Determine the reserved attributes

[rroupski]

Attributes that are either generated or derived by the collection, post-collection processing, or storage systems other than the mapping process are designated Reserved. The current list of the reserved attributes is:

• _log_time (from metadata)
• _type_uid
• _type_name
• _time
• _observables
• _raw_data
• _unmapped

This discussion is about whether the last 3 attributes should be reserved or not.

• _observables

• _raw_data

• _unmapped

• The observables should generated based the input data and the schema. In other words, the observables data should not be manually added by the source that generated the event.

• The raw_data is attribute that contains the original data as generated by the source. If the event source creates events in the OCSF Schema, then the raw_data should not be used.

• The unmapped is attribute that contains the attributes, which are not defined by the OCSF Schema. If the event source creates events in the OCSF Schema, then the unmapped attribute could be used to add additional attribute, which are not defined by the schema.

[rroupski]

IMO, only the unmapped should be removed from the reserved attributes.

[Aniak5]

I feel like raw_data should also be removed since the mapping service is in charge of it.