Open overly-engineered opened 3 months ago
Thanks! Good observation - we want to avoid recursive definitions where possible but where we cannot, we SHOULD always at least indicate caution with a warning. We can add the warning and modify the description.
The network proxy endpoint contains a reference to itself, a network proxy. This in itself is not a bad thing, as there could be multiple proxy endpoints tied together; however, other places in the schema where recursive referencing of this type occurs have warnings around how nested the data should be.
The ldap_person.manager field has a note to say this should only be applied once per event; the process.parent_process field has a similar note. The analytic.related_analytic field was deprecated as of v1, but it would have faced the same issue.

Currently, as a consumer of OCSF, there is no way to reliably parse the network_proxy object without recursively mapping out every proxy, which becomes doubly difficult when attempting to index the object.
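The parsing and indexing problem raised in this issue, as an added example (not code from the issue author or the OCSF project): a consumer-side walker that flattens a self-referencing proxy object into a fixed-width list without recursion and flags chains it had to cut. The nested key name `proxy_endpoint`, the depth cap of 4, and the sample addresses are assumptions made for illustration.

```python
MAX_PROXY_DEPTH = 4  # assumed consumer-side cap; the schema itself sets none


def flatten_proxy_chain(endpoint, nested_key="proxy_endpoint",
                        max_depth=MAX_PROXY_DEPTH):
    """Walk a self-referencing proxy object iteratively.

    Returns (hops, truncated). hops is a flat list of dicts, one per proxy,
    with the nested key removed and a 'hop' index added, so an indexer sees
    a bounded array instead of an arbitrarily deep mapping. truncated is
    True when the chain was deeper than max_depth and the rest was dropped.
    """
    hops = []
    current = endpoint
    # A loop instead of recursion: attacker- or bug-supplied nesting depth
    # cannot exhaust the interpreter stack.
    while isinstance(current, dict):
        if len(hops) >= max_depth:
            return hops, True
        hop = {k: v for k, v in current.items() if k != nested_key}
        hop["hop"] = len(hops)
        hops.append(hop)
        current = current.get(nested_key)
    return hops, False


def build_chain(depth):
    """Construct a nested sample object `depth` proxies deep (test data)."""
    node = None
    for i in range(depth, 0, -1):
        outer = {"ip": f"10.0.0.{i % 250 + 1}", "port": 3128}
        if node is not None:
            outer["proxy_endpoint"] = node
        node = outer
    return node


if __name__ == "__main__":
    hops, truncated = flatten_proxy_chain(build_chain(3))
    print(len(hops), truncated, [h["ip"] for h in hops])
    hops, truncated = flatten_proxy_chain(build_chain(5000))
    print(len(hops), truncated)
```

The `truncated` flag is worth indexing alongside the hops so that events with an unusually deep proxy chain remain searchable after the cut.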