ocsf-server icon indicating copy to clipboard operation
ocsf-server copied to clipboard

Published 20 hours ago verified publisher icon ocsf

Defined attributes can only be enabled through a single profile

Open mlmitch opened this issue 2 months ago • 2 comments

This issue relates to https://github.com/ocsf/ocsf-schema/issues/1422 and is currently blocking https://github.com/ocsf/ocsf-schema/pull/1423

An idea in that pull request is to allow both the linux_users profile and a new macos_users profile to enable the egid and euid attributes.

However @rmouritzen-splunk states that there are two issues with this:

  1. After schema compilation, each event class and object attribute can either have zero or one profile attribute. We will now need a profiles attribute, indicating that a single attribute (egid for example) can be "enabled" by the linux and/or macos profile.
  2. We need to resolve which of these profiles "wins" as the attribute is compiled in to an event class or object type. The attributes in profiles can be change / override information, and they set the requirement. We need a resolution / merge flow.

@mikeradka notes from an OCSF community call

Something suggested in the 5/21/2025 System call - perhaps an approach where the strictest requirement takes precedence, and if same requirement perhaps a merge process. Seems like more discussion/exploration may be needed.

This issue tracks the server work needed to resolve these issues and enable an attribute to be present in more than one OCSF profile.

mlmitch avatar Sep 22 '25 22:09 mlmitch

That's right - we had this conversation some months ago. My suggestion was that the highest requirement would win, given the desire to include the profile that has the higher requirement. However, because descriptions can also be overridden, it's not so clear as to which wins in that case. In some cases a generic attribute can have a very different meaning in context, and the browser or schema generator won't know which to use.

pagbabian-splunk avatar Sep 23 '25 14:09 pagbabian-splunk

FYI: This week I started working on this issue. I've started by (finally) re-writing the schema compilation in Python. This is a deep change that required deeply understanding the entire schema compilation process, and so was a good time to rip out the Elixir compilation code and replace it.

rmouritzen-splunk avatar Oct 02 '25 19:10 rmouritzen-splunk