v2 validation APIs are not handling enum arrays #96

Closed
rmouritzen-splunk opened this issue Jul 11, 2024 · 2 comments
Labels: bug (Something isn't working)

@rmouritzen-splunk
Contributor

Discussed in ocsf/ocsf-schema#1126

Originally posted by erikloman June 27, 2024
I am working on an OCSF producer and I found that the online tool /api/v2/validate to validate JSON against the schema produces an error related to malware[0].classification_ids. I think the JSON is correct but the JSON does not validate. Am I doing something wrong?

```json
{
  "activity_id": 1,
  "category_uid": 2,
  "class_uid": 2004,
  "time": 1719472279,
  "metadata": {
    "version": "1.2.0",
    "profiles": [ "security_control", "host" ],
    "product": {
      "name": "ByteJams Ranger",
      "uid": "9766fc71-4e12-492f-9962-421513f5a90b",
      "vendor_name": "ByteJams",
      "version": "1.0.1009.0",
      "feature": {
        "name": "anti_ransomware",
        "uid": "2e889cac-97da-40d0-81a5-543a4e264252",
        "version": "1.0"
      }
    }
  },
  "severity_id": 3,
  "status_id": 1,
  "type_uid": 200401,
  "action_id": 2,
  "disposition_id": 2,
  "attacks": [
    {
      "tactic": {
        "name": "Impact",
        "uid": "TA0040"
      },
      "technique": {
        "name": "Data Encrypted for Impact",
        "uid": "T1486"
      },
      "version": "1.4"
    }
  ],
  "malware": [
    {
      "classification_ids" : [ 10 ],
      "name": "Win32.Generic.Ransomware"
    }
  ],
  "device": {
    "hostname": "TEST-01",
    "uid": "1f3e49ee-db3c-4cc8-a9e6-4419eebe568c",
    "type_id": 2
  },
  "confidence_id": 3,
  "finding_info": {
    "analytic": {
      "name": "anti_ransomware",
      "type_id": 2,
      "version": "anti_ransomware",
      "uid": "2e889cac-97da-40d0-81a5-543a4e264252"
    },
    "title": "Suspicious ransomware behavior was blocked",
    "uid": "3f3e52cc-e208-473b-a59d-d558a06c9e44",
    "attacks": [
      {
        "tactic": {
          "name": "Impact",
          "uid": "TA0040"
        },
        "technique": {
          "name": "Data Encrypted for Impact",
          "uid": "T1486"
        },
        "version": "1.4"
      }
    ]
  }
}
```

I get the following error:

```json
"errors": [
    {
      "error": "attribute_enum_value_unknown",
      "message": "Unknown enum value at \"malware[0].classification_ids\"; value ~c\"\\n\" is not defined for enum \"classification_ids\".",
      "value": [
        10
      ],
      "attribute": "classification_ids",
      "attribute_path": "malware[0].classification_ids"
    }
  ]
```

Is this a problem with the schema or with the validator?

@rmouritzen-splunk rmouritzen-splunk transferred this issue from ocsf/ocsf-schema Jul 11, 2024
@rmouritzen-splunk rmouritzen-splunk added the bug Something isn't working label Jul 11, 2024
@rmouritzen-splunk rmouritzen-splunk self-assigned this Jul 11, 2024
@rmouritzen-splunk rmouritzen-splunk changed the title from "Malware object not validating" to "v2 validation APIs are not handling enum arrays" Jul 11, 2024
@rmouritzen-splunk
Contributor Author

The new v2 validation logic isn't handling arrays of enum values.
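
As an added example (not the ocsf-server code) of what correct handling looks like, the Python below checks array-typed enum attributes element by element and reports the same error fields as the message above; the schema slice, its enum members and the sample events are assumptions constructed for the example. The `~c"\n"` in the reported message is how Elixir prints the list `[10]` as a charlist, which is what you get when the whole array is looked up as a single enum value.

```python
# Added example, not ocsf-server code: element-wise enum checks for array-typed
# attributes such as malware[].classification_ids.
# Constructed schema slice; the enum members are assumed, not the real OCSF values.
SCHEMA = {
    "malware": {"classification_ids": {"is_array": True, "enum": {10, 20, 30}}},
    "device": {"type_id": {"is_array": False, "enum": {0, 1, 2}}},
}

def check_enum(attr, spec, value, path):
    """Return validation errors for one attribute value found at `path`."""
    if spec["is_array"]:
        if not isinstance(value, list):
            return [{"error": "attribute_wrong_type", "attribute_path": path}]
        candidates = value  # check each element, never the list as one value
    else:
        candidates = [value]
    errors = []
    for v in candidates:
        if v not in spec["enum"]:
            errors.append({
                "error": "attribute_enum_value_unknown",
                "message": f'Unknown enum value at "{path}"; value {v!r} '
                           f'is not defined for enum "{attr}".',
                "value": v,
                "attribute": attr,
                "attribute_path": path,
            })
    return errors

def validate(event):
    """Walk the event's top-level objects (single or arrays) and collect enum errors."""
    errors = []
    for obj_name, attrs in SCHEMA.items():
        objs = event.get(obj_name)
        if objs is None:
            continue
        # Object arrays (malware[]) get an index in the path; singleton objects do not.
        indexed = enumerate(objs) if isinstance(objs, list) else [(None, objs)]
        for idx, obj in indexed:
            prefix = obj_name if idx is None else f"{obj_name}[{idx}]"
            for attr, spec in attrs.items():
                if attr in obj:
                    errors += check_enum(attr, spec, obj[attr], f"{prefix}.{attr}")
    return errors

# Constructed samples: the reported malware entry passes, a bad element does not.
GOOD = {"malware": [{"classification_ids": [10], "name": "Win32.Generic.Ransomware"}]}
BAD = {"malware": [{"classification_ids": [10, 99]}], "device": {"type_id": 7}}
```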

@rmouritzen-splunk
Contributor Author

Fixed at version 2.71.1
