Open eliraz-levi opened 1 month ago
@mikeradka - thank you for your comments here.
I understand why the Entity Management class is a better mapping. Yet, it lacks access_list and access_mask; would you think it's a good idea to add them to the Entity Management class?
Furthermore, it lacks a list of managed_entity objects for cases where we access multiple objects at once. Replacing managed_entity by a list of managed_entity objects would result in a breaking change. How would you suggest addressing it?
An updated PR was created https://github.com/ocsf/ocsf-schema/pull/1105
The Windows Resource Activity class (201003) is not aligned with the fields present in Windows event 4662, "An operation was performed on an object": https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662. Windows event 4662 is an essential security event for detecting and investigating the DCSync attack, which is a very common attack in Active Directory environments: https://attack.mitre.org/techniques/T1003/006/.
Current gaps:
win_resource.uid.
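The issue and the comment above turn on the 4662 AccessMask and AccessList fields that the current OCSF mapping does not carry. The following added example (not code from the OCSF project or from the issue authors) decodes a constructed 4662 record into a normalized dict with both fields; the output key names (actor_sid, object, access_mask, access_list) are assumptions for illustration, not OCSF attribute names, and the rights table is the standard set of Active Directory object access rights.

```python
"""Decode Windows event 4662 access fields into a normalized record (added example)."""

# Active Directory object access rights as encoded in the 4662 AccessMask
# (the ADS_RIGHT_* bit values documented in the Windows SDK).
AD_RIGHTS = {
    0x1: "Create Child",
    0x2: "Delete Child",
    0x4: "List Contents",
    0x8: "Write Property Extended (Self)",
    0x10: "Read Property",
    0x20: "Write Property",
    0x40: "Delete Tree",
    0x80: "List Object",
    0x100: "Control Access",  # extended rights such as directory replication
    0x10000: "Delete",
    0x20000: "Read Control",
    0x40000: "Write DAC",
    0x80000: "Write Owner",
}


def decode_access_mask(mask):
    """Return (int mask, list of right names) for a 4662 AccessMask.

    Accepts the hex string form used by the event ("0x100") or an int. Bits
    outside AD_RIGHTS are kept as a hex string so nothing is silently dropped.
    """
    value = int(mask, 16) if isinstance(mask, str) else int(mask)
    names = [name for bit, name in AD_RIGHTS.items() if value & bit]
    unknown = value & ~sum(AD_RIGHTS)
    if unknown:
        names.append(hex(unknown))
    return value, names


def normalize_4662(event):
    """Map the raw 4662 fields onto a record that keeps both mask and list."""
    mask, rights = decode_access_mask(event["AccessMask"])
    return {
        "actor_sid": event["SubjectUserSid"],
        "object": {"type": event["ObjectType"], "name": event["ObjectName"]},
        "operation_type": event["OperationType"],
        "access_mask": mask,
        "access_list": rights,
    }


# Constructed sample event; the SID and GUIDs are placeholders, not real data.
SAMPLE_4662 = {
    "SubjectUserSid": "S-1-5-21-0-0-0-1106",
    "ObjectType": "%{00000000-0000-0000-0000-000000000001}",
    "ObjectName": "%{00000000-0000-0000-0000-000000000002}",
    "OperationType": "Object Access",
    "AccessMask": "0x100",
}
```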