OCSF Mapping for Custom Roles Events
This document outlines the mapping of Automox Custom Roles events to the OCSF (Open Cybersecurity Schema Framework) standard. The following table provides a detailed mapping of each Automox Custom Role event to its corresponding OCSF class and event type.
Entity Management
These events map the organization role lifecycle operations: Create, Update, and Delete.
Event Classification Matrix
| Operation | Activity ID | Activity Name | Type UID | Type Name | HTTP Status | Message |
|---|---|---|---|---|---|---|
| Create | 1 | Create | 300401 | Entity Management: Create | 201 | Organization Role Creation |
| Update | 3 | Update | 300403 | Entity Management: Update | 200 | Organization Role Update |
| Delete | 4 | Delete | 300404 | Entity Management: Delete | 200 | Organization Role Deletion |
Actor (User) Information
| Field | Description | Example Value |
|---|---|---|
| actor.user.uid | Primary user identifier (UUID) of the actor | 75c4039f-080d-477c-9eb2-af49d8f586ef |
| actor.user.uid_alt | Legacy numeric user ID | 67890 |
| actor.user.email_addr | The actor’s email address | admin@automox.com |
| actor.user.account.uid | Account/tenant UUID | 538f436e-51b0-48a5-80bc-ddbf6cc1baea |
Entity (Role) Data
Common Entity Fields
| Field | Description | Example Value |
|---|---|---|
| entity.type | Entity type classification | "Role" |
| entity.uid | Role UUID | 550e8400-e29b-41d4-a716-446655440003 |
Event-Specific Entity Data
| Field | Create | Update | Delete |
|---|---|---|---|
| entity.name | ✅ | ✅ | ❌ Not included |
| entity.data.description | ✅ | ✅ | ❌ Not included |
| entity.data.permissions[] | ✅* | ✅* | ❌ Not included |
| entity.data.scopes[] | ✅‡ | ❌ Not included | ❌ Not included |
Metadata
| Field | Purpose | Value |
|---|---|---|
| metadata.version | OCSF schema version | 1.1.0 |
| metadata.tenant_uid | Multi-tenant isolation identifier | Account UUID |
| metadata.correlation_uid | Links related events together | The UUID of the target organization. This unique identifier may correspond to an account, a global organization, or a standard organization. It specifies the organization in which the role-related action is performed. |
| metadata.product.name | Generating product name | Automox Audit Trail |
| metadata.product.vendor_name | Product vendor | Automox |
| metadata.product.version | Product version | 1.0.0-dev |
Raw Data (API Payloads)
The raw_data field preserves the original API request payload for forensic analysis.
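The following is an added example (not Automox's own code) that builds an OCSF 1.1.0 Entity Management event from a constructed role API payload, applying the classification matrix, the per-operation entity fields, the permission format and scope enum from the footnotes, and the actor, metadata and observable fields above. All identifiers are placeholders, and carrying the HTTP status in the OCSF `status_code` field is this example's assumption.

```python
import re
CLASS_UID = 3004  # OCSF Entity Management; type_uid = class_uid * 100 + activity_id
# operation -> (activity_id, activity_name, HTTP status, message) from the classification matrix
ACTIVITIES = {"create": (1, "Create", 201, "Organization Role Creation"),
              "update": (3, "Update", 200, "Organization Role Update"),
              "delete": (4, "Delete", 200, "Organization Role Deletion")}
PERMISSION_RE = re.compile(r"^[a-z_]+:[a-z_]+$")  # {resource}:{action}, e.g. endpoint:read
SCOPES = {"ACCOUNT", "GLOBAL", "ORGANIZATION"}
PRODUCT = {"name": "Automox Audit Trail", "vendor_name": "Automox", "version": "1.0.0-dev"}

def build_entity_event(operation, actor, org_uid, role, raw_payload):
    """Map one custom-role operation to an OCSF 1.1.0 Entity Management event."""
    activity_id, activity_name, http_status, message = ACTIVITIES[operation]
    bad = [p for p in role.get("permissions", []) if not PERMISSION_RE.match(p)]
    if bad or not set(role.get("scopes", [])) <= SCOPES:
        raise ValueError(f"bad permissions {bad} or scopes {role.get('scopes')}")
    entity = {"type": "Role", "uid": role["uid"]}
    if operation != "delete":  # Delete carries only entity.type and entity.uid
        entity["name"] = role["name"]
        entity["data"] = {"description": role["description"],
                          "permissions": list(role["permissions"])}
        if operation == "create":  # scopes[] is emitted on Create only
            entity["data"]["scopes"] = list(role["scopes"])
    return {
        "class_uid": CLASS_UID, "activity_id": activity_id, "activity_name": activity_name,
        "type_uid": CLASS_UID * 100 + activity_id,
        "type_name": f"Entity Management: {activity_name}",
        "status_code": str(http_status),  # assumption: HTTP status is carried in status_code
        "message": message,
        "actor": {"user": {"uid": actor["uid"], "uid_alt": actor["uid_alt"],
                           "email_addr": actor["email"],
                           "account": {"uid": actor["account_uid"]}, "org": {"uid": org_uid}}},
        "entity": entity,
        "metadata": {"version": "1.1.0", "tenant_uid": actor["account_uid"],
                     "correlation_uid": org_uid, "product": PRODUCT},
        "observables": [
            {"name": "actor.user.email_addr", "type": "Email Address", "type_id": 5,
             "value": actor["email"]},
            {"name": "actor.user.org.uid", "type": "Organization ID", "type_id": 99,
             "value": org_uid}],
        "raw_data": raw_payload,  # original API request preserved for forensics
    }
# Constructed sample input (placeholder identifiers, not real Automox values)
ACTOR = {"uid": "actor-uuid-0001", "uid_alt": 67890, "email": "admin@example.com",
         "account_uid": "account-uuid-0001"}
ROLE = {"uid": "role-uuid-0003", "name": "Patch Operators", "description": "Read-only patching",
        "permissions": ["endpoint:read", "policy:read"], "scopes": ["ORGANIZATION"]}
CREATE_EVENT = build_entity_event("create", ACTOR, "org-uuid-0002", ROLE,
                                  {"name": ROLE["name"], "permissions": ROLE["permissions"]})
```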
Observables
Security-relevant data points extracted for threat detection and SIEM analysis.
```yaml
observables:
  - name: "actor.user.email_addr"
    type: "Email Address"
    type_id: 5
    value: "admin@automox.com"
  - name: "actor.user.org.uid"
    type: "Organization ID"
    type_id: 99
    value: "b348aa75-c308-41e5-a1e4-26d56438a069"
```
User Access
These events map the user role assignment operations: Grant and Revoke.
Event Classification Matrix
| Operation | Activity ID | Activity Name | Type UID | Type Name | Message |
|---|---|---|---|---|---|
| Grant | 1 | Assign Privileges | 300501 | User Access Management: Assign Privileges | User Role Assignment |
| Revoke | 2 | Revoke Privileges | 300502 | User Access Management: Revoke Privileges | User Role Revocation |
User Information
The user object represents the target user receiving or losing privileges (NOT the actor performing the action).
```yaml
user:
  uid: "75c4039f-080d-477c-9eb2-af49d8f586ef" # Target user UUID
  email_addr: "target@automox.com" # Target user email
```
| Field | Description | Example Value |
|---|---|---|
| user.uid | UUID of user receiving/losing privileges | 75c4039f-080d-477c-9eb2-af49d8f586ef |
| user.email_addr | Email address of target user | target@automox.com |
Actor (Unmapped)
The actor field isn’t supported in version 1.1.0, but becomes available starting from 1.4.0.
For now, the field is stored under unmapped as a temporary workaround.
Once we upgrade to the latest schema version, we can officially include the actor field in User Access events.
| Field | Description | Example Value |
|---|---|---|
| unmapped.actor.user.uid | Primary user identifier (UUID) of the actor | 75c4039f-080d-477c-9eb2-af49d8f586ef |
| unmapped.actor.user.email_addr | The actor’s email address | admin@automox.com |
| unmapped.actor.user.account.uid | Account/tenant UUID | 538f436e-51b0-48a5-80bc-ddbf6cc1baea |
| unmapped.actor.user.org.uid | UUID of the organization the actor is logged on to | b348aa75-c308-41e5-a1e4-26d56438a069 |
Resource (Role) Information
The resource object describes the role being granted or revoked.
```yaml
resource:
  uid: "550e8400-e29b-41d4-a716-446655440003" # Role UUID
  type: "role" # Resource type
  namespace: "ACCOUNT" # Scope/namespace
```
| Field | Description | Example Value |
|---|---|---|
| resource.uid | UUID of the role being assigned/revoked | 550e8400-e29b-41d4-a716-446655440003 |
| resource.type | Type of resource | role |
| resource.namespace | Authorization scope ‡ | ACCOUNT |
Privileges Array
The privileges array contains UUIDs of roles being granted or revoked in this operation.
```yaml
privileges:
  - "550e8400-e29b-41d4-a716-446655440003" # Role UUID
```
Unmapped Fields
Custom fields that don't map directly to the OCSF standard schema but provide valuable context.
```yaml
unmapped:
  scope: "ACCOUNT" # Authorization scope
  actor:
    user:
      uid: "832653b0-b57b-4d8d-8695-f0e8804de91b"
```
| Field | Description | Value |
|---|---|---|
| unmapped.scope | Authorization scope (ACCOUNT/GLOBAL/ORGANIZATION) | ACCOUNT |
Rationale: These fields provide Automox-specific context that enhances OCSF events for internal security analysis without breaking OCSF compliance.
Metadata
```yaml
metadata:
  version: "1.1.0" # OCSF version
  uid: "843f7ab9-1dd5-496e-8c5f-285927c3d976" # Event UUID
  tenant_uid: "538f436e-51b0-48a5-80bc-ddbf6cc1baea" # Tenant ID
  correlation_uid: "b348aa75-c308-41e5-a1e4-26d56438a069" # Correlation ID
  product:
    name: "Automox Audit Trail"
    vendor_name: "Automox"
    version: "1.0.0-dev"
```
| Field | Description | Value |
|---|---|---|
| metadata.version | OCSF schema version | 1.1.0 |
| metadata.uid | Unique event identifier | Event-specific UUID |
| metadata.tenant_uid | Multi-tenant isolation | Account UUID |
| metadata.correlation_uid | Links related events | The UUID of the target organization. This unique identifier may correspond to an account, a global organization, or a standard organization. It specifies the organization in which the role-related action is performed. |
| metadata.product.* | Audit system metadata | Product name, vendor, version |
Observables
Security-relevant data points extracted for threat detection and SIEM analysis.
```yaml
observables:
  - name: "unmapped.actor.user.email_addr"
    type: "Email Address"
    type_id: 5
    value: "admin@automox.com"
  - name: "unmapped.actor.user.org.uid"
    type: "Organization ID"
    type_id: 99
    value: "b348aa75-c308-41e5-a1e4-26d56438a069"
```
| Observable | Type | Type ID | Value | Purpose |
|---|---|---|---|---|
| User Email | Email Address | 5 | Requester's email address | Identity tracking, anomaly detection |
| Organization ID | Organization ID | 99 | Requester's logged-on organization UUID | Event correlation, tenant isolation |
* Permission: all permissions follow the {resource}:{action} format, such as endpoint:read
‡ Scope: one of the enum values [ACCOUNT, GLOBAL, ORGANIZATION]
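As an added example (not Automox code), the following detection logic runs over constructed User Access Management events shaped like the mapping above. It resolves the actor from `unmapped.actor` for schema 1.1.0 events and from the native `actor` object for 1.4.0+ events, then flags self-assignment of privileges, grants of GLOBAL-scoped roles, and events whose `privileges` array does not contain `resource.uid`. All UUIDs are placeholders, and the rule names are this example's own.

```python
def make_event(uid, activity_id, actor_uid, target_uid, namespace, role_uid, version="1.1.0"):
    """Constructed sample event following the page's User Access mapping (class_uid 3005)."""
    actor = {"user": {"uid": actor_uid}}
    ev = {"class_uid": 3005, "activity_id": activity_id,
          "type_uid": 3005 * 100 + activity_id,
          "user": {"uid": target_uid},                    # target of the grant/revoke
          "resource": {"uid": role_uid, "type": "role", "namespace": namespace},
          "privileges": [role_uid],
          "unmapped": {"scope": namespace},
          "metadata": {"uid": uid, "version": version}}
    if version == "1.1.0":
        ev["unmapped"]["actor"] = actor                   # 1.1.0 workaround from the page
    else:
        ev["actor"] = actor                               # native actor object from 1.4.0 on
    return ev

def actor_uid_of(ev):
    """Read the acting user's UUID from whichever location the schema version uses."""
    actor = ev.get("actor") or ev.get("unmapped", {}).get("actor", {})
    return actor.get("user", {}).get("uid")

def review_user_access(events):
    """Return (rule, event uid) findings an analyst should look at."""
    findings = []
    for ev in events:
        if ev.get("class_uid") != 3005:
            continue
        eid, is_grant = ev["metadata"]["uid"], ev["activity_id"] == 1
        if is_grant and actor_uid_of(ev) == ev["user"]["uid"]:
            findings.append(("self_assignment", eid))     # actor granted a role to themselves
        if is_grant and ev["resource"]["namespace"] == "GLOBAL":
            findings.append(("global_scope_grant", eid))  # widest scope in the enum
        if ev["resource"]["uid"] not in ev["privileges"]:
            findings.append(("privileges_resource_mismatch", eid))
    return findings

# Constructed sample events (placeholder identifiers)
ADMIN, ALICE, BOB, ROLE = "admin-uuid-0001", "alice-uuid-0002", "bob-uuid-0003", "role-uuid-0003"
SAMPLE_EVENTS = [
    make_event("ev-1", 1, ADMIN, ALICE, "ACCOUNT", ROLE),           # routine grant
    make_event("ev-2", 1, BOB, BOB, "GLOBAL", ROLE),                # self-grant of a GLOBAL role
    make_event("ev-3", 2, ADMIN, ALICE, "ACCOUNT", ROLE, "1.4.0"),  # revoke, actor mapped natively
]

if __name__ == "__main__":
    for rule, eid in review_user_access(SAMPLE_EVENTS):
        print(rule, eid)
```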