ocsf / ocsf-server

OCSF Schema WEB Server
https://schema.ocsf.io/
Apache License 2.0

v2 validation APIs are not handling enum arrays #96

Closed rmouritzen-splunk closed 3 months ago

rmouritzen-splunk commented 3 months ago

Discussed in https://github.com/ocsf/ocsf-schema/discussions/1126

Originally posted by **erikloman** June 27, 2024

I am working on an OCSF producer and I found that the online tool [/api/v2/validate](https://schema.ocsf.io/doc/index.html#/Tools/SchemaWeb_SchemaController_validate2) to validate JSON against the schema produces an error related to malware[0].classification_ids. I think the JSON is correct but the JSON does not validate. Am I doing something wrong?

```
{
  "activity_id": 1,
  "category_uid": 2,
  "class_uid": 2004,
  "time": 1719472279,
  "metadata": {
    "version": "1.2.0",
    "profiles": [ "security_control", "host" ],
    "product": {
      "name": "ByteJams Ranger",
      "uid": "9766fc71-4e12-492f-9962-421513f5a90b",
      "vendor_name": "ByteJams",
      "version": "1.0.1009.0",
      "feature": {
        "name": "anti_ransomware",
        "uid": "2e889cac-97da-40d0-81a5-543a4e264252",
        "version": "1.0"
      }
    }
  },
  "severity_id": 3,
  "status_id": 1,
  "type_uid": 200401,
  "action_id": 2,
  "disposition_id": 2,
  "attacks": [
    {
      "tactic": { "name": "Impact", "uid": "TA0040" },
      "technique": { "name": "Data Encrypted for Impact", "uid": "T1486" },
      "version": "1.4"
    }
  ],
  "malware": [
    {
      "classification_ids": [ 10 ],
      "name": "Win32.Generic.Ransomware"
    }
  ],
  "device": {
    "hostname": "TEST-01",
    "uid": "1f3e49ee-db3c-4cc8-a9e6-4419eebe568c",
    "type_id": 2
  },
  "confidence_id": 3,
  "finding_info": {
    "analytic": {
      "name": "anti_ransomware",
      "type_id": 2,
      "version": "anti_ransomware",
      "uid": "2e889cac-97da-40d0-81a5-543a4e264252"
    },
    "title": "Suspicious ransomware behavior was blocked",
    "uid": "3f3e52cc-e208-473b-a59d-d558a06c9e44",
    "attacks": [
      {
        "tactic": { "name": "Impact", "uid": "TA0040" },
        "technique": { "name": "Data Encrypted for Impact", "uid": "T1486" },
        "version": "1.4"
      }
    ]
  }
}
```

I get the following error:

```
"errors": [
  {
    "error": "attribute_enum_value_unknown",
    "message": "Unknown enum value at \"malware[0].classification_ids\"; value ~c\"\\n\" is not defined for enum \"classification_ids\".",
    "value": [ 10 ],
    "attribute": "classification_ids",
    "attribute_path": "malware[0].classification_ids"
  }
]
```

Is this a problem with the schema or with the validator?
rmouritzen-splunk commented 3 months ago

The new v2 validation logic isn't handling arrays of enum values.
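For illustration, an added example (not code from the ocsf-server project) of an enum check that treats a `*_ids` attribute as an array and validates each element, rather than the whole list as one value; the `~c"\n"` in the reported error is how Elixir prints the list `[10]` as a charlist, which is what the single-value check saw. The enum table and sample event are constructed for the example and key enums by attribute name only, a simplification of the real schema, where the enum depends on the object type.

```python
from __future__ import annotations
from typing import Any

# Constructed enum table (illustrative subset, not the OCSF schema):
# attribute name -> allowed integer values.
ENUMS: dict[str, set[int]] = {
    "classification_ids": {0, 1, 2, 10, 99},
    "type_id": {0, 1, 2, 3, 99},
    "severity_id": {0, 1, 2, 3, 4, 5, 6, 99},
}

def validate_enums(obj: Any, path: str = "") -> list[dict]:
    """Walk a JSON-like event and report enum values the table does not define.

    A "*_ids" attribute holds an array of enum values, so each element is
    checked on its own; a valid [10] yields no error instead of the array
    itself being compared against the enum as a single value.
    """
    errors: list[dict] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key in ENUMS:
                values = value if isinstance(value, list) else [value]
                for v in values:
                    if v not in ENUMS[key]:
                        errors.append({"error": "attribute_enum_value_unknown",
                                       "attribute": key,
                                       "attribute_path": child,
                                       "value": v})
            else:
                errors.extend(validate_enums(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            errors.extend(validate_enums(item, f"{path}[{i}]"))
    return errors

# Constructed sample: the shape of the event in the issue, shortened.
SAMPLE_EVENT = {
    "severity_id": 3,
    "malware": [{"classification_ids": [10], "name": "Win32.Generic.Ransomware"}],
    "device": {"hostname": "TEST-01", "type_id": 2},
}

if __name__ == "__main__":
    print(validate_enums(SAMPLE_EVENT))  # []
```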

rmouritzen-splunk commented 3 months ago

Fixed at version 2.71.1