Issue 998: Add Data Classification Profile

[Aniak5]

Related Issue:

#998

Description of changes:

• Added data_classification object
• Added data_classification profile
• Added data_classification profile to database, databucket, email, file, metadata, product, resource_details and web_resource objects

[alanisaac]

Looks like this PR is picking up the latest version of the OCSF validator, which is now (technically, correctly) picking up more validation errors:

FATAL: File at events/network/file_activity.json does not pass metaschema validation. Error: 'optional' is not one of ['recommended', 'required'] at JSON path: '$.attributes.connection_info.requirement'

Either we need to fix the schema errors (likely in another PR) or pin the validator version fully.

[Aniak5]

Looks like this PR is picking up the latest version of the OCSF validator, which is now (technically, correctly) picking up more validation errors:

FATAL: File at events/network/file_activity.json does not pass metaschema validation. Error: 'optional' is not one of ['recommended', 'required'] at JSON path: '$.attributes.connection_info.requirement'

Either we need to fix the schema errors (likely in another PR) or pin the validator version fully.

I can create a new PR to fix this.

[alanisaac]

oh -- already on it! #1009

[k2niner]

(1) data_type seems like a fairly generic attribute name for what we are trying to capture. When I see that name, I certainly expect something else in the larger context of OCSF. I believe we want something like a Data Sensitivity Category, which is clearly way too long of a name, but does that capture the need?

(2) I would need to extend the object for my use case, but this might get me out of the business of extending some of the objects that I extend now, which is a win. I assume I could also have the profile applied to other objects within my extension, right?

(3) I apply a classification object to product as a means of capturing the "high water mark" of the product (i.e., web application) that was accessed. Worth considering.

[Aniak5]

(1) data_type seems like a fairly generic attribute name for what we are trying to capture. When I see that name, I certainly expect something else in the larger context of OCSF. I believe we want something like a Data Sensitivity Category, which is clearly way too long of a name, but does that capture the need?

Agreed, maybe something more simple like category or category_type? It exists within the data_classification object so we likely don't need data appended.

(2) I would need to extend the object for my use case, but this might get me out of the business of extending some of the objects that I extend now, which is a win. I assume I could also have the profile applied to other objects within my extension, right?

Yes, exactly!

(3) I apply a classification object to product as a means of capturing the "high water mark" of the product (i.e., web application) that was accessed. Worth considering.

We can certainly add the profile to the product object as well. Though this makes me wonder if we should add product to additional objects. Which OCSF object does product belong to in your example?

[k2niner]

We can certainly add the profile to the product object as well. Though this makes me wonder if we should add product to additional objects. Which OCSF object does product belong to in your example?

For a Web Resource Activity event, I apply a classification object to:

metadata - captures the sensitivity of the event log
product - inside metadata, this product attribute captures the high water mark of the sensitivity of the data hosted by the product (app)
web_resource - captures the sensitivity of the resource that was accessed.

I have two other uses, but they are unique to my extended object.

[Aniak5]

Tagging Jonathan @jonrau-at-queryai here because I cannot add him as a reviewer.

[jonrau-at-queryai]

LGTM! Awesome work with this 🚢

[zschmerber]

This is so helpful thanks for adding the profile.