Originally posted by **erikloman** June 27, 2024
I am working on an OCSF producer and found that the online validation tool [/api/v2/validate](https://schema.ocsf.io/doc/index.html#/Tools/SchemaWeb_SchemaController_validate2) reports an error related to `malware[0].classification_ids` when I validate my JSON against the schema. I believe the JSON is correct, but it does not validate. Am I doing something wrong?
```
{
"activity_id": 1,
"category_uid": 2,
"class_uid": 2004,
"time": 1719472279,
"metadata": {
"version": "1.2.0",
"profiles": [ "security_control", "host" ],
"product": {
"name": "ByteJams Ranger",
"uid": "9766fc71-4e12-492f-9962-421513f5a90b",
"vendor_name": "ByteJams",
"version": "1.0.1009.0",
"feature": {
"name": "anti_ransomware",
"uid": "2e889cac-97da-40d0-81a5-543a4e264252",
"version": "1.0"
}
}
},
"severity_id": 3,
"status_id": 1,
"type_uid": 200401,
"action_id": 2,
"disposition_id": 2,
"attacks": [
{
"tactic": {
"name": "Impact",
"uid": "TA0040"
},
"technique": {
"name": "Data Encrypted for Impact",
"uid": "T1486"
},
"version": "1.4"
}
],
"malware": [
{
"classification_ids" : [ 10 ],
"name": "Win32.Generic.Ransomware"
}
],
"device": {
"hostname": "TEST-01",
"uid": "1f3e49ee-db3c-4cc8-a9e6-4419eebe568c",
"type_id": 2
},
"confidence_id": 3,
"finding_info": {
"analytic": {
"name": "anti_ransomware",
"type_id": 2,
"version": "anti_ransomware",
"uid": "2e889cac-97da-40d0-81a5-543a4e264252"
},
"title": "Suspicious ransomware behavior was blocked",
"uid": "3f3e52cc-e208-473b-a59d-d558a06c9e44",
"attacks": [
{
"tactic": {
"name": "Impact",
"uid": "TA0040"
},
"technique": {
"name": "Data Encrypted for Impact",
"uid": "T1486"
},
"version": "1.4"
}
]
}
}
```
I get the following error:
```
"errors": [
{
"error": "attribute_enum_value_unknown",
"message": "Unknown enum value at \"malware[0].classification_ids\"; value ~c\"\\n\" is not defined for enum \"classification_ids\".",
"value": [
10
],
"attribute": "classification_ids",
"attribute_path": "malware[0].classification_ids"
}
]
```
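The `~c"\n"` in the message appears to be the array `[10]` printed as a character list (10 is the code point for a newline), so it seems to refer to the same value I sent rather than a different one. Is this a problem with the schema or with the validator?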
Discussed in https://github.com/ocsf/ocsf-schema/discussions/1126