Skip to content

Issue-1306: Make Email Activity event class and email object more generic #1307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 25 commits into from
Jan 24, 2025
Merged

Issue-1306: Make Email Activity event class and email object more generic #1307

merged 25 commits into from
Jan 24, 2025

Conversation

Aniak5
Copy link
Contributor

@Aniak5 Aniak5 commented Jan 8, 2025
edited
Loading

Related Issue:

#1306

Description of changes:

  • Add protocol_name and command to email activity event class
  • Addto_mailboxes/from_mailbox/cc_mailboxes/delivered_to_list/reply_to_mailboxes to email object
  • Deprecate smpt_to/smtp_from/smtp_hello/delivered_to/reply_to
  • Update banner description to be more generic
image image

@Aniak5 Aniak5 added network_activity Issues related to Network Activity Category breaking Any breaking, non backwards compatible changes labels Jan 8, 2025
@Aniak5 Aniak5 self-assigned this Jan 8, 2025
@Aniak5 Aniak5 marked this pull request as draft January 8, 2025 17:56
Aniak5
Aniak5 commented Jan 8, 2025
View reviewed changes
Aniak5
Aniak5 commented Jan 8, 2025
View reviewed changes
@Aniak5 Aniak5 marked this pull request as ready for review January 10, 2025 15:48
@Aniak5 Aniak5 changed the title DRAFT: Make Email Activity event class and email object more generic Issue-1306: Make Email Activity event class and email object more generic Jan 10, 2025
@Aniak5
Copy link
Contributor Author

Aniak5 commented Jan 10, 2025

@JW-Corelight, @zschmerber @mikeradka do we want to add similar *_details fields for reply_to and delivered_to?

@JW-Corelight
Copy link
Contributor

It looks like you're right that both reply_to and delivered_to have the same issue - they can contain both the display name and the routable email address, so it make sense for them to have the *_details fields as well

@Aniak5 Aniak5 added non_breaking Non Breaking, backwards compatible changes and removed breaking Any breaking, non backwards compatible changes labels Jan 10, 2025
@JW-Corelight JW-Corelight self-requested a review January 10, 2025 19:46
JW-Corelight
JW-Corelight previously approved these changes Jan 10, 2025
View reviewed changes
floydtree
floydtree reviewed Jan 13, 2025
View reviewed changes
@floydtree floydtree added the v1.4.0 Changes marked for the upcoming version 1.4.0 label Jan 14, 2025
Aniak5
Aniak5 commented Jan 15, 2025
View reviewed changes
Aniak5
Aniak5 commented Jan 15, 2025
View reviewed changes
Aniak5
Aniak5 commented Jan 15, 2025
View reviewed changes
Aniak5
Aniak5 commented Jan 15, 2025
View reviewed changes
Aniak5 and others added 21 commits January 22, 2025 15:00
@Aniak5
Issue-1306: Replace 'an' with 'a'
722ff61 
Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Add to_details, from_details, cc_details to dictionary
3c8c5b0 
Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Add to_details, from_details, cc_details to email object
85eaa3d 
Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Update change log
e9d46d3 
Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Remove 'smtp_to/smtp_from' from constraints
9656e86 
Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Change banner group to primary
871ddba 
Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Revert group change
697105d 
Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Add 'reply_to_details' and 'delivered_to_details' to emai…
f85c06e 
…l object

Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
issue-1306: Rename 'cc/from/to/delivered_to/reply_to'_details to _mai…
5b3e2f7 
…lbox

Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
issue-1306: Update change log
3c428a0 
Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Update reference in protocol_name in network connection o…
3279b4f 
…bject

Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Add machine-readable example into description and make _m…
65ebf91 
…ailbox plural for arrays

Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Update change log
ecc1c28 
Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Add section number to 'mailbox' references
3204214 
Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Deprecate 'delivered_to' and 'reply_to' in favor of 'deli…
af3621a 
…vered_to_list' and 'reply_to_mailboxes'

Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
issue-1306: Add reference to 'delivered_to_list'
2e266aa 
Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Update network connection protocol_name and protocol_num …
0e3d5f0 
…descriptions

Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Make 'activity_id' required in email activity class
2877409 
Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Change 'activity_id' requirement in email file and url ev…
a187d51 
…ent classes

Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Address review comments
15fc1cf 
Signed-off-by: Ania Kacewicz <[email protected]>
@Aniak5
Issue-1306: Change 'email.uid' description and deprecate 'email_uid'
774d00d 
Signed-off-by: Ania Kacewicz <[email protected]>
pagbabian-splunk
pagbabian-splunk previously approved these changes Jan 23, 2025
View reviewed changes
Copy link
Contributor

@pagbabian-splunk pagbabian-splunk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor point - for message_uid we should also use the Source meta data keyword for "Message-ID"

@floydtree
Copy link
Contributor

There is a breaking change (hardening requirement of activity_id) in this PR that the community collectively agreed to pass through. All 3 Email Activity * star classes had a bug since v1.0.0, where it had overwritten activity_id's requirement from required to optional in its definition.

This directly conflicts with usage of activity_id throughout the framework, as it is one of the primary classifiers in all event classes and is expected to be populated in all OCSF events. The has community collectively agreed to fix this within the v1 major cycle, even though this can technically be classified as a breaking change considering it as a critical bugfix.

@pagbabian-splunk @Aniak5 @mikeradka @jasonbreimer

@floydtree floydtree merged commit 3827752 into ocsf:main Jan 24, 2025
2 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pagbabian-splunk pagbabian-splunk pagbabian-splunk approved these changes

@floydtree floydtree floydtree approved these changes

@mikeradka mikeradka mikeradka approved these changes

@davemcatcisco davemcatcisco davemcatcisco left review comments

@JW-Corelight JW-Corelight JW-Corelight left review comments

@zschmerber zschmerber Awaiting requested review from zschmerber zschmerber is a code owner

@jonrau-at-queryai jonrau-at-queryai Awaiting requested review from jonrau-at-queryai jonrau-at-queryai is a code owner

Assignees

@Aniak5 Aniak5

Labels
breaking Any breaking, non backwards compatible changes bug Something isn't working deprecation A schema artifact is being deprecated network_activity Issues related to Network Activity Category v1.4.0 Changes marked for the upcoming version 1.4.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Aniak5 @JW-Corelight @floydtree @pagbabian-splunk @mikeradka @davemcatcisco