ocsf-schema
OCSF Schema
Hi, When trying to transform a Group created event, the assumption is - this would belong in "Group Management 3006". However, this class does not contain activity events which show...
When developing custom extensions for OCSF, the generated value for `type_uid` can be out of range for a classic 32-bit integer (max positive value is `2,147,483,647`). As an example, we (S1...
A key point of discussion in the 10/04/2023 System Activity Workstream Sync was consolidation. As OCSF grows, so does its complexity. For instance, consumers would like to avoid having profile...
Background: I have some MS events in the pipeline surrounding **[clearing of the audit log](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102)**. They are very useful for ‘covering tracks’ detections, but we don’t have a class that...
While applying consistency to Boolean attribute naming using `is_` via #841, we found some areas for improvement of the general dictionary descriptions for most of the boolean attributes. A Boolean...
Some input we gathered regarding the new `ldap_person` object (which replaces the `Person` profile via #813): - There are a few required attributes from the 3 LDAP classes we would...
**Issue Description** Several activity classes defined in the OCSF schema currently lack a dedicated field for describing the resources affected by the respective activities. This omission limits the ability to...
Hi, during development of a Python JSON schema parser, we noticed a few naming inconsistencies which required edge cases (could not use the Elixir JSON schema generator). Below are those...
I have about 30 or so Cisco VPN Events to map to OCSF. Today, we do not have any class associated specifically with VPN sessions. After some discussion, one idea...
The `network.json` file is the category base for the Network Activity. It defines the `activity_id` attribute that shouldn't assume all extended classes share the same values. (There is a behavior...