
Commit fe09815

Set device.os.type to Linux on all OCSF events (DataDog#23714)

* Set device.os.type to Linux on all OCSF events

Add a schema-category-mapper that sets ocsf.device.os.type and ocsf.device.os.type_id (200/Linux) on every event the integration emits. This gives downstream rules a stable, source-agnostic way to filter for Linux events — e.g. cross-source detection rules can use @ocsf.device.os.type:Linux to scope to Linux endpoints without depending on metadata.product.vendor_name (which encodes the source, not the OS).

Also add profiles: [host] to the SOCKADDR Network Activity sub-pipeline so device.os.* validates against the OCSF schema there (Network Activity has no native device attribute).

Test fixtures updated to expect device.os in all 29 ocsf: blocks, and the SOCKADDR fixture to expect metadata.profiles: [host].

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Fix OCSF validation: device.os.name, base_event host profile, device.type_id

Address validator errors after adding device.os.type to all sub-pipelines:

- ocsf.device.os.name is required by the OCSF OS object; set it to "Linux" via a top-level string-builder in the OCSF pre-transformations sub-pipeline so it applies to every event.
- ocsf.device.name is required to satisfy the Device object's at_least_one constraint on sub-pipelines that don't otherwise populate hostname/ip; set to "Unknown" via the same top-level string-builder.
- Base Event class natively includes the host profile in OCSF; declaring profiles: [host] on the Base Event schema-processor brings the pipeline in line so device.* validates.
- ocsf.device.type_id was missing from Base Event, SOCKADDR Network Activity, and SYSCALL Network Activity sub-pipelines; added a schema-category-mapper (Unknown / 0) to each.

Test fixtures updated to reflect the new fields: device.os.name on all 29 fixtures, device.name on the 11 fixtures that previously lacked it (9 IAM/Device-Config with hostname/ip, 2 Network 4001), device.type and device.type_id on the 11 fixtures that previously lacked the full device shape (9 Base Event, 2 Network 4001), and metadata.profiles: [host] on the 9 Base Event fixtures.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 413f117 commit fe09815

2 files changed

Lines changed: 414 additions & 1 deletion


linux_audit_logs/assets/logs/linux-audit-logs.yaml

Lines changed: 225 additions & 1 deletion
@@ -467,6 +467,18 @@ pipeline:
467467
template: Linux
468468
target: ocsf.metadata.product.vendor_name
469469
replaceMissing: false
470+
- type: string-builder-processor
471+
name: Set `ocsf.device.name` to Unknown
472+
enabled: true
473+
template: Unknown
474+
target: ocsf.device.name
475+
replaceMissing: false
476+
- type: string-builder-processor
477+
name: Set `ocsf.device.os.name` to Linux
478+
enabled: true
479+
template: Linux
480+
target: ocsf.device.os.name
481+
replaceMissing: false
470482
- type: arithmetic-processor
471483
name: Convert `timestamp` epoch to seconds
472484
enabled: true
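Review bot: the string-builder at 470-475 writes the literal `Unknown` into ocsf.device.name on every event before any sub-pipeline runs, so a sub-pipeline that later remaps a real hostname only wins if its remapper has overrideOnConflict: true; that ordering assumption deserves a YAML comment on the processor, because a remapper added with overrideOnConflict: false would silently keep `Unknown`. A fixed device.name also collapses every such host into one bucket for any rule that groups or alerts per device.name, so populating device.hostname from the source where it exists is preferable to relying on the sentinel. Minor: both templates here are plain literals with no attribute placeholders, so `replaceMissing: false` is a no-op in 475 and 481 and is kept only for consistency with the vendor_name builder above.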
@@ -490,7 +502,8 @@ pipeline:
490502
className: Base Event
491503
classUid: 0
492504
extensions: []
493-
profiles: []
505+
profiles:
506+
- host
494507
mappers:
495508
- name: ocsf.activity_id
496509
categories:
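Review bot: the profiles change at 505-506 carries no explanation in the file itself; add a YAML comment on the profiles key saying the host profile is declared so that device.* validates against the OCSF Base Event schema, since the reason currently lives only in the commit message and a later cleanup could revert it to `[]` and reintroduce the validator error.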
@@ -597,6 +610,32 @@ pipeline:
597610
preserveSource: true
598611
overrideOnConflict: true
599612
type: schema-remapper
613+
- name: ocsf.device.os.type_id
614+
categories:
615+
- filter:
616+
query: "*"
617+
name: Linux
618+
id: 200
619+
targets:
620+
name: ocsf.device.os.type
621+
id: ocsf.device.os.type_id
622+
fallback:
623+
values: {}
624+
sources: {}
625+
type: schema-category-mapper
626+
- name: ocsf.device.type_id
627+
categories:
628+
- filter:
629+
query: "*"
630+
name: Unknown
631+
id: 0
632+
targets:
633+
name: ocsf.device.type
634+
id: ocsf.device.type_id
635+
fallback:
636+
values: {}
637+
sources: {}
638+
type: schema-category-mapper
600639
- type: pipeline
601640
name: OCSF sub pipeline for class File System Activity [1001]
602641
enabled: true
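Review bot: the ocsf.device.os.type_id mapper at 613-625 is copied verbatim into every sub-pipeline in this commit (twelve more copies below, through the Syscall Network Activity hunk); if the pipeline loader accepts YAML anchors, define it once and reference it in the other sub-pipelines so the 200/Linux pair cannot drift, and if it does not, at least put a one-line comment at each copy noting that OCSF os type_id 200 is Linux. For the device.type_id mapper at 626-638, `query: "*"` with empty fallback values/sources means the only reachable outcome is Unknown/0, which is fine as a placeholder but should be called out as one so a future contributor maps a real device type rather than assuming the mapper is doing classification.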
@@ -846,6 +885,19 @@ pipeline:
846885
preserveSource: false
847886
overrideOnConflict: true
848887
type: schema-remapper
888+
- name: ocsf.device.os.type_id
889+
categories:
890+
- filter:
891+
query: "*"
892+
name: Linux
893+
id: 200
894+
targets:
895+
name: ocsf.device.os.type
896+
id: ocsf.device.os.type_id
897+
fallback:
898+
values: {}
899+
sources: {}
900+
type: schema-category-mapper
849901
- type: pipeline
850902
name: OCSF sub pipeline for class File System Activity [1001] from SYSCALL
851903
enabled: true
@@ -1120,6 +1172,19 @@ pipeline:
11201172
preserveSource: true
11211173
overrideOnConflict: true
11221174
type: schema-remapper
1175+
- name: ocsf.device.os.type_id
1176+
categories:
1177+
- filter:
1178+
query: "*"
1179+
name: Linux
1180+
id: 200
1181+
targets:
1182+
name: ocsf.device.os.type
1183+
id: ocsf.device.os.type_id
1184+
fallback:
1185+
values: {}
1186+
sources: {}
1187+
type: schema-category-mapper
11231188
- type: pipeline
11241189
name: OCSF sub pipeline for class Module Activity [1005]
11251190
enabled: true
@@ -1355,6 +1420,19 @@ pipeline:
13551420
preserveSource: true
13561421
overrideOnConflict: true
13571422
type: schema-remapper
1423+
- name: ocsf.device.os.type_id
1424+
categories:
1425+
- filter:
1426+
query: "*"
1427+
name: Linux
1428+
id: 200
1429+
targets:
1430+
name: ocsf.device.os.type
1431+
id: ocsf.device.os.type_id
1432+
fallback:
1433+
values: {}
1434+
sources: {}
1435+
type: schema-category-mapper
13581436
- type: pipeline
13591437
name: OCSF sub pipeline for class Account Change [3001]
13601438
enabled: true
@@ -1609,6 +1687,19 @@ pipeline:
16091687
preserveSource: false
16101688
overrideOnConflict: true
16111689
type: schema-remapper
1690+
- name: ocsf.device.os.type_id
1691+
categories:
1692+
- filter:
1693+
query: "*"
1694+
name: Linux
1695+
id: 200
1696+
targets:
1697+
name: ocsf.device.os.type
1698+
id: ocsf.device.os.type_id
1699+
fallback:
1700+
values: {}
1701+
sources: {}
1702+
type: schema-category-mapper
16121703
- type: pipeline
16131704
name: OCSF sub pipeline for class Authentication [3002]
16141705
enabled: true
@@ -1873,6 +1964,19 @@ pipeline:
18731964
preserveSource: false
18741965
overrideOnConflict: true
18751966
type: schema-remapper
1967+
- name: ocsf.device.os.type_id
1968+
categories:
1969+
- filter:
1970+
query: "*"
1971+
name: Linux
1972+
id: 200
1973+
targets:
1974+
name: ocsf.device.os.type
1975+
id: ocsf.device.os.type_id
1976+
fallback:
1977+
values: {}
1978+
sources: {}
1979+
type: schema-category-mapper
18761980
- type: pipeline
18771981
name: OCSF sub pipeline for role assign logs
18781982
enabled: true
@@ -2167,6 +2271,19 @@ pipeline:
21672271
preserveSource: true
21682272
overrideOnConflict: true
21692273
type: schema-remapper
2274+
- name: ocsf.device.os.type_id
2275+
categories:
2276+
- filter:
2277+
query: "*"
2278+
name: Linux
2279+
id: 200
2280+
targets:
2281+
name: ocsf.device.os.type
2282+
id: ocsf.device.os.type_id
2283+
fallback:
2284+
values: {}
2285+
sources: {}
2286+
type: schema-category-mapper
21702287
- type: pipeline
21712288
name: OCSF sub pipeline for class Group Management [3006]
21722289
enabled: true
@@ -2416,6 +2533,19 @@ pipeline:
24162533
preserveSource: false
24172534
overrideOnConflict: true
24182535
type: schema-remapper
2536+
- name: ocsf.device.os.type_id
2537+
categories:
2538+
- filter:
2539+
query: "*"
2540+
name: Linux
2541+
id: 200
2542+
targets:
2543+
name: ocsf.device.os.type
2544+
id: ocsf.device.os.type_id
2545+
fallback:
2546+
values: {}
2547+
sources: {}
2548+
type: schema-category-mapper
24192549
- type: pipeline
24202550
name: OCSF sub pipeline for class Device Config State Change [5019]
24212551
enabled: true
@@ -2639,6 +2769,19 @@ pipeline:
26392769
preserveSource: true
26402770
overrideOnConflict: true
26412771
type: schema-remapper
2772+
- name: ocsf.device.os.type_id
2773+
categories:
2774+
- filter:
2775+
query: "*"
2776+
name: Linux
2777+
id: 200
2778+
targets:
2779+
name: ocsf.device.os.type
2780+
id: ocsf.device.os.type_id
2781+
fallback:
2782+
values: {}
2783+
sources: {}
2784+
type: schema-category-mapper
26422785
- type: pipeline
26432786
name: OCSF sub pipeline for class Process Activity [1007] for EXECVE
26442787
enabled: true
@@ -2827,6 +2970,19 @@ pipeline:
28272970
preserveSource: false
28282971
overrideOnConflict: true
28292972
type: schema-remapper
2973+
- name: ocsf.device.os.type_id
2974+
categories:
2975+
- filter:
2976+
query: "*"
2977+
name: Linux
2978+
id: 200
2979+
targets:
2980+
name: ocsf.device.os.type
2981+
id: ocsf.device.os.type_id
2982+
fallback:
2983+
values: {}
2984+
sources: {}
2985+
type: schema-category-mapper
28302986
- type: pipeline
28312987
name: OCSF sub pipeline for class Process Activity [1007] from SYSCALL
28322988
enabled: true
@@ -3061,6 +3217,19 @@ pipeline:
30613217
preserveSource: true
30623218
overrideOnConflict: true
30633219
type: schema-remapper
3220+
- name: ocsf.device.os.type_id
3221+
categories:
3222+
- filter:
3223+
query: "*"
3224+
name: Linux
3225+
id: 200
3226+
targets:
3227+
name: ocsf.device.os.type
3228+
id: ocsf.device.os.type_id
3229+
fallback:
3230+
values: {}
3231+
sources: {}
3232+
type: schema-category-mapper
30643233
- type: pipeline
30653234
name: OCSF sub pipeline for class Network Activity [4001] from SOCKADDR
30663235
enabled: true
@@ -3088,6 +3257,9 @@ pipeline:
30883257
version: 1.5.0
30893258
className: Network Activity
30903259
classUid: 4001
3260+
extensions: []
3261+
profiles:
3262+
- host
30913263
mappers:
30923264
- name: ocsf.activity_id
30933265
categories:
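Review bot: `extensions: []` at 3260 is introduced here alongside the profile but is not mentioned in the commit message; it matches the shape the Base Event schema-processor already has (line 492 in the earlier hunk), so either note it in the message as an alignment change or drop it to keep this hunk to the profiles change it describes.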
@@ -3187,6 +3359,32 @@ pipeline:
31873359
preserveSource: true
31883360
overrideOnConflict: true
31893361
type: schema-remapper
3362+
- name: ocsf.device.os.type_id
3363+
categories:
3364+
- filter:
3365+
query: "*"
3366+
name: Linux
3367+
id: 200
3368+
targets:
3369+
name: ocsf.device.os.type
3370+
id: ocsf.device.os.type_id
3371+
fallback:
3372+
values: {}
3373+
sources: {}
3374+
type: schema-category-mapper
3375+
- name: ocsf.device.type_id
3376+
categories:
3377+
- filter:
3378+
query: "*"
3379+
name: Unknown
3380+
id: 0
3381+
targets:
3382+
name: ocsf.device.type
3383+
id: ocsf.device.type_id
3384+
fallback:
3385+
values: {}
3386+
sources: {}
3387+
type: schema-category-mapper
31903388
- type: pipeline
31913389
name: OCSF sub pipeline for class Network Activity [4001] from Syscall
31923390
enabled: true
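Review bot: with device.type_id forced to Unknown/0 at 3375-3387 and device.name set to `Unknown` by the top-level builder, the Device object on SOCKADDR Network Activity events now satisfies at_least_one but carries no host identity at all; the commit message says this sub-pipeline does not populate hostname/ip, so add a comment stating that the placeholders exist only for schema validity, and consider remapping the audit record's hostname or ip here where the source provides them so network events remain attributable to a host in cross-source rules.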
@@ -3403,3 +3601,29 @@ pipeline:
34033601
preserveSource: true
34043602
overrideOnConflict: true
34053603
type: schema-remapper
3604+
- name: ocsf.device.os.type_id
3605+
categories:
3606+
- filter:
3607+
query: "*"
3608+
name: Linux
3609+
id: 200
3610+
targets:
3611+
name: ocsf.device.os.type
3612+
id: ocsf.device.os.type_id
3613+
fallback:
3614+
values: {}
3615+
sources: {}
3616+
type: schema-category-mapper
3617+
- name: ocsf.device.type_id
3618+
categories:
3619+
- filter:
3620+
query: "*"
3621+
name: Unknown
3622+
id: 0
3623+
targets:
3624+
name: ocsf.device.type
3625+
id: ocsf.device.type_id
3626+
fallback:
3627+
values: {}
3628+
sources: {}
3629+
type: schema-category-mapper
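Review bot: no profiles: [host] change accompanies the device.* mappers added at 3604-3629 for the Syscall Network Activity sub-pipeline, while the SOCKADDR sibling got one at 3260-3262; since the commit message states Network Activity has no native device attribute, confirm that the Syscall schema-processor already declares the host profile, otherwise these fields hit the same validator error that motivated the SOCKADDR change. This hunk also ends the file (`-3403,3 +3601,29`), so check the file keeps its trailing newline.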
