Handle Executable and Read-Only files in the File object (ocsf#1438)

pagbabian-splunk · web-flow · commit 83234cf4112c · 2025-06-24T12:24:00.000-04:00
#### Related Issue: ocsf#1418 #### Description of changes: Added an `Executable File` enum value to the File object type_id enums. Added an `is_read-only` attribute to the dictionary and redefined it specifically in the `File` object. After discussion, we felt that treating executable files as distinct from regular files was warranted, vs. relying on the attributes of a file by the file system. The rationale I used was that the actual construction of the executable file is special, similar to a Symbolic Link being special, or a Folder being special - as they are distinguished currently in the enum list. --------- Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -56,6 +56,7 @@ Thankyou! -->
   1. Added `Deleted` to `finding` `status_id` enum. [#1437](https://github.com/ocsf/ocsf-schema/pull/1437)
   1. Added `status` to `related_event` object. [#1434](https://github.com/ocsf/ocsf-schema/pull/1434)
   1. Added `attack_graph` to `finding_info`. [#1436](https://github.com/ocsf/ocsf-schema/pull/1436)
+  1. Added `Executable File` to `file` `type_id` enum. Added `is_readonly` as an optional attribute. [#1438](https://github.com/ocsf/ocsf-schema/pull/1438)
 
 ### Misc
   1. Fixed spelling errors throughout the project and added spell checking to the CI linter workflow. [#1411](https://github.com/ocsf/ocsf-schema/pull/1411)
@@ -102,6 +103,7 @@ Thankyou! -->
   1. Added `tcp_state_id` as `integer_t`. [#1382](https://github.com/ocsf/ocsf-schema/pull/1382)
   1. Added `query_evidence` as type `query_evidence`. [#1382](https://github.com/ocsf/ocsf-schema/pull/1382)
   1. Added `checks` as type `check`. [#1369](https://github.com/ocsf/ocsf-schema/pull/1369)
+  1. Added 'is_readonly' as type `boolean_t` with a "See specific usage" description. [#1438](https://github.com/ocsf/ocsf-schema/pull/1438)
 * #### Objects
   1. Added `assessment` object to capture evaluations/assessments of configurations/signals. [#1343](https://github.com/ocsf/ocsf-schema/pull/1343)
   1. Added `node`, `edge`, `graph` objects. [#1343](https://github.com/ocsf/ocsf-schema/pull/1343)
diff --git a/dictionary.json b/dictionary.json
@@ -3155,6 +3155,11 @@
       "description": "The indication of whether the email has been read.",
       "type": "boolean_t"
     },
+    "is_readonly": {
+      "caption": "Read-Only",
+      "description": "Indicates that an object cannot be modified. See specific usage",
+      "type": "boolean_t"
+    },
     "is_remote": {
       "caption": "Remote",
       "description": "The indication of whether the session is remote.",
diff --git a/objects/file.json b/objects/file.json
@@ -73,6 +73,10 @@
       "profile": "cloud",
       "requirement": "optional"
     },
+    "is_readonly": {
+      "description": "Indicates that the file cannot be modified.",
+      "requirement": "optional"
+    },
     "is_system": {
       "requirement": "optional"
     },
@@ -130,7 +134,7 @@
       "requirement": "optional"
     },
     "type_id": {
-      "description": "The file type ID.",
+      "description": "The file type ID. Note the distinction between a <code>Regular File</code> and an <code>Executable File</code>. If the distinction is not known, or not indicated by the log, use <code>Regular File</code>. In this case, it should not be assumed that a Regular File is not executable.",
       "enum": {
         "0": {
           "caption": "Unknown"
@@ -156,6 +160,9 @@
         "7": {
           "caption": "Symbolic Link"
         },
+        "8": {
+          "caption": "Executable File"
+        },
         "99": {
           "caption": "Other"
         }
