ocsf-schema
OCSF Schema
## BLUF Add `owner` (`user`) to `device` and `network_endpoint` to match its presence within the `resource` object. Create a new `agent` object that captures various agent/sensor details. ## Details The...
Refactored the Startup application type to apply to all OSes, as this event class has meaning across all of them. Removed the macOS extension as this refactoring removes the only...
The `type_id` enum in the `database` object today has a bug where two separate enum items use the same id, as seen below. [Screenshot 2024-03-13 at 13 08 54] This is how...
## Background Today, the `datetime` profile is a "special" profile: - The [profile](https://github.com/ocsf/ocsf-schema/blob/main/profiles/datetime.json) defines no attributes to overlay onto objects. - Instead, the schema server [defines its behavior](https://github.com/ocsf/ocsf-server/blob/8d3bceeeca408ffe02ea3a3ffada91615313e6dd/lib/schema/cache.ex#L825-L830), where it...
## Background In OCSF's schema definition files, there is the concept of a **profile**. As documented [here](https://github.com/ocsf/ocsf-docs/blob/main/Understanding%20OCSF.md#taxonomy-constructs), a profile is akin to an overlay or [mixin](https://en.wikipedia.org/wiki/Mixin): > Profiles overlay additional...
**Tagged Events if Raised** There might be some cases where an IT team configures its threat detection platform to highlight specific events that are of interest to it. For example, the...
## Background While discussing #960 today, it was raised that altering the type of attributes from `string_t` or `int_t` to more specific types like `user_agent_t` is a breaking change. We...
Currently the scalar values represented in `observables.type_id` have several "ID" types and several "Name" types without their pair being added which may matter to a source system. Additionally, there are...
Modern authentications and API activities to cloud resources (AWS, Azure, GCP, etc.) and SaaS applications (Microsoft Office 365, Google Workspace, etc.) often create activity logs that contain information not just...
Adding events to model remediation of entities on Windows/Linux/MacOS: These events report the status of remediation attempts (commands) on the defined target entities. Windows/Mac specific items were added as extensions...