Findings/Security Finding/IBM/QRadar SIEM/offense.json is not valid OCSF? #32

Open
dfederschmidt opened this issue Jun 20, 2023 · 2 comments
@dfederschmidt

There seem to be various issues with this sample.

metadata.version is set to a value that is not reasonable. OCSF Version 7.5.0 does not exist.
https://github.com/ocsf/examples/blob/12802e239cc29016d267549e476d563b0b26bcc8/Findings/Security%20Finding/IBM/QRadar%20SIEM/offense.json#LL65C1-L66C1

severity_id is a required property but is not set on the sample.

There may be various other issues but I stopped looking into using the sample after these 2 issues were uncovered. Just wanted to document this here in case someone else stumbles on this.

@pagbabian-splunk

Thanks Daniel - good catches. My guess is that the version is not the OCSF version incorrectly populated but the QRadar version, which should be part of the product attribute of metadata: e.g. metadata.product.version = "7.5.0".

@irakledibm can you comment on this?
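The two defects raised above (a product version written into metadata.version, and a missing required severity_id) are exactly the kind of thing a small pre-commit check over the sample files would catch. The linter below is an added example, not code from the ocsf/examples repository or from any of the commenters. It assumes: a set of released OCSF schema versions (KNOWN_OCSF_VERSIONS), an abbreviated subset of the attributes OCSF requires on every event (REQUIRED_TOP_LEVEL), the OCSF severity_id enum values, and the OCSF rule that type_uid equals class_uid * 100 + activity_id. The two sample events are constructed inline: one mimics the broken offense.json as described in the issue, the other applies the fix suggested in the reply (metadata.version = OCSF version, metadata.product.version = "7.5.0", severity_id set).

```python
"""Minimal OCSF sample linter (added example, not from ocsf/examples)."""
import json
from typing import Any

# Assumption: released OCSF schema versions a metadata.version may carry.
KNOWN_OCSF_VERSIONS = {"1.0.0", "1.1.0", "1.2.0", "1.3.0"}

# OCSF severity_id enum: 0 Unknown, 1 Informational, 2 Low, 3 Medium,
# 4 High, 5 Critical, 6 Fatal, 99 Other.
VALID_SEVERITY_IDS = {0, 1, 2, 3, 4, 5, 6, 99}

# Assumption: abbreviated subset of the attributes required on every event.
REQUIRED_TOP_LEVEL = (
    "class_uid", "category_uid", "type_uid", "activity_id",
    "severity_id", "metadata", "time",
)


def lint_ocsf_event(event: dict[str, Any]) -> list[str]:
    """Return a list of human-readable problems; an empty list means clean."""
    problems: list[str] = []

    for key in REQUIRED_TOP_LEVEL:
        if key not in event:
            problems.append(f"missing required attribute: {key}")

    sev = event.get("severity_id")
    if sev is not None and sev not in VALID_SEVERITY_IDS:
        problems.append(f"severity_id {sev!r} is not a valid OCSF severity enum value")

    # type_uid is derived: class_uid * 100 + activity_id.
    if all(k in event for k in ("class_uid", "activity_id", "type_uid")):
        expected = event["class_uid"] * 100 + event["activity_id"]
        if event["type_uid"] != expected:
            problems.append(f"type_uid {event['type_uid']} != expected {expected}")

    metadata = event.get("metadata")
    if isinstance(metadata, dict):
        version = metadata.get("version")
        product = metadata.get("product") or {}
        if version is None:
            problems.append("missing required attribute: metadata.version")
        elif version not in KNOWN_OCSF_VERSIONS:
            hint = ""
            # The common mistake from the issue: the product's version was
            # written where the schema version belongs.
            if isinstance(product, dict) and product.get("version") is None:
                hint = " (looks like a product version; it belongs in metadata.product.version)"
            problems.append(
                f"metadata.version {version!r} is not a released OCSF schema version{hint}"
            )
    return problems


def lint_ocsf_file(path: str) -> list[str]:
    """Load a sample JSON file and lint it."""
    with open(path, encoding="utf-8") as fh:
        return lint_ocsf_event(json.load(fh))


# Constructed sample mimicking the broken offense.json described in the issue:
# product version in metadata.version, no severity_id.
BROKEN_SAMPLE: dict[str, Any] = {
    "activity_id": 1,
    "category_uid": 2,
    "class_uid": 2001,
    "type_uid": 200101,
    "time": 1687219200000,
    "finding": {"title": "Offense 42", "uid": "42"},
    "metadata": {
        "version": "7.5.0",
        "product": {"name": "QRadar SIEM", "vendor_name": "IBM"},
    },
}

# Constructed sample with the fix suggested in the thread applied.
FIXED_SAMPLE: dict[str, Any] = {
    **BROKEN_SAMPLE,
    "severity_id": 3,
    "metadata": {
        "version": "1.0.0",
        "product": {"name": "QRadar SIEM", "vendor_name": "IBM", "version": "7.5.0"},
    },
}


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN_SAMPLE), ("fixed", FIXED_SAMPLE)):
        issues = lint_ocsf_event(sample)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Run it against a sample with lint_ocsf_file("path/to/offense.json"); the broken sample reports the missing severity_id and flags "7.5.0" with the product-version hint, while the fixed sample reports nothing. The version allow-list is deliberately a hard-coded assumption; in a real repository hook it should be derived from the schema release the samples claim to target.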

@irakledibm
Contributor

I will review this sample and make appropriate changes.

@irakledibm irakledibm self-assigned this Aug 17, 2023