Proposal for Event Producer

[jc-sumo]

There needs to be a clear and consistent place for information to determines the original source of an OCSF event, AKA "What is the thing that made the log called?". This would exist within the base event and apply to all OCSF events regardless of category and class.

Note: In all options except 1 and 5, product is removed from the base event. In all cases product remains an object, only placement and usage changes in any proposal.

1. metadata.product
   Move product object inside of metadata object. Moving it into the metadata object makes a clear distinction that it is intended to describe information about a log vs information from a log. It has the following attributes, only vendor needs to be added:

• Feature (Optional)
• Language (Recommended)
• Product ID (Recommended)
• Product Name (Required)
• Product Vendor (Required)
• Product Path (Optional)
• Product Version (Recommended)

2. metadata.producer
   Introduce producer object in addition to the existing product object, would exist within metadata, while product would be removed. Distinguished by the producer being the source of an event, while product is for information about a product from within a log. E.g. EDR providing information about which product, version, vendor etc. a process belongs to. producer would have the following attributes:

• Language (Recommended)
• Producer ID (Recommended)
• Producer Name (Required)
• Producer Vendor (Required)
• Producer Version (Recommended)

3. origin.attributes
   Individual attributes within Origin object instead of a separate object.

• Origin Name
• Origin Vendor
• Origin Version
• Origin ID
• Origin Language

4. metadata.source
   Identical to proposal 2 except it uses the word source instead of `producer'.

5. origin.product
   Same as 1, but places product within origin object.

6. origin.producer
   Same as 2, but places producer within origin object.

[jp-harvey]

Suggestion: the thing that collects the log from the origin is the earliest timestamped entry in an array called something like history, and that the origin defines where the data originally came from, something a little like:

{
    "metadata": {
        "origin": "WindowsEventLog",
        "history": [
            {
                "time": "2022-08-08T14:00:00Z",
                "id": "7f36b7d2-7b34-4237-9a65-3e5ecf2e1059",
                "product": "Splunk Universal Forwarder",
                "version": "1.88"
            },
            {
                "time": "2022-08-08T14:01:00Z",
                "id": "1eadc0cd-9d25-4dba-96b4-58e9a3ecea74",
                "product": "Splunk Relay",
                "version": "1.4"
            }
        ]
    }
}