Malware object not validating

[erikloman]

I am working on a OCSF producer and I found that the online tool /api/v2/validate to validate JSON against the schema produces an error related to malware[0].classification_ids. I think the JSON is correct but the JSON does not validate. I am doing something wrong?

{
  "activity_id": 1,
  "category_uid": 2,
  "class_uid": 2004,
  "time": 1719472279,
  "metadata": {
    "version": "1.2.0",
    "profiles": [ "security_control", "host" ],
    "product": {
      "name": "ByteJams Ranger",
      "uid": "9766fc71-4e12-492f-9962-421513f5a90b",
      "vendor_name": "ByteJams",
      "version": "1.0.1009.0",
      "feature": {
        "name": "anti_ransomware",
        "uid": "2e889cac-97da-40d0-81a5-543a4e264252",
        "version": "1.0"
      }
    }
  },
  "severity_id": 3,
  "status_id": 1,
  "type_uid": 200401,
  "action_id": 2,
  "disposition_id": 2,
  "attacks": [
    {
      "tactic": {
        "name": "Impact",
        "uid": "TA0040"
      },
      "technique": {
        "name": "Data Encrypted for Impact",
        "uid": "T1486"
      },
      "version": "1.4"
    }
  ],
  "malware": [
    {
      "classification_ids" : [ 10 ],
      "name": "Win32.Generic.Ransomware"
    }
  ],
  "device": {
    "hostname": "TEST-01",
    "uid": "1f3e49ee-db3c-4cc8-a9e6-4419eebe568c",
    "type_id": 2
  },
  "confidence_id": 3,
  "finding_info": {
    "analytic": {
      "name": "anti_ransomware",
      "type_id": 2,
      "version": "anti_ransomware",
      "uid": "2e889cac-97da-40d0-81a5-543a4e264252"
    },
    "title": "Suspicious ransomware behavior was blocked",
    "uid": "3f3e52cc-e208-473b-a59d-d558a06c9e44",
    "attacks": [
      {
        "tactic": {
          "name": "Impact",
          "uid": "TA0040"
        },
        "technique": {
          "name": "Data Encrypted for Impact",
          "uid": "T1486"
        },
        "version": "1.4"
      }
    ]
  }
}

I get the following error:

"errors": [
    {
      "error": "attribute_enum_value_unknown",
      "message": "Unknown enum value at \"malware[0].classification_ids\"; value ~c\"\\n\" is not defined for enum \"classification_ids\".",
      "value": [
        10
      ],
      "attribute": "classification_ids",
      "attribute_path": "malware[0].classification_ids"
    }
  ]

Is this a problem with the schema or with the validator?

[alanisaac]

Trying other methods of validation:

Using the schema for detection finding at https://schema.ocsf.io/schema/1.2.0/classes/detection_finding?profiles= and the event JSON you have above, validation passes when I try them out together in https://www.jsonschemavalidator.net/

I also found that this event passes the "v1" validation endpoint on the schema server at /api/validate.

That makes me think this is possibly an issue with the validation logic in the schema server in the v2 endpoint? cc: @rmouritzen-splunk

[rmouritzen-splunk]

This is (almost certainly) a gap in the v2 validation logic. I don't think it's handling arrays of enumerations.

@erikloman Your event's malware classification_ids value looks correct, so you're good. I'm going to move copy this issue over to the ocsf-server repo and mark it as a bug.

Thanks!

[rmouritzen-splunk]

OCSF Server issue: ocsf/ocsf-server#96

[rmouritzen-splunk]

@erikloman The public OCSF Server (https://schema.ocsf.io/) has been updated with a fix to the v2 validation APIs that addresses this problem. Thanks for pointing this out!