Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ext attribute to File object #1043

Closed
shellcromancer opened this issue Apr 17, 2024 · 1 comment · Fixed by #1046
Closed

Add ext attribute to File object #1043

shellcromancer opened this issue Apr 17, 2024 · 1 comment · Fixed by #1046
Labels
enhancement New feature or request non_breaking Non Breaking, backwards compatible changes v1.3.0 Changes marked for v1.3.0 of OCSF

Comments

@shellcromancer
Copy link
Contributor

The File object currently has an attribute for the file name (e.g. svchost.exe) but having a dedicated attribute for the executable extension (e.g. exe) is useful to search on to reduce the need for more expensive wild-card searches on the name field. This would also allow for security use-cases like finding where the mime-type differs from expected file extensions.

Other security object models in usage today have this attribute as well:

I'd suggest the type of the attribute be an optional string, and it would follow the same conventions as ECS to only get the trailing extension if there are multiple, without the prepending .: file.name of export.tar.gz has a file.extension of gz.
@floydtree floydtree added enhancement New feature or request non_breaking Non Breaking, backwards compatible changes v1.3.0 Changes marked for v1.3.0 of OCSF labels Apr 17, 2024
@zschmerber
Copy link
Contributor

Nice, this is a good find.

shellcromancer added a commit to shellcromancer/ocsf-schema that referenced this issue Apr 17, 2024
@shellcromancer
feat: adds file_extension attribute to File object
abd0f98 
Closes ocsf#1043
shellcromancer added a commit to shellcromancer/ocsf-schema that referenced this issue Apr 17, 2024
@shellcromancer
feat: adds file_extension attribute to File object
b59a3b8 
Closes ocsf#1043
shellcromancer added a commit to shellcromancer/ocsf-schema that referenced this issue Apr 17, 2024
@shellcromancer
feat: adds file_extension attribute to File object
449c78e 
Closes ocsf#1043
@shellcromancer shellcromancer mentioned this issue Apr 17, 2024
Merged
shellcromancer added a commit to shellcromancer/ocsf-schema that referenced this issue Apr 17, 2024
@shellcromancer
feat: adds ext attribute to File object
bb92c3c 
Closes ocsf#1043
shellcromancer added a commit to shellcromancer/ocsf-schema that referenced this issue Apr 17, 2024
@shellcromancer
feat: adds ext attribute to File object
e4c6ed6 
Closes ocsf#1043
shellcromancer added a commit to shellcromancer/ocsf-schema that referenced this issue Apr 17, 2024
@shellcromancer
feat: adds ext attribute to File object
e92f004 
Closes ocsf#1043
@shellcromancer shellcromancer changed the title Add extension attribute to File object Add ext attribute to File object Apr 17, 2024
shellcromancer added a commit to shellcromancer/ocsf-schema that referenced this issue Apr 19, 2024
@shellcromancer
feat: adds ext attribute to File object
c765770 
Closes ocsf#1043
shellcromancer added a commit to shellcromancer/ocsf-schema that referenced this issue Apr 19, 2024
@shellcromancer
feat: adds ext attribute to File object
a48fadf 
Closes ocsf#1043
shellcromancer added a commit to shellcromancer/ocsf-schema that referenced this issue Apr 24, 2024
@shellcromancer
feat: adds ext attribute to File object
772beb2 
Closes ocsf#1043
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request non_breaking Non Breaking, backwards compatible changes v1.3.0 Changes marked for v1.3.0 of OCSF
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: adds ext attribute to File object shellcromancer/ocsf-schema
3 participants
@zschmerber @shellcromancer @floydtree