Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User object definition fix #807

Merged
merged 2 commits into from
Oct 2, 2023
Merged

User object definition fix #807

merged 2 commits into from
Oct 2, 2023

Conversation

floydtree
Copy link
Contributor

@floydtree floydtree commented Oct 2, 2023
edited
Loading

Related Issue: None

Description of changes: non-breaking

  1. The user object's definition contained a erroneous property for the name attribute, cleaning that up.
    • per @mikeradka this might be intentional to allow functionality of observables, adding it back out of caution. We should confirm this and add a section in the contribution guide to explain this behavior.
  2. Adding explicit requirement property where missing.

@floydtree
user object definition fix
2782370 
Signed-off-by: Rajas <rajaspa@amazon.com>
@floydtree floydtree added bug Something isn't working non_breaking Non Breaking, backwards compatible changes labels Oct 2, 2023
Aniak5
Aniak5 previously approved these changes Oct 2, 2023
View reviewed changes
Copy link
Contributor

@Aniak5 Aniak5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mikeradka
Copy link
Contributor

mikeradka commented Oct 2, 2023
edited
Loading

I am not sure this is erroneous. There is a chance that this could be breaking for those using observables. I think username_t is there because it is an observable type, which is used for identifying & generating observables.

image

I believe that in this link: https://schema.ocsf.io/1.0.0/data_types?extensions=, all of the data types that contain an O at the end are what causes an object to be identified as an observable (for example, file_hash_t, file_name_t) - compare those to the 'observables' type_id enum: https://schema.ocsf.io/1.0.0/objects/observable?extensions=

image

A practical example: I believe the OCSF translator looks at the datatype, and when the datatype of a given object matches an observable type, it identifies that object as an observable.

@floydtree
Copy link
Contributor Author

Interesting, if that's the case it should be documented in the contribution guide, do you mind adding a section for how to define observables or something similar? @mikeradka
Out of caution, I am adding that property back to the object.

@floydtree
adding type property back to an attribute
2628cce 
Signed-off-by: Rajas <rajaspa@amazon.com>
@floydtree floydtree requested a review from Aniak5 October 2, 2023 17:28
@mikeradka
Copy link
Contributor

mikeradka commented Oct 2, 2023
edited
Loading

Interesting, if that's the case it should be documented in the contribution guide, do you mind adding a section for how to define observables or something similar? @mikeradka Out of caution, I am adding that property back to the object.

Great minds think alike, my friend. I was just digging into the docs to see if it is specified anywhere. Thanks for adding it back - we definitely don't want to break use of observables.

I am spinning up some local tests on my side to cover observable datatypes/generation more thoroughly. Once I better wrap my head around it i'll be sure to add to our docs! Tracking in the docs repo here: ocsf/ocsf-docs#32

@mikeradka mikeradka mentioned this pull request Oct 2, 2023
Open
@mikeradka mikeradka merged commit 6c0261c into ocsf:main Oct 2, 2023
1 check passed
@floydtree floydtree deleted the user-fix branch October 3, 2023 14:14
@pagbabian-splunk pagbabian-splunk added the v1.1.0 Changes marked for v1.1.0 of OCSF label Jan 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Aniak5 Aniak5 Aniak5 approved these changes

@mikeradka mikeradka mikeradka approved these changes

@irakledibm irakledibm irakledibm approved these changes

@jasonbreimer jasonbreimer Awaiting requested review from jasonbreimer

Assignees
No one assigned
Labels
bug Something isn't working non_breaking Non Breaking, backwards compatible changes v1.1.0 Changes marked for v1.1.0 of OCSF
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@floydtree @mikeradka @Aniak5 @irakledibm @pagbabian-splunk