, I realised on trying...
#### Description: I have a question regarding the appropriate placement of parent process details in OCSF for **process events**, specifically in the case of **process creation** events with `activity_id` set...
### Remote Ransomware Encrypting Shared Files **INTRODUCTION** Remote ransomware refers to ransomware that operates on an unmanaged (or compromised) remote machine, encrypting files shared from another system. Since the endpoint...
#### Related Issue: Managed Entity object did not stand out as an obvious choice when reviewing Okta Network zones. #### Description of changes: - Following a discussion based on...
Based on discussion at https://opencybersecu-lz97379.slack.com/archives/C03C2QPSBPB/p1727259577114689 The field for an IP address to be stored in a `network connection info` object is unclear. The discussion identified the likely suspect of adding...
There has been some discussion and confusion on how to represent a security detection in OCSF. One obvious approach is to use the `Detection Finding` class, however it isn't appropriate...
Will it be possible to unify the "signature" (dictionary) and "digital_signature" (object)? The object mentions that the usage for the name should be "digital_signature", but in the dictionary.json there is...
Hi, while mapping Windows Event ID 7045 I'm missing some fields in Class Application Lifecycle (6002). For example: * actor (reference) (who did the action) * device (reference) (where happens...
TL;DR - The schema needs a new activity class to represent script execution events. Most Windows EDR products provide visibility into the execution of PowerShell, Python, VBScript, JavaScript, Office macros,...