Merge pull request SEKOIA-IO#879 from SEKOIA-IO/feat/add_ocsf_format

Add OCSF parser
HarishHary · May 22, 2024 · 13fd879 · 13fd879
2 parents b69fbf9 + c48c0f2
commit 13fd879
Show file tree

Hide file tree

Showing 37 changed files with 3,512 additions and 0 deletions.
diff --git a/OCSF/README.md b/OCSF/README.md
@@ -0,0 +1,9 @@
+# OCSF
+
+## Description
+
+OCSF
+
+## Intakes
+
+-
diff --git a/OCSF/_meta/logo.png b/OCSF/_meta/logo.png
diff --git a/OCSF/_meta/manifest.yml b/OCSF/_meta/manifest.yml
@@ -0,0 +1,5 @@
+uuid: 01f0e9a1-2c78-4118-8a70-0e86ed285a31
+name: OCSF
+slug: "ocsf"
+description: >-
+  OCSF
diff --git a/OCSF/ocsf/CHANGELOG.md b/OCSF/ocsf/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml
@@ -0,0 +1,81 @@
+ocsf.activity_id:
+  description: The normalized identifier of the activity that triggered the event.
+  name: ocsf.activity_id
+  type: long
+
+ocsf.activity_name:
+  description: The event activity name, as defined by the activity_id.
+  name: ocsf.activity_name
+  type: keyword
+
+ocsf.class_name:
+  description: 'The event class name, as defined by class_uid value: Security Finding.'
+  name: ocsf.class_name
+  type: keyword
+
+ocsf.class_uid:
+  description: The unique identifier of a class. A Class describes the attributes
+    available in an event.2001 Security FindingSecurity Finding events describe findings,
+    detections, anomalies, alerts and/or actions performed by security products.
+  name: ocsf.class_uid
+  type: long
+
+process.group.id:
+  description: ''
+  name: process.group.id
+  type: keyword
+
+process.group.name:
+  description: ''
+  name: process.group.name
+  type: keyword
+
+process.parent.user.domain:
+  description: ''
+  name: process.parent.user.domain
+  type: keyword
+
+process.parent.user.email:
+  description: ''
+  name: process.parent.user.email
+  type: keyword
+
+process.parent.user.full_name:
+  description: ''
+  name: process.parent.user.full_name
+  type: keyword
+
+process.parent.user.group.id:
+  description: ''
+  name: process.parent.user.group.id
+  type: keyword
+
+process.parent.user.group.name:
+  description: ''
+  name: process.parent.user.group.name
+  type: keyword
+
+process.user.domain:
+  description: ''
+  name: process.user.domain
+  type: keyword
+
+process.user.email:
+  description: ''
+  name: process.user.email
+  type: keyword
+
+process.user.full_name:
+  description: ''
+  name: process.user.full_name
+  type: keyword
+
+process.user.group.id:
+  description: ''
+  name: process.user.group.id
+  type: keyword
+
+process.user.group.name:
+  description: ''
+  name: process.user.group.name
+  type: keyword
diff --git a/OCSF/ocsf/_meta/logo.png b/OCSF/ocsf/_meta/logo.png
diff --git a/OCSF/ocsf/_meta/manifest.yml b/OCSF/ocsf/_meta/manifest.yml
@@ -0,0 +1,11 @@
+uuid: a9c959ac-78ec-47a4-924e-8156a77cebf5
+name: OCSF
+slug: ocsf
+
+description: >-
+  The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema.
+
+data_sources:
+  File monitoring:
+  Network device logs:
+  Process monitoring: