
Add OCSF to ASIM mapper #153

Merged
mavam merged 27 commits into main from topic/ocsf-to-asim on Jun 13, 2026

Conversation

@mavam mavam (Member) commented Jun 7, 2026

🔍 Problem

  • The Microsoft OCSF package emitted validated events but did not normalize them into ASIM.
  • Consumers needed flat ASIM records for alert, audit, authentication, process, user-management, and session workflows.

🛠️ Solution

  • Add microsoft::ocsf::map_to_asim with shared ASIM initialization and schema-specific dispatch.
  • Map supported OCSF classes to existing ASIM event shapes and fail strictly on unsupported classes in strict mode.
  • Add package tests and baselines for direct targets and representative source events.

💬 Review

  • The main tradeoff is coverage vs. exact field completeness; leftover OCSF data stays in AdditionalFields.
  • Review the class-to-schema dispatch and the inferred EventType mappings.

@mavam mavam marked this pull request as ready for review June 7, 2026 16:27
@tenzir tenzir deleted a comment from chatgpt-codex-connector Bot Jun 7, 2026
@mavam mavam force-pushed the topic/ocsf-to-asim branch from b50a092 to 4be2ad3 on June 8, 2026 10:13
mavam and others added 19 commits June 11, 2026 16:49
Map the Microsoft OCSF package into the ASIM event shapes it already emits, covering alert, audit, authentication, process, user-management, file, network, DNS, DHCP, and web sessions. Add strict failure coverage for unsupported classes and keep the package tests aligned with the new mapper.

Assisted-by: GPT-5 (Codex)
Address review findings against the authoritative ASIM schema data
and OCSF 1.8 reference:

- Map OCSF Logoff activity to EventType Logoff instead of Logon.
- Read the URL from http_request.url.url_string so Url is a string,
  not a record, on conformant OCSF input.
- Preserve the full original OCSF event under AdditionalFields
  instead of a fixed metadata envelope that silently dropped
  unmapped payload fields.
- Normalize enumerated fields: ThreatCategory via lookup table with
  ThreatOriginalCategory, AlertVerdict to the four allowed values,
  Authentication EventSubType from logon_type with
  EventOriginalSubType, and Dns EventType from the query opcode with
  request/response EventSubType.
- Map severity_id 6 (Fatal) to High and stop passing arbitrary
  severity strings into EventSeverity.
- Orient rename events correctly: OCSF file becomes SrcFile* and
  file_result becomes TargetFile*.
- Derive ParentProcessId from the acting process's parent instead of
  the acting process itself.
- Honor OCSF start_time for EventStartTime.
- Drop the explicit unsupported class list in favor of the fallback.
- Make test fixtures OCSF-1.8-conformant (query.hostname,
  src_endpoint.mac, http_request.url) and add Logoff, rename, and
  logon_type coverage.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Assisted-by: Claude Opus 4.8 (Claude Code)
Expose microsoft::ocsf::map and microsoft::asim::map as the broad package entry points. Split the OCSF-to-ASIM implementation into class-level mappers under microsoft::asim::ocsf so future direct ASIM mappings can be added behind the stable API.

Assisted-by: GPT-5 (Codex)
Keep the new Microsoft mapping UDO frontmatter within the supported operator schema by using plain descriptions only.

Assisted-by: GPT-5 (Codex)
Treat Microsoft OCSF and ASIM dispatchers as current-event mappers and make raw payload preservation optional provenance.

Update Windows Event Log tests to parse XML explicitly before mapping and refresh their baselines.

Assisted-by: GPT-5 Codex (Superconductor)
Inline small finalization and unsupported branches instead of routing through helper UDOs.

Relax Account Change mapping so missing actor names stay nullable output fields rather than rejecting the event.

Assisted-by: GPT-5 Codex (Superconductor)
Snapshot the OCSF source event before creating the temporary ASIM working record, then use that snapshot when populating AdditionalFields.

This keeps implementation-only mapper state out of the preserved source event instead of dropping it after the fact.

Assisted-by: GPT-5 Codex (Superconductor)
Initialize ASIM OCSF mappers with separate ocsf and asim records, then read source fields through ocsf while building the ASIM output.

Keep the account-change class assertion before the common wrapper so it validates the original OCSF event shape.

Assisted-by: GPT-5 Codex (Superconductor)
Run the generic ASIM wrapper through OCSF normalization only when class_uid is absent, then always dispatch via the ASIM OCSF mapper with raw passthrough.

Initialize source and target namespaces in one assignment for Graph and Windows OCSF wrappers.

Assisted-by: GPT-5 Codex (Superconductor)
Add class_uid assertions to every ASIM OCSF leaf mapper so direct calls fail before common mapper setup when the source OCSF class is wrong.

Assisted-by: GPT-5 Codex (Superconductor)
Assert required source OCSF fields before common mapper setup instead of checking derived ASIM fields after mapping work has already run.

Assisted-by: GPT-5 Codex (Superconductor)
Keep class_uid guards on leaf mappers, but remove field-completeness assertions so supported OCSF classes can map whatever ASIM fields are available.

Assisted-by: GPT-5 Codex (Superconductor)
Simplify ASIM OCSF mapper conditionals by dropping redundant else-null branches and using explicit boolean comparisons for optional SID predicates.

Assisted-by: GPT-5 Codex (Superconductor)
Remove redundant fallback expressions now that optional spreads and nullable predicates are handled directly. Drop final select projections from the ASIM package tests so they validate the full mapped event shape.

Assisted-by: GPT-5 Codex (Superconductor)
Drop the raw-data side channel from the Microsoft OCSF and ASIM mapper UDOs. The mappers now use only the current event as their input, avoiding deferred argument semantics around moved fields.

Assisted-by: GPT-5 Codex (Superconductor)
Move the Microsoft OCSF-to-ASIM tests under the ASIM OCSF test tree so their layout mirrors the operator package. Split the broad user-management and direct-target cases into per-operator baselines.

Assisted-by: GPT-5 (Codex)
Require Microsoft map UDOs to write through an explicit event field. This makes OCSF and ASIM mapping composable with surrounding records and lets callers attach raw data outside the mapper without relying on deferred argument evaluation.

Assisted-by: GPT-5 Codex (Superconductor)
Make microsoft::asim::map expect OCSF input instead of hiding the Microsoft-to-OCSF conversion and OCSF derive/cast steps. Add examples that show the explicit OCSF-to-ASIM pipeline for Windows XML and Graph sign-ins.

Assisted-by: GPT-5 Codex (Superconductor)
Leave the Microsoft ASIM wrapper as an OCSF-only mapper for now, but document the intended source-to-ASIM bridge once OCSF derive and cast support field-targeted operation.

Assisted-by: GPT-5 Codex (Superconductor)
@mavam mavam force-pushed the topic/ocsf-to-asim branch from 7a8c2a5 to 83c2b18 on June 11, 2026 14:58
mavam added 7 commits June 11, 2026 17:10
Call the OCSF-to-ASIM mapper with this directly in the unsupported mapping fixture. Without strict, the assertion remains a warning instead of making the test expect a failing pipeline.

Assisted-by: GPT-5 (Codex)
Remove temporary event aliases from Microsoft examples and tests now that the mappers take a named event argument. Make mapper cleanup drops optional so direct event=this calls do not emit field-not-found warnings after the current event shape changes.

Assisted-by: GPT-5 (Codex)
Use move-based record construction when replacing mapper input with the final OCSF or ASIM event. This removes the separate cleanup drops for consumed intermediate namespaces.

Assisted-by: GPT-5 (Codex)
Emit only the mapped ASIM fields from OCSF-to-ASIM operators. Callers that need to retain the OCSF event can duplicate or copy it before invoking the ASIM mapper.

Assisted-by: GPT-5 (Codex)
Remove redundant class filters from per-schema ASIM OCSF tests. Keep only the records each fixture intends to map, and drop single-event sorts that no longer affect output order.

Assisted-by: GPT-5 (Codex)
Move the shared ASIM OCSF common mapper setup out of the helpers namespace. The package only has one helper UDO here, so callers can use microsoft::asim::ocsf::common directly.

Assisted-by: GPT-5 (Codex)
Route ASIM, Graph, and Windows mapping scratch state through the explicit event parameter instead of top-level temporary fields. This keeps nested mapping calls from leaking ocsf, asim, graph, or windows records into the caller scope.

Add scope regressions that map nested payloads and assert the outer fields remain untouched.

Assisted-by: GPT-5 (Codex)
Let the Microsoft public map UDOs use selector defaults for their event field parameter. Call sites that map the current record no longer need to spell out event=this, while nested selectors such as payload and win remain explicit.

Assisted-by: GPT-5 (Codex)
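
The dispatch shape the PR description and the commit messages describe (class_uid guards before common setup, strict vs. non-strict handling of unsupported classes, snapshotting the whole OCSF event into AdditionalFields, Logoff not collapsing into Logon, Url read from http_request.url.url_string, severity_id 6 mapped to High), as an added Python sketch that is not the package's own TQL. The class_uid constants and the Critical-to-High collapse are assumptions, not values taken from the page.

```python
import copy

# OCSF class_uid values (assumption: the published ids for Authentication
# and HTTP Activity). ASIM schema names follow the PR's targets.
AUTHENTICATION, HTTP_ACTIVITY = 3002, 4002

# severity_id -> ASIM EventSeverity. 6 (Fatal) collapses to High (5 too, an
# assumption); unknown ids become Informational instead of a raw string.
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium", 4: "High", 5: "High", 6: "High"}

def common(ocsf, schema):
    """Shared ASIM initialization. Snapshot the source first so mapper scratch
    state never leaks into the preserved AdditionalFields."""
    snapshot = copy.deepcopy(ocsf)
    return {
        "EventSchema": schema,
        "EventSeverity": SEVERITY.get(ocsf.get("severity_id"), "Informational"),
        "EventStartTime": ocsf.get("start_time", ocsf.get("time")),
        "AdditionalFields": snapshot,
    }

def map_authentication(ocsf):
    # The class_uid guard runs before common setup, so a direct call with the
    # wrong OCSF class fails early.
    assert ocsf.get("class_uid") == AUTHENTICATION, "not an OCSF Authentication event"
    asim = common(ocsf, "Authentication")
    # OCSF activity_id 2 is Logoff; it must not fall through to Logon.
    asim["EventType"] = "Logoff" if ocsf.get("activity_id") == 2 else "Logon"
    asim["TargetUsername"] = (ocsf.get("user") or {}).get("name")
    return asim

def map_http_activity(ocsf):
    assert ocsf.get("class_uid") == HTTP_ACTIVITY, "not an OCSF HTTP Activity event"
    asim = common(ocsf, "WebSession")
    # Read http_request.url.url_string so Url is a string, not the url record.
    asim["Url"] = ((ocsf.get("http_request") or {}).get("url") or {}).get("url_string")
    return asim

DISPATCH = {AUTHENTICATION: map_authentication, HTTP_ACTIVITY: map_http_activity}

def map_to_asim(ocsf, strict=False):
    """Dispatch on class_uid: unsupported classes raise in strict mode, else None."""
    mapper = DISPATCH.get(ocsf.get("class_uid"))
    if mapper is None:
        if strict:
            raise ValueError(f"unsupported OCSF class_uid {ocsf.get('class_uid')!r}")
        return None
    return mapper(ocsf)
```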
@mavam mavam merged commit 2a8bfca into main Jun 13, 2026
4 of 9 checks passed
@mavam mavam deleted the topic/ocsf-to-asim branch June 13, 2026 07:29