
OCSF Schema

Results 151 ocsf-schema issues

The `User Inventory Info` class and the `User Info` class have names that are too similar and will be confusing as to which one to use for what purpose. The...

The definition of `timestamp_t` is

> The nominal data type for these attributes is timestamp_t based on Unix time or number of milliseconds since the Unix epoch.

Unfortunately, there are...

#### Related Issue:

This PR adds several new scalar observables to address [Issue 960](https://github.com/ocsf/ocsf-schema/issues/960). Two – port and subnet – use existing data types, while others introduce new data...

enhancement

There is still confusion between the original Discovery classes that have the `_info` suffix and the new family of classes with that suffix. The former classes (Device Inventory Info, User...

enhancement
discovery

Although it is very straightforward to call action "Unknown/Allowed/Denied/Other" and I agree with it, the field action is already present in another Models (CIM) used by Splunk, and I...

The `json_t` type has ended up with two interpretations:

# Options

## Option 1: `json_t` is the _any_ type

* The `json_t` is an any type, meaning any valid JSON...

(spun off from #905) Email Activity are much more based on the Application layer. The focal point of those logs are not the network transaction, but what the overarching applications...

network_activity
application_activity
v1.4.0 or later

A Network Interface device (which should be represented in a single Network Interface object) can have multiple IPs mapped to a single MAC (even if it's just an IPv4 and...

network_activity

[Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current) defines a set of attributes for vulnerabilities, certificates, process, users, etc. that has an intersection with OCSF. It was also historically actively used for security events. OpenTelemetry...

maintainers

For some enums we would like to be able to not use default enum values (`0` for `Unknown` and `99` for `Other`). The way some of the fields are defined...

v1.2.0