Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add guidance on the representation of process parentage #54

Merged
merged 1 commit into from
Feb 18, 2025
Merged

Add guidance on the representation of process parentage #54

merged 1 commit into from
Feb 18, 2025

Conversation

mlmitch
Copy link
Contributor

@mlmitch mlmitch commented Jan 15, 2025
edited
Loading

This document adds prescriptive guidance on how to effectively represent endpoint process parentage in OCSF

@mlmitch mlmitch marked this pull request as draft January 15, 2025 15:13
@mlmitch mlmitch mentioned this pull request Jan 15, 2025
Closed
@mlmitch mlmitch force-pushed the process-parentage branch 2 times, most recently from ebc4955 to 705f1ff Compare January 15, 2025 21:38
@mlmitch mlmitch marked this pull request as ready for review January 16, 2025 13:40
@mikeradka
Copy link
Contributor

mikeradka commented Jan 16, 2025
edited
Loading

@mlmitch , I recall a while back that @zschmerber was utilizing a Figma diagram to demonstrate parentage. Of course, this was prior to the process_entity / ancestry being added to OCSF in 1.4.0. Could the addition of a simple diagram be useful for this doc?

@zschmerber
Copy link

Here is what i had for process but i agree a picture speaks a thousand words in this case.

https://www.figma.com/board/nJKySDnnN7v2CwNpM9HoFV/Actor.process?t=ovxFyOOVmcQNo5TX-0

@mlmitch
Copy link
Contributor Author

mlmitch commented Jan 17, 2025

Great. I can incorporate something like that and some sample data I think.

@mlmitch
Copy link
Contributor Author

mlmitch commented Jan 31, 2025

Ready for review. I didn't end up including a diagram as there is already some good stuff in the blog I link and Zach's diagram was more about general process relationships than parentage specifically.

I added a sample 1.4.0 event demonstrating all the concepts though.

@zschmerber zschmerber self-requested a review February 4, 2025 17:14
zschmerber
zschmerber previously approved these changes Feb 4, 2025
View reviewed changes
@mlmitch mlmitch mentioned this pull request Feb 4, 2025
Closed
@mlmitch
Add guidance on the representation of process parentage
f0558c6 
Signed-off-by: Mitchell Wasson <miwasson@cisco.com>
@mikeradka mikeradka self-requested a review February 5, 2025 23:50
floydtree
floydtree approved these changes Feb 18, 2025
View reviewed changes
Copy link
Contributor

@floydtree floydtree left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this excellent article.

@mlmitch One thing you can do is, add this as a "Reference" in the dictionary definition of the process object. So that people are directly linked to this article as they browse the schema. It will be similar to how I had done it for observables, in case you need a sample.

@floydtree floydtree merged commit fd5313d into ocsf:main Feb 18, 2025
@mlmitch
Copy link
Contributor Author

mlmitch commented Feb 19, 2025

Good suggestion Rajas. Mike recommended something similar. Will do.

@mlmitch
Copy link
Contributor Author

mlmitch commented Feb 20, 2025

ocsf/ocsf-schema#1349

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zschmerber zschmerber zschmerber approved these changes

@floydtree floydtree floydtree approved these changes

@mikeradka mikeradka mikeradka approved these changes

@pagbabian-splunk pagbabian-splunk Awaiting requested review from pagbabian-splunk

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mlmitch @mikeradka @zschmerber @floydtree