rmouritzen-splunk
commented
3 months ago This behavior is "as-expected" (I'm pretty sure) because you the "Test Profile" (profile test) is part of the "Test extension" (extension test). The equivalent in the core schema is the "Linux Extension" (linux) that adds the "Linux Users" profile (linux_users). This is the only case in the core schema that uses a "patching" style extends. It's weird.
You can see this effect more clearly on the "Profiles" page (http://localhost:8080/profiles?extensions=). With no extensions enabled, only the core schema profiles are shown. If you click on the "Linux (1)" and/or your "Test extension", you'll see the related profiles pop up.
Over on the "Device Inventory Info" page (http://localhost:8080/classes/inventory_info?extensions=) to see your profile, you need to click both the "Test extension" checkbox under the "Extensions" and then click the "Test Profile" checkbox. With both checked, you'll see the "My Object" attribute.
A similar thing exists for the "Process" object page, which is "patched" by the Linux extension to add the linux/linux_users profile to the object. To see the linux_users profile attributes, you need to click both the "Linux" extension checkbox and the "Linux" profile checkbox.
It's a bit complicated, but then so are the extension and profile concepts. I'll leave this open for a while to see if this makes sense and in case I'm not fully understanding your example.
The situation is a bit complex so I have created a reproducer here.
parent_objectin OCSF server, I see themy_objectattribute as expectedmy_objectattribute to a profileparent_objectonly if I select the Test Profile. This is unexpected the Parent Object should not be influenced by the profile in any way.Surprisingly enough, the same situation is in OCSF core with "device" that is used in "logger" object and in the "host" profile, but it works as expected there 🤷♂️