Map Data to OCSF
In this tutorial you'll learn how to map events to Open Cybersecurity Schema Framework (OCSF). We walk you through an example of events from a network monitor and show how you can use Tenzir pipelines to easily transform them so that they become OCSF-compliant events.
The diagram above illustrates the data lifecycle and where the OCSF mapping takes place: you collect data from various data sources, each of which has a different shape, and then convert it to a standardized representation. The primary benefit is that normalization decouples data acquisition from downstream analytics, allowing the two to scale independently.
OCSF Primer
The OCSF is a vendor-agnostic event schema (aka. "taxonomy") that defines structure and semantics for security events. Here are some key terms you need to know to map events:
- Attribute: a unique identifier for a specific type, e.g., `parent_folder` of type `String` or `observables` of type `Observable Array`.
- Event Class: the description of an event defined in terms of attributes, e.g., `HTTP Activity` and `Detection Finding`.
- Category: a group of event classes, e.g., `System Activity` or `Findings`.
The diagram below illustrates how subsets of attributes form an event class:
The Base Event Class is a special event class that's part of every event class. Think of it as a mixin of attributes that get automatically added:
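To make the primer concrete, here is an added example, written in Python rather than as a Tenzir pipeline and not taken from Tenzir's code, that maps one constructed network-monitor HTTP record onto the `HTTP Activity` event class. It shows the Base Event Class acting as a mixin (`class_uid`, `category_uid`, `activity_id`, `type_uid`, `severity_id`, `time`, `metadata` are attached to every event), adds the class-specific attributes, fills the `observables` Observable Array, and checks that nothing from the base class was dropped. The numeric identifiers (category 4, class 4002, activity and observable `type_id` values, the `type_uid = class_uid * 100 + activity_id` rule) are assumed from OCSF 1.x and are not stated on this page; the product name and `metadata.version` are placeholders.

```python
"""Added example (not Tenzir's code, not a Tenzir pipeline): map a constructed
network-monitor HTTP record onto the OCSF "HTTP Activity" event class and
attach the Base Event Class attributes every OCSF event carries.
Numeric identifiers are assumed from OCSF 1.x; confirm them against the
schema version you target."""
from datetime import datetime

# Constructed sample input: one record as a network monitor might emit it.
RAW_HTTP_EVENT = {
    "ts": "2024-05-01T12:34:56Z",
    "src_ip": "10.0.0.5",
    "src_port": 51234,
    "dst_ip": "93.184.216.34",
    "dst_port": 443,
    "method": "GET",
    "host": "example.com",
    "uri": "/index.html",
    "status": 200,
    "user_agent": "curl/8.0",
}

# OCSF identifiers (assumed from OCSF 1.x, not given on the page).
CATEGORY_NETWORK_ACTIVITY = 4
CLASS_HTTP_ACTIVITY = 4002
HTTP_ACTIVITY_IDS = {
    "CONNECT": 1, "DELETE": 2, "GET": 3, "HEAD": 4,
    "OPTIONS": 5, "POST": 6, "PUT": 7, "TRACE": 8,
}
ACTIVITY_OTHER = 99
SEVERITY_INFORMATIONAL = 1
OBSERVABLE_HOSTNAME = 1
OBSERVABLE_IP_ADDRESS = 2

# Attributes the Base Event Class requires in every OCSF event.
BASE_REQUIRED = {
    "activity_id", "category_uid", "class_uid", "metadata",
    "severity_id", "time", "type_uid",
}


def base_event(category_uid, class_uid, activity_id, ts_iso,
               severity_id=SEVERITY_INFORMATIONAL):
    """Build the Base Event Class mixin shared by every event class."""
    ts = datetime.fromisoformat(ts_iso.replace("Z", "+00:00"))
    return {
        "category_uid": category_uid,
        "class_uid": class_uid,
        "activity_id": activity_id,
        # OCSF derives type_uid as class_uid * 100 + activity_id.
        "type_uid": class_uid * 100 + activity_id,
        "severity_id": severity_id,
        # OCSF "time" is epoch milliseconds.
        "time": int(ts.timestamp() * 1000),
        # Placeholder version and product name (assumed, not from the page).
        "metadata": {"version": "1.1.0",
                     "product": {"name": "network-monitor"}},
    }


def to_http_activity(raw):
    """Map a raw network-monitor record to an OCSF HTTP Activity event."""
    method = raw["method"].upper()
    activity_id = HTTP_ACTIVITY_IDS.get(method, ACTIVITY_OTHER)
    event = base_event(CATEGORY_NETWORK_ACTIVITY, CLASS_HTTP_ACTIVITY,
                       activity_id, raw["ts"])
    # Class-specific attributes of HTTP Activity.
    event.update({
        "src_endpoint": {"ip": raw["src_ip"], "port": raw["src_port"]},
        "dst_endpoint": {"ip": raw["dst_ip"], "port": raw["dst_port"]},
        "http_request": {
            "http_method": method,
            "url": {"hostname": raw["host"], "path": raw["uri"]},
            "user_agent": raw["user_agent"],
        },
        "http_response": {"code": raw["status"]},
        # "observables" is the Observable Array attribute named in the primer:
        # pivot values lifted out of the event, each tagged with a type_id.
        "observables": [
            {"name": "dst_endpoint.ip", "type_id": OBSERVABLE_IP_ADDRESS,
             "value": raw["dst_ip"]},
            {"name": "http_request.url.hostname",
             "type_id": OBSERVABLE_HOSTNAME, "value": raw["host"]},
        ],
    })
    return event


def missing_base_attributes(event):
    """Return the Base Event Class attributes an event lacks, sorted."""
    return sorted(BASE_REQUIRED - set(event))


def validate(event):
    """Reject events that skip the base mixin or break the type_uid rule."""
    missing = missing_base_attributes(event)
    if missing:
        raise ValueError(f"missing base attributes: {missing}")
    expected = event["class_uid"] * 100 + event["activity_id"]
    if event["type_uid"] != expected:
        raise ValueError(f"type_uid {event['type_uid']} != {expected}")
    return True


if __name__ == "__main__":
    import json
    ocsf_event = to_http_activity(RAW_HTTP_EVENT)
    validate(ocsf_event)
    print(json.dumps(ocsf_event, indent=2))
```

The split between `base_event` and `to_http_activity` mirrors the schema's own layering: the base mixin is the same for every class, so a pipeline that maps several source formats needs the class-specific part written once per event class but the base part only once. Unrecognized HTTP methods fall back to activity 99 (Other) rather than being dropped, which keeps the event countable while flagging it for review.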