Proposal for reserved attributes #134

rroupski · 2022-08-04T19:04:47Z

rroupski
Aug 4, 2022
Maintainer

This vote is about defining a list of reserved attributes that must not be used by the event producers.

_time: timestamp_t, required
The normalized event occurrence time. Normalized time means the original event time ref_time was corrected for the clock skew and it was converted to the OCSF timestamp_t.
_uid: string, required
The unique identifier of an event instance. The attribute is used in the metadata object: metadata._uid.
_raw_data: string, optional
The event data as received from the event source. This attribute must be used when events are translated from some other that OCSF format. If the event is created using the OCSF schema, then the _raw_data must not be used.

Please vote Yes (agree with the proposed list) or No (needs more discussions)

Yes (agree with the proposed list)

100%

No (needs more discussions)

0%

5 votes

paveljos · 2022-08-04T19:27:13Z

paveljos
Aug 4, 2022
Collaborator

To clarify, _uid is the new base_event field for base_event.type_uid or what is currently in metadata.uid? I just want to ensure we are not implying a system generated uuid for each event record.

1 reply

rroupski Aug 4, 2022
Maintainer Author

We are implying a system generated uuid for each event record. This vote is for the metadata._uid

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Proposal for reserved attributes #134

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Proposal for reserved attributes #134

rroupski Aug 4, 2022 Maintainer

Replies: 1 comment · 1 reply

paveljos Aug 4, 2022 Collaborator

rroupski Aug 4, 2022 Maintainer Author

rroupski
Aug 4, 2022
Maintainer

Replies: 1 comment 1 reply

paveljos
Aug 4, 2022
Collaborator

rroupski Aug 4, 2022
Maintainer Author