Add host profile and actor mappings to Network Activity SYSCALL pipeline (DataDog#23349)

* Map event_id to ocsf.metadata.correlation_uid in all sub-pipelines

* use uid instead of correlation_uid

* Map exe and comm to OCSF actor process fields in Network Activity pipeline

Add exe -> ocsf.actor.process.path and comm -> ocsf.actor.process.name
mappings to the Network Activity [4001] Syscall sub-pipeline.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add actor.process expectations to Network Activity SYSCALL test

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add host profile and full actor mappings to Network Activity SYSCALL pipeline

Network Activity (4001) has no native actor attribute, which caused the
earlier exe/comm -> ocsf.actor.process.* mappings to be rejected by the
schema validator. Declaring profiles: [host] on the SYSCALL->4001
schema-processor makes actor (and device) valid attributes on the class.

Also expand actor mappings for parity with the FS-from-SYSCALL
sub-pipeline: pid, uid/UID, auid/AUID, ses, tty.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Add metadata.profiles to Network Activity SYSCALL test expectation

The schema-processor emits ocsf.metadata.profiles: [host] when the host
profile is declared on the schema. Mirror the format used by IAM
sub-pipeline tests (e.g. line 141).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: nbeckstead-ddog

linux_audit_logs/assets/logs/linux-audit-logs.yaml

@@ -3210,7 +3210,8 @@ pipeline:
             className: Network Activity
             classUid: 4001
             extensions: []
-            profiles: []
+            profiles:
+              - host
           mappers:
             - name: ocsf.activity_id
               categories:
@@ -3321,3 +3322,84 @@ pipeline:
               preserveSource: false
               overrideOnConflict: true
               type: schema-remapper
+            - name: Map `exe` to `ocsf.actor.process.path`
+              sources:
+                - exe
+              sourceType: attribute
+              target: ocsf.actor.process.path
+              targetFormat: string
+              preserveSource: true
+              overrideOnConflict: true
+              type: schema-remapper
+            - name: Map `comm` to `ocsf.actor.process.name`
+              sources:
+                - comm
+              sourceType: attribute
+              target: ocsf.actor.process.name
+              targetFormat: string
+              preserveSource: true
+              overrideOnConflict: true
+              type: schema-remapper
+            - name: Map `pid` to `ocsf.actor.process.pid`
+              sources:
+                - pid
+              sourceType: attribute
+              target: ocsf.actor.process.pid
+              targetFormat: integer
+              preserveSource: true
+              overrideOnConflict: true
+              type: schema-remapper
+            - name: Map `uid` to `ocsf.actor.process.user.uid`
+              sources:
+                - uid
+              sourceType: attribute
+              target: ocsf.actor.process.user.uid
+              targetFormat: string
+              preserveSource: true
+              overrideOnConflict: true
+              type: schema-remapper
+            - name: Map `UID` to `ocsf.actor.process.user.name`
+              sources:
+                - UID
+              sourceType: attribute
+              target: ocsf.actor.process.user.name
+              targetFormat: string
+              preserveSource: true
+              overrideOnConflict: true
+              type: schema-remapper
+            - name: Map `auid` to `ocsf.actor.user.uid`
+              sources:
+                - auid
+              sourceType: attribute
+              target: ocsf.actor.user.uid
+              targetFormat: string
+              preserveSource: true
+              overrideOnConflict: true
+              type: schema-remapper
+            - name: Map `AUID` to `ocsf.actor.user.name`
+              sources:
+                - AUID
+              sourceType: attribute
+              target: ocsf.actor.user.name
+              targetFormat: string
+              preserveSource: true
+              overrideOnConflict: true
+              type: schema-remapper
+            - name: Map `ses` to `ocsf.actor.session.uid`
+              sources:
+                - ses
+              sourceType: attribute
+              target: ocsf.actor.session.uid
+              targetFormat: string
+              preserveSource: true
+              overrideOnConflict: true
+              type: schema-remapper
+            - name: Map `tty` to `ocsf.actor.session.terminal`
+              sources:
+                - tty
+              sourceType: attribute
+              target: ocsf.actor.session.terminal
+              targetFormat: string
+              preserveSource: true
+              overrideOnConflict: true
+              type: schema-remapper

linux_audit_logs/assets/logs/linux-audit-logs_tests.yaml

@@ -1609,6 +1609,20 @@ tests:
       ocsf:
         activity_id: 1
         activity_name: "Open"
+        actor:
+          process:
+            name: "bash"
+            path: "/usr/bin/bash"
+            pid: 226245
+            user:
+              name: "lima"
+              uid: "502"
+          session:
+            terminal: "pts0"
+            uid: "4"
+          user:
+            name: "lima"
+            uid: "502"
         category_name: "Network Activity"
         category_uid: 4
         class_name: "Network Activity"
@@ -1622,6 +1636,8 @@ tests:
           product:
             name: "Auditd"
             vendor_name: "Linux"
+          profiles:
+           - "host"
           version: "1.5.0"
         severity: "Informational"
         severity_id: 1