ocsf / ocsf-schema

OCSF Schema
Apache License 2.0

Recursive network_proxy object #996

Open overly-engineered opened 3 months ago

overly-engineered commented 3 months ago

The network proxy endpoint contains a reference to itself, a network proxy. This in itself is not a bad thing, as there could be multiple proxy endpoints tied together; however, other places in the schema where recursive referencing of this type occurs have warnings around how nested the data should be.

The ldap_person.manager field has a note to say this should only be applied once per event, the process.parent_process field has a similar note. The analytic.related_analytic field was deprecated as of v1, but it would have faced the same issue.

Currently, as a consumer of OCSF, there is no way to reliably parse the network_proxy object without recursively mapping out every proxy, which becomes doubly difficult when attempting to index the object.
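One consumer-side way to cope with the self-reference described above is to walk the chain with a hard depth cap and emit fixed, index-friendly field names. The following is an added example, not code from the OCSF project or the issue author; it assumes the recursive attribute is called `proxy_endpoint` and that each hop carries `ip`, `port` and `hostname`.

```python
# Bounded flattening of a chain of OCSF network_proxy objects (added example).
# Assumptions, not from the issue: the self-reference is a field named
# "proxy_endpoint" and each hop carries ip, port and hostname.
from typing import Any

# Consumer-side cap, like the apply-once notes on ldap_person.manager.
MAX_PROXY_DEPTH = 3
HOP_FIELDS = ("ip", "port", "hostname")


class ProxyChainError(ValueError):
    """Raised when an in-memory proxy chain refers back to itself."""


def flatten_proxy_chain(endpoint: dict[str, Any],
                        max_depth: int = MAX_PROXY_DEPTH) -> dict[str, Any]:
    """Return index-friendly keys proxy.<n>.<field> for hops 1..n.

    Hops beyond max_depth are dropped and proxy.truncated is set, so the
    consumer gets a fixed set of field names regardless of chain length.
    """
    flat: dict[str, Any] = {}
    seen_ids: set[int] = set()
    hop = endpoint.get("proxy_endpoint")
    depth, truncated = 0, False
    while isinstance(hop, dict):
        if id(hop) in seen_ids:
            raise ProxyChainError("proxy_endpoint chain refers back to itself")
        seen_ids.add(id(hop))
        if depth == max_depth:
            truncated = True  # chain continues, but we stop mapping it
            break
        depth += 1
        for field in HOP_FIELDS:
            if field in hop:
                flat[f"proxy.{depth}.{field}"] = hop[field]
        hop = hop.get("proxy_endpoint")
    flat["proxy.depth"] = depth
    flat["proxy.truncated"] = truncated
    return flat


# Constructed sample endpoint with a two-hop proxy chain (not from the issue).
SAMPLE_ENDPOINT: dict[str, Any] = {
    "ip": "203.0.113.10", "port": 443,
    "proxy_endpoint": {
        "ip": "198.51.100.5", "port": 3128,
        "proxy_endpoint": {"ip": "192.0.2.7", "port": 8080, "hostname": "edge-proxy"},
    },
}
```

Calling `flatten_proxy_chain(SAMPLE_ENDPOINT)` yields `proxy.1.*` and `proxy.2.*` keys plus `proxy.depth` and `proxy.truncated`, which an indexer can map statically.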

pagbabian-splunk commented 3 months ago

Thanks! Good observation - we want to avoid recursive definitions where possible but where we cannot, we SHOULD always at least indicate caution with a warning. We can add the warning and modify the description.