Purpose
The Application CDP contains up-to-date information on all software applications and "information systems" within an organization. A software application is defined as an individual piece of software installed on a device, while information systems are applications defined at the business level and may contain several devices.
Understanding the Table
The Application CDP is ideal for answering questions about the current status of all software applications. This includes understanding which applications are in use, their versions, and the vendors supplying them. Information systems running in the organization can be joined to the OCSF application_lifecycle for historical trend analysis. By leveraging this historical data, users can gain insights into the evolution and lifecycle of applications within the organization, enabling better decision-making and strategic planning.
Applications is mostly a Type 1 table. This means all columns are updated directly when new information is ingested.
A row is a unique combination of the following attributes: Application Vendor Name, Application Version, Application Name, or Application UID.
Joining to CDPs and OCSF
The application.id column should be used for all joins within the CDPs. This ensures consistency and accuracy when merging data from different sources. For joining back to OCSF tables, it is recommended to use either the application.uid or a combination of the application.name and the application.version.
Schema
Example Queries
Find all active applications
SELECT * FROM applications WHERE last_seen_time >= {date}
How to join back to OCSF
SELECT * FROM CDP.application LEFT JOIN OCSF.application_lifecycle ON CDP.application.uid = OCSF.application_lifecycle.app:uid
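Join back to OCSF with a name and version fallback

The following query is an added example, not part of the original documentation. It applies the join guidance from "Joining to CDPs and OCSF": it matches on uid when the CDP row has one and falls back to name plus version otherwise, then summarizes lifecycle history per application. The `app:name`, `app:version` and `time` references are assumptions modelled on the `app:uid` path shown above and on the OCSF `app` object and base event `time` attribute.

```sql
-- Added example: uid join with a name + version fallback.
-- Assumed (not shown on this page): app:name, app:version and time
-- exist on OCSF.application_lifecycle alongside app:uid.
SELECT
    a.id,
    a.name,
    a.version,
    COUNT(l.time) AS lifecycle_events,   -- 0 when no OCSF history matched
    MIN(l.time)   AS first_event_time,
    MAX(l.time)   AS last_event_time
FROM CDP.application AS a
LEFT JOIN OCSF.application_lifecycle AS l
    -- Preferred key: the application UID, when the CDP row carries one.
    ON (a.uid IS NOT NULL AND a.uid = l.app:uid)
    -- Fallback key: name and version together, only for rows without a UID,
    -- so a row is never matched through both paths.
    OR (a.uid IS NULL
        AND a.name    = l.app:name
        AND a.version = l.app:version)
GROUP BY a.id, a.name, a.version
ORDER BY last_event_time DESC;
```

Applications with `lifecycle_events = 0` have no matching OCSF history under either key and are worth reviewing for missing UIDs or inconsistent name and version strings.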