
clawdstrike_ocsf/objects/
actor.rs

1//! OCSF Actor object.
2
3use serde::{Deserialize, Serialize};
4
5use super::process::OcsfUser;
6
/// OCSF Actor object: the identity an event attributes its action to.
///
/// All four attributes are optional, and an attribute that is `None` is left
/// out of the serialized form entirely rather than being written as `null`.
///
/// Deserialization is strict (`deny_unknown_fields`): input carrying any key
/// other than `user`, `app_name`, `app_uid` or `session` is rejected with an
/// error instead of being silently truncated. Code that parses actor data it
/// did not produce itself has to handle that error path.
// NOTE(review): `Debug` and `Serialize` emit every populated field, including
// the user and session identifiers. Confirm that is acceptable wherever this
// type is logged or exported.
#[derive(Debug, Clone, Eq, PartialEq, Deserialize, Serialize)]
#[serde(deny_unknown_fields)]
pub struct Actor {
    /// The user the action is attributed to, when one is known.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<OcsfUser>,

    /// Name of the application or agent that performed the action.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_name: Option<String>,

    /// Unique identifier of that application.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_uid: Option<String>,

    /// Session the action took place in.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub session: Option<ActorSession>,
}
24
/// Minimal session object nested inside an [`Actor`].
///
/// Only the session UID is modeled. Because of `deny_unknown_fields`, a
/// session object carrying any other key fails to deserialize.
// NOTE(review): presumably `uid` is an opaque correlation id. If it can ever
// hold a live session token, the `Debug` and `Serialize` output would expose
// it — confirm against the producers of this value.
#[derive(Debug, Clone, Eq, PartialEq, Deserialize, Serialize)]
#[serde(deny_unknown_fields)]
pub struct ActorSession {
    /// Unique identifier of the session; omitted from output when `None`.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
33
#[cfg(test)]
mod tests {
    use super::*;

    /// A fully populated `Actor` must survive a JSON encode/decode cycle unchanged.
    // NOTE(review): only the all-fields-present path is covered. Omission of
    // `None` fields and rejection of unknown keys are not exercised here.
    #[test]
    fn actor_roundtrip() {
        let user = OcsfUser {
            name: Some(String::from("agent-1")),
            uid: Some(String::from("agent-1")),
        };
        let session = ActorSession {
            uid: Some(String::from("sess-123")),
        };
        let original = Actor {
            user: Some(user),
            app_name: Some(String::from("clawdstrike")),
            app_uid: Some(String::from("hushd")),
            session: Some(session),
        };

        let encoded = serde_json::to_string(&original).unwrap();
        let decoded: Actor = serde_json::from_str(&encoded).unwrap();

        assert_eq!(original, decoded);
    }
}