Merge pull request #982 from rmouritzen-splunk/observables

Add new ways to define observables in metaschema
ocsf · Mar 12, 2024 · ba1cb34 · ba1cb34
2 parents 82e13ee + 5f73be3
commit ba1cb34
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -53,6 +53,7 @@ Thankyou! -->
 
 ### Misc
 1. New Extension registration for Sedara. #951
+2. Add new ways to define observables to metaschema. #982
 
 <!-- All available sections in the Changelog:
 

diff --git a/metaschema/dictionary-attribute.schema.json b/metaschema/dictionary-attribute.schema.json
@@ -52,6 +52,9 @@
         "is_array": {
             "type": "boolean",
             "description": "A flag used when the attribute represents an array of values rather than a single value."
+        },
+        "observable": {
+            "$ref": "observable.schema.json"
         }
     },
     "additionalProperties": false

diff --git a/metaschema/event.schema.json b/metaschema/event.schema.json
@@ -37,6 +37,16 @@
                     "description": "A unique identifier for this event, must be unique within the category.",
                     "minimum": 0,
                     "maximum": 999
+                },
+                "observables": {
+                    "type": "object",
+                    "description": "Defines class-specific observables by attribute path.",
+                    "patternProperties": {
+                        "^[a-z0-9_]+(\\.[a-z0-9_]+)*$": {
+                            "$ref": "observable.schema.json"
+                        }
+                    },
+                    "additionalProperties": false
                 }
             },
             "additionalProperties": false