Extension labeling and versioning in Metadata #477
pagbabian-splunk started this conversation in Proposals
Replies: 3 comments
-
Yes, agreed. Going back to existing extensions makes sense. As you stated, version would be very important too. +1 vote. {
-
Something basic: { We could add "type". I think that was the intention of "meta".
-
This appears to have been implemented in #503
-
There is no way within an event to determine whether an extension is part of the event, unless the extension is a net-new event class (or possibly Profile, etc.) with new names that indicate who has extended the schema. For example, Splunk had a Network File Activity extension class and a Detection Report extension class, which would not have been obvious as to who extended the schema. Even with a descriptive name indicating the extender, there may be more than one version of the extension.
At the expense of further bloat of the event, I'm suggesting that Metadata more explicitly have a place to indicate the producer or consumer that has extended that portion of the schema, and their version. The version may in fact be more important than the vendor, since just an event name with vendor prefix, for example, would not convey what version.
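An added example, not part of the discussion or of the OCSF project's code: a consumer-side check showing why an explicit extension label and version in Metadata matter when deciding how to parse an event. The `metadata.extension` object with `name` and `version`, the registry contents and the sample events are assumptions constructed for illustration.

```python
# Hypothetical consumer-side routing check. The "metadata.extension" field
# layout is an assumption for this example, not quoted from the thread.

# Constructed registry: extension name -> versions this consumer can parse.
KNOWN_EXTENSIONS = {"example_vendor": {"1.0.0", "1.1.0"}}

# Constructed subset of class names the consumer treats as core schema.
CORE_CLASSES = {"File Activity", "Network Activity"}


def classify(event):
    """Return (verdict, reason) for one decoded event dict."""
    ext = event.get("metadata", {}).get("extension")
    if ext is None:
        if event.get("class_name") in CORE_CLASSES:
            return ("core", "no extension declared, class is core")
        # The gap the post describes: nothing says who extended the schema.
        return ("quarantine", "non-core class with no extension label")
    name, version = ext.get("name"), ext.get("version")
    if not name or not version:
        return ("quarantine", "extension label missing name or version")
    if name not in KNOWN_EXTENSIONS:
        return ("quarantine", f"unknown extension {name!r}")
    if version not in KNOWN_EXTENSIONS[name]:
        # Vendor alone is not enough: an unknown version may change field meaning.
        return ("quarantine", f"{name} version {version} not supported")
    return ("extension", f"{name} {version}")


# Constructed sample events.
SAMPLE_EVENTS = [
    {"class_name": "File Activity", "metadata": {"version": "1.0.0"}},
    {"class_name": "Network File Activity", "metadata": {"version": "1.0.0"}},
    {"class_name": "Network File Activity",
     "metadata": {"extension": {"name": "example_vendor", "version": "1.1.0"}}},
    {"class_name": "Detection Report",
     "metadata": {"extension": {"name": "example_vendor", "version": "2.0.0"}}},
    {"class_name": "Detection Report",
     "metadata": {"extension": {"name": "example_vendor"}}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["class_name"], "->", classify(ev))
```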