
Linux Audit Logs: Map event_id to ocsf.metadata.uid#23184

Merged
nbeckstead-ddog merged 2 commits into master from nbeckstead/linux-event-id
Apr 7, 2026

Conversation

@nbeckstead-ddog (Contributor)

What does this PR do?

Maps the auditd event_id field to ocsf.metadata.correlation_uid across all OCSF sub-pipelines in the Linux Audit Logs integration.

Motivation

Detection rules correlate related audit records (e.g. SYSCALL + PATH events) using @event_id. metadata.correlation_uid is the OCSF-standard field for this purpose — its description is "The unique identifier used to correlate events," which matches exactly how auditd uses event_id to group related record types within a single audit event.
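As an added illustration of the mapping under discussion (example code written for this page, not part of the integration's pipeline): a small Python converter that parses raw auditd lines, groups the SYSCALL/CWD/PATH records that share one serial number, and emits that serial as ocsf.metadata.uid, the field the PR settled on. The sample log lines are constructed; the name event_id for the serial is assumed to match the integration's field; and putting auditd's ses= value into metadata.correlation_uid is this example's own choice to show the cross-event link the reviewer describes, not a mapping the integration makes.

```python
import re
from collections import OrderedDict

# Constructed sample auditd records (written for this example, not taken
# from the page): serial 24287 spans a SYSCALL, a CWD and a PATH record;
# serial 24288 is a separate event from the same login session (ses=1).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2686 pid=3538 auid=500 uid=500 ses=1 comm="cat" exe="/bin/cat" key="sshd_config"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1364481364.001:24288): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=3538 pid=3600 auid=500 uid=500 ses=1 comm="ls" exe="/bin/ls" key="exec"
type=PATH msg=audit(1364481364.001:24288): item=0 name="/bin/ls" inode=12345 dev=fd:00 mode=0100755 ouid=0 ogid=0
"""

# Every auditd record starts with "type=<RECORD> msg=audit(<epoch>.<ms>:<serial>):".
# The serial is what auditd shares across all records of one event; the
# integration's field name for it is assumed here to be "event_id".
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)
# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one raw auditd line into {type, timestamp, event_id, fields}; None if malformed."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "event_id": m.group("serial"),
        "fields": fields,
    }


def group_events(lines):
    """Group records by event_id (the serial), preserving first-seen order of events."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["event_id"], []).append(rec)
    return events


def to_ocsf(event_id, records):
    """Build a minimal OCSF-shaped dict for one grouped audit event.

    metadata.uid             <- auditd serial (unique per event, as merged in the PR)
    metadata.correlation_uid <- auditd ses= (illustrative choice made in this
                                example only; it links several events of one
                                login session, which is the kind of cross-event
                                tie the reviewer describes)
    """
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    paths = [r["fields"]["name"] for r in records
             if r["type"] == "PATH" and "name" in r["fields"]]
    metadata = {"uid": event_id, "product": {"name": "auditd"}, "version": "1.5.0"}
    if syscall is not None and "ses" in syscall["fields"]:
        metadata["correlation_uid"] = syscall["fields"]["ses"]
    out = {
        "metadata": metadata,
        "time": round(records[0]["timestamp"] * 1000),  # OCSF time is epoch milliseconds
        "record_types": [r["type"] for r in records],
        "file_paths": paths,
    }
    if syscall is not None:
        f = syscall["fields"]
        out["actor"] = {"process": {"pid": int(f["pid"]),
                                    "name": f.get("comm"),
                                    "file": {"path": f.get("exe")}}}
    return out


def convert(raw_log):
    """Raw auditd text -> list of OCSF-shaped events, one per serial."""
    return [to_ocsf(eid, recs) for eid, recs in group_events(raw_log.splitlines()).items()]


if __name__ == "__main__":
    import json
    print(json.dumps(convert(SAMPLE_AUDIT_LOG), indent=2))
```

Running the script prints two events: the first carries metadata.uid 24287 with its SYSCALL, CWD and PATH records folded together, the second carries 24288; both share correlation_uid 1 from ses=, which is exactly the distinction the review thread draws between a per-event identifier and a cross-event one.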

github-actions bot commented Apr 6, 2026

⚠️ Recommendation: Add qa/skip-qa label

This PR does not modify any files shipped with the agent.

To help streamline the release process, please consider adding the qa/skip-qa label if these changes do not require QA testing.

@gfoss left a comment

LGTM

@cepolation-datadog (Contributor) left a comment

The event_id isn't a correlation uid. A correlation_uid is something that ties together several events, like in a session. This should map to ocsf.metadata.event_code https://schema.ocsf.io/1.5.0/objects/metadata

@nbeckstead-ddog (Contributor, Author)

> The event_id isn't a correlation uid. A correlation_uid is something that ties together several events, like in a session. This should map to ocsf.metadata.event_code https://schema.ocsf.io/1.5.0/objects/metadata

I don't think event_code is right since the ID is a random number, not an ID for a specific event type. Updated to use uid

@cepolation-datadog (Contributor) left a comment

LGTM

nbeckstead-ddog changed the title from "Linux Audit Logs: Map event_id to ocsf.metadata.correlation_uid" to "Linux Audit Logs: Map event_id to ocsf.metadata.uid" Apr 7, 2026
nbeckstead-ddog added this pull request to the merge queue Apr 7, 2026
Merged via the queue into master with commit 9ab5577 Apr 7, 2026
51 checks passed
nbeckstead-ddog deleted the nbeckstead/linux-event-id branch April 7, 2026 14:11
dd-octo-sts bot added this to the 7.79.0 milestone Apr 7, 2026