adding status_id IDs #1076
adding status_id IDs #1076
Conversation
Signed-off-by: SashaSelin <145011693+SashaSelin@users.noreply.github.com>
Signed-off-by: SashaSelin <145011693+SashaSelin@users.noreply.github.com>
Hello Team, I would like to add more status_id captions, Thanks! Signed-off-by: Sasha Selin sasha.selin@cyrebro.io Signed-off-by: SashaSelin <145011693+SashaSelin@users.noreply.github.com>
Improved Base Event [0] Class (status_id) Signed-off-by: SashaSelin <145011693+SashaSelin@users.noreply.github.com>
SashaSelin
requested review from
floydtree,
pagbabian-splunk,
Aniak5,
mikeradka and
zschmerber
as code owners
|
Can you provide some context on how these new enum items will be used? Throughout ocsf |
|
Hi Rajas,
Thank you for being able to address the pull-request so quickly.
Status “disable/enable” is very common when it comes to FortiGate logs, especially where the subtype=”system” and action=”add”.
The “status” field on this type of logs are represent the “cfgattr” (Configuration value changed) status.
Raw log for example:
<118>date=2024-05-01 time=11:43:38 devname="Test for OCSF" devid="FG11256985563" eventtime=1714553018203018280 tz="+0300" logid="0100044547" type="event" subtype="system" level="information" vd="North" logdesc="Object attribute configured" user="SashaS" ui="GUI(192.168.190.54)" action="Add" cfgtid=10691505 cfgpath="firewall.policy" cfgobj="136" cfgattr="status[disable]srcintf[OCSF-Test]dstintf[OCSF-Test]srcaddr[Sasha-selin-ocsf-test]dstaddr[Sasha-selin]srcaddr6[]dstaddr6[]src-vendor-mac[]action[accept]schedule[always]service[RDP]groups[]users[]fsso-groups[]comments[ (Copy of 148)]custom-log-fields[]" msg="Add firewall.policy 136"
Please let me know if you have any questions or need any further information.
Best Regards,
***@***.***
Sasha Selin
Content Engineer
P: +972-722-799-909
e: ***@***.******@***.***>
w: https://www.cyrebro.io<https://cas5-0-urlprotect.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fwww.cyrebro.io&umid=c2711d6a-3fad-4865-87f1-0ce65f494866&auth=a99fe77bcab56e98367c062a968e80bb592e7fd1-e507592bdd49e97cf1bab98941c87cc5573c5e99>
Follow us
***@***.***<https://www.linkedin.com/company/cyberhat/?viewAsMember=true> ***@***.*** <https://twitter.com/cyrebro_io> ***@***.*** <https://www.facebook.com/Cyrebro/?view_public_for=475376792647012>
From: Rajas ***@***.***>
Sent: Tuesday, 7 May 2024 18:46
To: ocsf/ocsf-schema ***@***.***>
Cc: Sasha Selin ***@***.***>; Author ***@***.***>
Subject: Re: [ocsf/ocsf-schema] adding status_id IDs (PR #1076)
Can you provide some context on how these new enum items will be used? Throughout ocsf status attributes have been used to represent result of an activity, whereas enable/disable sound like activities themselves. Some context around the use-case will help move this along.
—
Reply to this email directly, view it on GitHub<#1076 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BCSLH3JAKJAQBK5GVLGOTL3ZBDZMXAVCNFSM6AAAAABHKX2CR2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJYG43TEOBTGQ>.
You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>
|
|
I think |
|
This came up recently elsewhere - @SashaSelin note that there is also a Although Fortigate logs might be using the name Enable/Disable would be verbs which as mentioned would normally be actions/activities, the result of which would usually be Success/Failure.
In this case, as one option, the activity might be 'configuration changed'; the status would be Success, and the state would be Enabled. I noticed that we don't have any Enabled/Disabled states that I could see, and therefore @SashaSelin if you know what class you would be using, the |
|
Hi team,
Thank you for your answer,
Since we will use it to describe the new state of the configuration of FortiGate (and any other service/system), I think we will use the application_lifecycle class (feel free to correct me if you think we should use another class here).
In order to use it correctly, ill glad if you can add state to this class since we agreed that status is incorrect option :)
Please let me know if you need me to edit this pull request/open another pull request.
And again, thank you for your help!
Sasha Selin,
Content Engineer
Cyrebro
From: Paul Agbabian ***@***.***>
Sent: Friday, 17 May 2024 19:09
To: ocsf/ocsf-schema ***@***.***>
Cc: Sasha Selin ***@***.***>; Mention ***@***.***>
Subject: Re: [ocsf/ocsf-schema] adding status_id IDs (PR #1076)
Although Fortigate might be using the name status for this, in OCSF, for better or worse, we have tried to keep status the result of an activity that was performed.
This came up recently elsewhere - @SashaSelin<https://github.com/SashaSelin> note that there is also a state_id and state sibling for the state of something independent of action, activity or lifecycle. Note there are also specialized *_state attributes too in certain cases.
Enable/Disable would be verbs which as mentioned would normally be actions/activities, the result of which would usually be Success/Failure. status_id can be overridden as it is in the Finding classes, but there status_id follows the lifecycle of the Finding.
(Configuration value changed) status
In this case, as one option, the activity might be 'configuration changed'; the status would be Success, and the state would be Enabled.
—
Reply to this email directly, view it on GitHub<#1076 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BCSLH3PH7BA7MFSK7FDCMWLZCYTR5AVCNFSM6AAAAABHKX2CR2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMJXHEZDKOJTGU>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Related Issue:
Missing enable/disable status Ids
Description of changes:
added status id's to status_id in dictionary.
Signed-off-by: Sasha Selin (Cyrebro) (sasha.selin@cyrebro.io)