
Are profile #includes optional? #25

Closed
davaya opened this issue Oct 10, 2022 · 1 comment

Comments


davaya commented Oct 10, 2022

The documentation says:

Profiles overlay additional related attributes into event classes and objects allowing for cross-category event class augmentation and filtering. Event classes register for profiles which can be optionally applied, or mixed into event classes and objects, by a producer or mapper.

The system event is:

```json
{
  "attributes": {
    "$include": [
      "profiles/host.json",
      "profiles/user.json",
      "profiles/malware.json"
    ],
    "device": {
      "group": "primary",
      "requirement": "required",
      "profile": null
    },
    "actor_process": {
      "requirement": "required",
      "profile": null
    }
  }
}
```

The host profile is:

```json
{
  "attributes": {
    "device": {
      "requirement": "recommended"
    },
    "actor_process": {
      "requirement": "optional"
    }
  }
}
```

The $include directive seems to say that the host profile is always included in the system event, downgrading the device and actor_process attributes from required to not required. There are only two events that have properties modified by a profile: inventory and system, in both cases by the host profile. That raises the question of whether that is an error in the two events, or in the host profile. It seems strange that a system event would always require a device attribute except when operating under the host profile - wouldn't it make more sense to just make the device attribute always non-required regardless of profile?

Is there ever a circumstance in which the system event would not include the host (or user or malware) profile? If so, what controls whether $include directives are executed? The context is schema generation - it seems that a system event could include any attribute listed in the system event or any included profile. The expected behavior of producers and consumers seems ill-defined if the attributes permitted in an event are variable.

@davaya davaya changed the title Are profiles optional? Are profile #includes optional? Oct 10, 2022

davaya commented Oct 11, 2022

Roumen says: "The requirements defined in the profiles are the default requirements, however classes can overwrite the defaults and that is what we did for the system activity events."

Done and dusted.

@davaya davaya closed this as completed Oct 11, 2022
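As an added example (not OCSF's own schema tooling), here is a small Python resolver that expands a class's `$include` list under the merge rule quoted above: profile requirements are defaults, and the class's own attribute definitions override them. It also shows the opposite reading the issue worried about, where the profile overwrites the class. The in-memory schema files, the `class_overrides` switch and the `selected_profiles` argument are constructed assumptions for illustration.

```python
from copy import deepcopy

# Constructed stand-ins for the schema files named in the issue; the user and
# malware profile contents are invented, the host profile mirrors the issue text.
SCHEMA_FILES = {
    "profiles/host.json": {"attributes": {
        "device": {"requirement": "recommended"},
        "actor_process": {"requirement": "optional"}}},
    "profiles/user.json": {"attributes": {"user": {"requirement": "optional"}}},
    "profiles/malware.json": {"attributes": {"malware": {"requirement": "optional"}}},
}

SYSTEM_EVENT = {"attributes": {
    "$include": ["profiles/host.json", "profiles/user.json", "profiles/malware.json"],
    "device": {"group": "primary", "requirement": "required", "profile": None},
    "actor_process": {"requirement": "required", "profile": None},
}}


def resolve_attributes(event, files, selected_profiles=None, class_overrides=True):
    """Expand $include for one class and return the merged attribute table.

    selected_profiles=None overlays every listed profile; a list restricts the
    overlay to the profiles a producer chose to mix in (hypothetical knob).
    class_overrides=True is the rule quoted in the issue: profile values are
    defaults and the class's own definitions win. False models the misreading
    where the included profile downgrades the class's requirements.
    """
    attrs = event["attributes"]
    class_attrs = {k: v for k, v in attrs.items() if k != "$include"}
    profile_attrs = {}
    for path in attrs.get("$include", []):
        if selected_profiles is not None and path not in selected_profiles:
            continue
        for name, spec in files[path]["attributes"].items():
            profile_attrs.setdefault(name, {}).update(deepcopy(spec))
    # Whichever layer is applied last wins for keys present in both.
    first, last = (profile_attrs, class_attrs) if class_overrides else (class_attrs, profile_attrs)
    resolved = {}
    for layer in (first, last):
        for name, spec in layer.items():
            resolved.setdefault(name, {}).update(deepcopy(spec))
    return resolved


def requirement(resolved, name):
    """Requirement level of one attribute in a resolved table."""
    return resolved[name]["requirement"]
```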