Add 'Resources' Field to Various "System Activity [1]" Classes in OCSF Schema

[valllabh]

Description
Several activity classes defined in the OCSF schema currently lack a dedicated field for describing the resources affected by the respective activities. This omission limits the ability to accurately and comprehensively log and analyze these activities, particularly in environments like Kubernetes where resource identification is crucial.

Affected Activity Classes
The following activity classes do not include a 'Resources' field:

• File System Activity [1001]
• Memory Activity [1004]
• Module Activity [1005]
• Scheduled Job Activity [1006]
• Process Activity [1007]

Proposed Solution
I propose adding a new field to these activity classes to address this gap:

• Caption: Resources Array
• Name: resources
• Group: Primary
• Requirement: Recommended
• Type: Array

This field should be structured as an array to allow for the inclusion of multiple resources within a single activity event.

Use Case: Integration with Tetragon
Tetragon, an eBPF-based security observability and runtime enforcement tool, demonstrates a practical use case for this enhancement. It operates efficiently in Kubernetes environments, capturing detailed information about file events, including Kubernetes Pod data. This data is crucial for linking activities during security analysis. Currently, the File System Activity class in the OCSF schema does not offer a suitable way to store such Kubernetes-specific information. By contrast, the OCSF Security Finding class utilizes a Resource Object to map similar data, highlighting the utility of such a field.

Sample Tetragon Event

{
  "eventType": "FileDelete",
  "eventData": {
    "fileName": "/path/to/deleted/file.txt",
    "process": {
      "pid": 12345,
      "name": "example-process",
      "commandLine": "/usr/bin/example-process"
    },
    "kubernetes": {
      "pod": {
        "name": "example-pod",
        "namespace": "example-namespace",
        "labels": {
          "app": "example-app",
          "version": "v1"
        }
      },
      "node": {
        "name": "example-node"
      }
    }
  },
  "timestamp": "2023-11-20T12:34:56Z"
}

[valllabh]

#858 Issue duplicates this discussion