Frequently asked questions about the Open Cybersecurity Schema Framework.
- How do I create a typical OCSF event?
- How would I populate the observables array?
- When should I use a Finding event class?
- When should I use metadata.correlation_uid?
- Can Finding events be correlated with each other too?
- How do I use the Actor object?
- When should I use the session attribute?
- When should I use the unmapped attribute?
- unmapped is of Object type. What does that mean and is it different from JSON or a String type?
- When should I use Authorize Session from Identity and Access Management vs. Web Resource Access Activity from the Application category?
- When should I use HTTP Activity vs. Web Resource Access Activity?
- Can you explain Profiles to me?
- Is there a similarity between OCSF and LDAP (and X.500)?
- How should the attribute suffixes _uid and _id be used and what are “siblings”?
- How is backwards compatibility managed?
- What changes are not backwards compatible?
- When should I use status and when should I use state when adding to the schema?
- When should I use a Module Activity: Load event and when should I use a Process Activity: Inject event?