Skip to content

Update docs for better information on constructing and using arrays#132

Merged
pagbabian-splunk merged 5 commits intoocsf:mainfrom
jasonbreimer:array_description
Apr 17, 2026
Merged

Update docs for better information on constructing and using arrays#132
pagbabian-splunk merged 5 commits intoocsf:mainfrom
jasonbreimer:array_description

Conversation

@jasonbreimer
Copy link
Copy Markdown
Contributor

@jasonbreimer jasonbreimer commented Mar 20, 2026

Summary

This PR modifies the Understanding OCSF and Schema FAQ documentation for arrays, describing how arrays should be modeled and populated in OCSF.

Changes Included

  • Rewrote the Arrays documentation section
  • Added a new FAQ entry for array's

Pending Changes

  1. Should date be updated in Understanding OCSF?
  2. Create PDF version
  3. Change logs

@jasonbreimer
Update understanding-ocsf.md
7a35cb3 
Start array's modification for clarity and examples

Signed-off-by: Jason Reimer <jason.reimer@tanium.com>
@jasonbreimer
Update understanding-ocsf.md
15ab5f7 
add an intro and adjust formatting

Signed-off-by: Jason Reimer <jason.reimer@tanium.com>
@jasonbreimer
Update understanding-ocsf.md
2df2c98 
try to emulate Paul's writing style.

Signed-off-by: Jason Reimer <jason.reimer@tanium.com>
@jasonbreimer
Update schema-faq.md
adb08b9 
add array information to faq

Signed-off-by: Jason Reimer <jason.reimer@tanium.com>
@jasonbreimer jasonbreimer self-assigned this Mar 20, 2026
@jasonbreimer jasonbreimer added the documentation Improvements or additions to documentation label Mar 20, 2026
@jasonbreimer
Copy link
Copy Markdown
Contributor Author

jasonbreimer commented Mar 20, 2026

Hello @floydtree! What do you think of these changes. This is based upon all the questions that came up again when creating gpu_info_list.

@jasonbreimer
Copy link
Copy Markdown
Contributor Author

jasonbreimer commented Mar 20, 2026

hey @pagbabian-splunk on the Understanding OCSF how would you like to handle the date field Date: September 2024? Is that a value that should be updated with this change?

@pagbabian-splunk
Copy link
Copy Markdown
Contributor

pagbabian-splunk commented Mar 20, 2026

hey @pagbabian-splunk on the Understanding OCSF how would you like to handle the date field Date: September 2024? Is that a value that should be updated with this change?

Hi @jasonbreimer I have a few other tweaks I need to make (and have been lax on doing) so thanks for the reminder. I will get that date change done as part of it. Hopefully by this weekend.

pagbabian-splunk
pagbabian-splunk previously approved these changes Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@pagbabian-splunk pagbabian-splunk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks very good!

@pagbabian-splunk pagbabian-splunk marked this pull request as ready for review March 31, 2026 01:04
floydtree
floydtree requested changes Mar 31, 2026
View reviewed changes
Comment thread overview/understanding-ocsf.md Outdated
Comment thread overview/understanding-ocsf.md Outdated
@floydtree
Copy link
Copy Markdown
Contributor

floydtree commented Mar 31, 2026

@jasonbreimer this is fantastic, just a couple minor comments

@jasonbreimer
Final changes
c301050 
Replaced IP examples with existing OCSF attributes (finding_info / finding_info_list) to better show changes.

Updated Dated and Version

Signed-off-by: Jason Reimer <jason.reimer@tanium.com>
@pagbabian-splunk pagbabian-splunk merged commit c59534f into ocsf:main Apr 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Aniak5 Aniak5 Aniak5 approved these changes

@zschmerber zschmerber zschmerber approved these changes

@pagbabian-splunk pagbabian-splunk pagbabian-splunk approved these changes

@floydtree floydtree floydtree approved these changes

@mikeradka mikeradka Awaiting requested review from mikeradka mikeradka is a code owner

@rmouritzen-splunk rmouritzen-splunk Awaiting requested review from rmouritzen-splunk rmouritzen-splunk is a code owner

Assignees

@jasonbreimer jasonbreimer

Labels

documentation Improvements or additions to documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@jasonbreimer @pagbabian-splunk @floydtree @Aniak5 @zschmerber