RC3 items from Weekly Call 3/4/2023

[pagbabian-splunk]

Among the topics discussed with consensus today:

1. We won't have platform specific classes in core schema. Profiles or extensions are the preferred approach.
2. For the Windows Log profile, the win_resource object can be added as a Primary, Optional attribute, so as to avoid a Windows Resource Activity class. A counter POV is that adding this to the profile brings it along in some places, e.g. Authentication, where it isn't relevant. However, that is why we have Optional attributes. Another approach would be to have two distinct Windows profiles: a Windows Log profile (aptly named) and a Windows Resource profile. This latter was not discussed on the call but may split the difference. A better solution is for a Windows extension to carry the win_resource object and apply as a profile to core classes, or include in specific Windows extension classes.
3. With the change of category name from Audit to Access Control, the API Activity class doesn't belong. The suggestion was to move it to the newly promoted Application Activity category.
4. There is a new PR to promote Application Lifecycle Activity from dev extension to Application Activity category.
5. There was agreement to promote the Discovery category from dev and have it replace the Configuration / Inventory category, along with the structural changes to the two Device oriented inventory and config state classes. However, other classes from the dev extension from that category will not be candidates for RC3.
6. There was discussion on the Network File Activity class that is currently in the Network category and whether it is intuitive to find it there. Now that there is the Application Activity category there was some consensus to move it. Application Activity category would then have three classes for RC3.
7. We reviewed some of the share event codes across the different cloud drives. Many of the detailed codes were more akin to privileges assigned than file activity itself. This needs to be considered when arranging the codes and their activities for what is now Network File Activity.
8. We reviewed a number of Windows events to get a feel for our current coverage. Aside from crypto events, there was reasonably good coverage at the category level.

I will create some relevant PRs based on this list for RC3 consideration.

[pagbabian-splunk]

1. Still holds, but another option is being considered: a specific Platform section similar to Extensions but part of the Core schema categorization. Core classes that are platform specific can reside there, and extensions can add to it.
2. See 1/ for Windows specifically, including the three specific Windows classes in System Activity
3. This was approved and done.
4. This was approved and done, but the class is in PR state as of today.
5. The category name was approved and changed, but the class enhancements need PRs as of today.
6. Still pending
7. Still pending
8. No action required

New items not in above list:
9. Account object, still in PR state
10. Resource object, being re-thought, and resource_type_id may not be needed or needs to be refined
11. More clarification on User and Account needed - a proposal is being put together
12. Authorization, still in PR state but changes to split into to classes are being proposed

[pagbabian-splunk]

RC3 is now final.