Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a new meta schema keyword: family, to group related classes in a category #1334

Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

Add a new meta schema keyword: family, to group related classes in a category #1334

wants to merge 17 commits into from

Conversation

pagbabian-splunk
Copy link
Contributor

Related Issue: #1261

Description of changes:

Added a new meta schema keyword called family which like the group keyword does with attributes, can tag related event classes. This could be used to organize related classes in a category that don't have contiguous IDs, which cause them to sort randomly as the classes have been created in time. A large number of classes in a category can also be collapsed into a label, as another example (e.g. a large list of OT protocols in the Network category).

Delete once you have confirmed the following:

  1. Did you add a single line summary of changes to Unreleased section in the CHANGELOG.md file?

@pagbabian-splunk
Removed the constraint from group_managenment.
a76f087 
Signed-off-by: Paul Agbabian <[email protected]>
@pagbabian-splunk
Merge branch 'main' of https://github.com/ocsf/ocsf-schema into main
cbe6ff6
@pagbabian-splunk
Merge branch 'main' of https://github.com/ocsf/ocsf-schema into main
d15e704
@pagbabian-splunk
Merge branch 'main' of https://github.com/ocsf/ocsf-schema into main
294a294
@pagbabian-splunk
Merge branch 'main' of https://github.com/ocsf/ocsf-schema into main
f2b1d72
@pagbabian-splunk
Merge branch 'main' of https://github.com/ocsf/ocsf-schema into main
7103620
@pagbabian-splunk
Merge branch 'main' of https://github.com/ocsf/ocsf-schema into main
b197e14
@pagbabian-splunk
Deprecated the email_url_activity and email_file_activity classes in …
5b68b7f 
…favor of an updated email_activity class.

Updated the email object to include domains, files, urls arrays.
Updated the email_activity class to add the message_trace_uid ID.
Updated the email_activity class to use the references[] for the Trace activity_id instead of the description URL.
Updated the email_activity class description to reflect its SMTP protocol and the possible URLs and files attachments.

Signed-off-by: Paul Agbabian <[email protected]>
@pagbabian-splunk
Added changed for PR ocsf#1259
df7fc18 
Signed-off-by: Paul Agbabian <[email protected]>
@pagbabian-splunk
removed the optional tag for email_uid as it was causing the validati…
e69358f 
…on to fail!!

Signed-off-by: Paul Agbabian <[email protected]>
@pagbabian-splunk
Relaxed the requirement of 'from' and 'to' to be recommended, and add…
8f2ac70 
…ed an at_least_one constraint on all the to and from attributes. Not all email logs have the 'to' and 'from' but must have at least those or 'smtp_to' and 'smtp_from' in the log.

Signed-off-by: Paul Agbabian <[email protected]>
@pagbabian-splunk
Added the constraint and relaxed requirement to the email object.
4e17230 
Signed-off-by: Paul Agbabian <[email protected]>
@pagbabian-splunk
Added a 'family' meta schema keyword for grouping of classes in a cat…
9b63ed2 
…egory. Updated the Discovery classes with their families of Query, Inventory, State.

Signed-off-by: Paul Agbabian <[email protected]>
@pagbabian-splunk
Reverted files from the email_update branch that were incorrectly added.
6932791 
Signed-off-by: Paul Agbabian <[email protected]>
@pagbabian-splunk
Removed file from branch erroneously included in the commit.
335dd6d 
Signed-off-by: Paul Agbabian <[email protected]>
@pagbabian-splunk
Merge branch 'main' of https://github.com/ocsf/ocsf-schema into event…
db8667c 
…_famil

Add back changes for the family keywords to conflicting classes for Discoveryy

Signed-off-by: Paul Agbabian <[email protected]>
@pagbabian-splunk
Merge branch 'main' of https://github.com/pagbabian-splunk/ocsf-schema
2bbeaca 
…into event_family
@pagbabian-splunk pagbabian-splunk added enhancement New feature or request framework Structures, conventions, requirements, data types, etc. non_breaking Non Breaking, backwards compatible changes metaschema v1.5.0 or later labels Feb 4, 2025
alanisaac
alanisaac reviewed Feb 4, 2025
View reviewed changes
Copy link
Contributor

@alanisaac alanisaac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor question: other categorization schemes in OCSF, like group and requirement for attributes are lower-case. Should family be as well? For this use case at least, it seems more like an enum than a description.

@pagbabian-splunk
Copy link
Contributor Author

Minor question: other categorization schemes in OCSF, like group and requirement for attributes are lower-case. Should family be as well? For this use case at least, it seems more like an enum than a description.

Yes, the intent was for it to be similar to group and requirement where the value is a string, rather than an enum. The difference is that for group and requirement the set of values are well known and limited, while for family it is more like a single phrase caption or short description, and a grouping function would need to be aware of that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alanisaac alanisaac alanisaac left review comments

@floydtree floydtree Awaiting requested review from floydtree floydtree is a code owner

@Aniak5 Aniak5 Awaiting requested review from Aniak5 Aniak5 is a code owner

@mikeradka mikeradka Awaiting requested review from mikeradka mikeradka is a code owner

@zschmerber zschmerber Awaiting requested review from zschmerber zschmerber is a code owner

@jonrau-at-queryai jonrau-at-queryai Awaiting requested review from jonrau-at-queryai jonrau-at-queryai is a code owner

@davemcatcisco davemcatcisco Awaiting requested review from davemcatcisco davemcatcisco is a code owner

At least 3 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
enhancement New feature or request framework Structures, conventions, requirements, data types, etc. metaschema non_breaking Non Breaking, backwards compatible changes v1.5.0 or later
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pagbabian-splunk @alanisaac