You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Background:
OCSF needs a unified place to identify a data source. Previously, OCSF implementations utilized origin.product for certain types of data, but origin.cloud.service for others. For this essential, central, identification mechanism, OCSF would benefit from a unified path.
Cascading proposals:
These are stand-alone considerations that, when considered holistically, should address the whole proposal of identifying source data. This is NOT intended to represent other logging facilities that may be a part of the transmission of the log (log scrapers, forwarders, parsers, proxies, etc.); these fields are meant to provide a universal path for data that identifies the VENDOR of the data provided and the TYPE of data provided; e.g.,
While it is certain that there are scenarios where this may be challenging (e.g., when a 3rd party gathers raw data about Windows processes - that could conceivably be a vendor of "Microsoft" or the 3rd party), these fields should allow for the data that conforms to this schema to be identified.
Open questions:
Is it fair to expect ALL data to be represented in OCSF to have a vendor and a name?
Is there a desire to extend an enum for vendors/names? (HTTP Access Log vs. httpd_access)
Future considerations (acknowledged, but not in scope for this proposal):
Do we want to provide a place in the schema for data transmission to be logged? e.g., ETL timestamps, log forwarder(s), etc.
This poll should be considered simultaneously with the polls with the same title.
Is this data best classified as meta data or not? A general rule of thumb is that if data comes from a log, it does not get directly mapped to metadata. In regards to these fields, some data sources self-identify, and some do not.
METADATA:
{
"metadata": {
"NAME OF OBJECT FROM SECONDARY PROPOSAL": {
"vendor_name": # placeholder names
"product_name":
"version"
}
}
}
A unique object included in the base_event:
{
"metadata": {},
"origin / product / producer / NAME OF OBJECT FROM SECONDARY PROPOSAL": {}
}
Standalone fields in the base event (example names only):
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Background:
OCSF needs a unified place to identify a data source. Previously, OCSF implementations utilized origin.product for certain types of data, but origin.cloud.service for others. For this essential, central, identification mechanism, OCSF would benefit from a unified path.
Cascading proposals:
These are stand-alone considerations that, when considered holistically, should address the whole proposal of identifying source data. This is NOT intended to represent other logging facilities that may be a part of the transmission of the log (log scrapers, forwarders, parsers, proxies, etc.); these fields are meant to provide a universal path for data that identifies the VENDOR of the data provided and the TYPE of data provided; e.g.,
While it is certain that there are scenarios where this may be challenging (e.g., when a 3rd party gathers raw data about Windows processes - that could conceivably be a vendor of "Microsoft" or the 3rd party), these fields should allow for the data that conforms to this schema to be identified.
Open questions:
Is it fair to expect ALL data to be represented in OCSF to have a vendor and a name?
Is there a desire to extend an enum for vendors/names? (HTTP Access Log vs. httpd_access)
Future considerations (acknowledged, but not in scope for this proposal):
Do we want to provide a place in the schema for data transmission to be logged? e.g., ETL timestamps, log forwarder(s), etc.
This poll should be considered simultaneously with the polls with the same title.
Is this data best classified as meta data or not? A general rule of thumb is that if data comes from a log, it does not get directly mapped to metadata. In regards to these fields, some data sources self-identify, and some do not.
9 votes ·
Beta Was this translation helpful? Give feedback.
All reactions