Examine and clarify the desired behavior of overlaying profiles on existing attributes #977
Labels
documentation
Improvements or additions to documentation
framework
Structures, conventions, requirements, data types, etc.
Background
In OCSF's schema definition files, there is the concept of a profile. As documented here, a profile is akin to an overlay or mixin:
As described further on in the documentation, classes may explicitly declare attributes that overlap with a profile. The described behavior is that the class defined attribute requirement (e.g.
required
,recommended
,optional
) takes precedence over that of the profile:As discussed in the working group call on 03/05/2024, this behavior may or may not be desired. Specifically, it was not clear if a profile with a more restrictive requirement should be overridden by an explicitly declared attribute with a less restrictive requirement.
Examples
1. when a profile attribute is more restrictive than an event attribute
This can be seen in action today with the combination of the
rdp_activity
event in the network category and thehost
profile:host
profile as represented by the OCSF schema definition can be seen here: https://github.com/ocsf/ocsf-schema/blob/main/profiles/host.jsonNote how the
host
profile includes arecommended
device attribute, but therdp_activity
event includes a less restrictiveoptional
device attribute.On the schema server, the "device" attribute is not shown unless the
host
profile is active, and when the profile is active, it is shown with the less restrictiveoptional
requirement.2. when a profile attribute is less restrictive than an event attribute
This can be seen in several cases, but here we'll use the same
host
profile and thepatch_state
event in the discovery category:host
profile as represented by the OCSF schema definition can again be seen here: https://github.com/ocsf/ocsf-schema/blob/main/profiles/host.jsonNote how the
host
profile includes arecommended
device attribute, but thepatch_state
event includes a more restrictiverequired
device attribute.On the schema server, the "device" attribute is shown with the more restrictive
required
regardless of whether thehost
profile is active. When the profile is active, interestingly the additionalactor
attribute from the profile does not seem to appear.To Do
The above behavior in the OCSF schema server does conform to what is stated in the documentation, in a way: the
requirement
of the event is always preferred over therequirement
of the profile. However, there does seem to be some inconsistency on whether attributes exist or not based on whether the profile is applied. Why doesn't thedevice
attribute exist onrdp_activity
without thehost
profile applied, and why does theactor
attribute not exist onpatch_state
when it is?The text was updated successfully, but these errors were encountered: