Comments (7)
We decided to leave the Cloud Activity class for now and we moved the virtual machine class to the System Activity category. Now we need to determine whether we need the storage event class or any other more specific cloud usage classes.
from ocsf-schema.
@floydtree and @paveljos what do y'all think of removing the cloud category and moving the various activities to different categories/classes?
1. Login activity could go here
2. IAM activity could go in here
3. Operational activity can go into various other classes/categories. As an example, ec2/emr/workspace events could go into the Virtual Machine Activity class.
We could potentially rename the Database activity category to Storage Activity and move the cloud storage activity event class under there.
from ocsf-schema.
Interesting thought; there is a lot to consider here. I agree with the idea that keeping the cloud category for a very small number of potential sources seems to be an anti-pattern. However, in terms of classes, I think the normalization of these events to those classes might be problematic and might make the overlap of "requirements" very thin. I'm still struck by the idea that we're really trying to normalize API calls with the sources that are in here currently. I'll run up some conversation and see if I can get some consensus.
from ocsf-schema.
I believe the most common use case is that analysts (human and software) will process CloudTrail and similar sources holistically, and will most likely not benefit from separating the source across different categories. However, this brings to mind the conversation we had with @jp-harvey recently on changing from a 1:many relationship between categories and classes to an approach more akin to tagging; that way, we could tag the cloud classes with all of these potential categories.
from ocsf-schema.
That is my concern too. From an analytics perspective you want to have all the data in one schema, especially when you want to detect users deviating from their historic pattern of life. It would be nice to be able to represent cloud api activity holistically as well as individually in more specific event classes (such as storage activity or virtual machine activity). Maybe it makes sense to move cloud storage activity to another category and just keep the generic cloud activity event class?
from ocsf-schema.
Sorry, I have been away for a couple of weeks. I don't think we would benefit from separating out different types of Cloud API events into different event classes for a few reasons.
- All these events will in the end need to have the same/very similar schema, as all the events look alike.
- As you both pointed out, from an analyst's perspective having a congruent schema for cloud api events would be more beneficial.
- Having the ability to filter out all Cloud API events using a single class_uid/name parameter from the entire dataset is a strong outcome of our current scheme. We wouldn't want to lose on that.
from ocsf-schema.
What do y'all think about renaming the database activity category to storage activity and moving the cloud storage event class into there? Would that break anything on your end?
from ocsf-schema.
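As an added illustration (not code from the ocsf-schema project or any commenter), here are constructed OCSF-shaped events showing the two views argued over in this thread: one class_uid predicate that selects all cloud API activity for holistic analytics, alongside a tag-style mapping that lists that single class under several categories instead of splitting it. All uids, field names and user names are placeholders chosen for the example.

```python
# Added example, not ocsf-schema code. Every uid below is a constructed
# placeholder, not a real OCSF identifier.
from collections import Counter

CLASS_CLOUD_API = 9001   # placeholder class_uid for "cloud API activity"
CATEGORY_CLOUD = 9       # placeholder category_uid for the cloud category

# Constructed, OCSF-shaped records: every cloud API call shares one class.
EVENTS = [
    {"class_uid": CLASS_CLOUD_API, "category_uid": CATEGORY_CLOUD,
     "api": {"service": "s3", "operation": "GetObject"}, "actor": {"user": "alice"}},
    {"class_uid": CLASS_CLOUD_API, "category_uid": CATEGORY_CLOUD,
     "api": {"service": "ec2", "operation": "RunInstances"}, "actor": {"user": "bob"}},
    {"class_uid": CLASS_CLOUD_API, "category_uid": CATEGORY_CLOUD,
     "api": {"service": "iam", "operation": "CreateUser"}, "actor": {"user": "alice"}},
    {"class_uid": 1001, "category_uid": 1,  # placeholder: a non-cloud class
     "api": None, "actor": {"user": "carol"}},
]

# Tag-style category mapping: one class can be listed under several
# categories, which is the alternative to moving classes between them.
CATEGORY_TAGS = {
    "identity": lambda e: bool(e["api"]) and e["api"]["service"] == "iam",
    "storage": lambda e: bool(e["api"]) and e["api"]["service"] == "s3",
    "virtual_machine": lambda e: bool(e["api"]) and e["api"]["service"] == "ec2",
}


def cloud_api_events(events):
    """Holistic view: a single class_uid predicate selects every cloud API event."""
    return [e for e in events if e["class_uid"] == CLASS_CLOUD_API]


def tag_categories(event):
    """Specific view: the set of category tags one event qualifies for."""
    return {tag for tag, pred in CATEGORY_TAGS.items() if pred(event)}


def pattern_of_life(events):
    """Per-user operation counts over all cloud API events, the kind of
    baseline the thread says needs the data in one schema."""
    return Counter((e["actor"]["user"], e["api"]["operation"])
                   for e in cloud_api_events(events))
```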