Advantages of FSQL
There is great variety in the types of data that are security relevant, and as a result the OCSF/QDM is a very large schema: over 70 event classes (and counting) and over 200,000 attributes, even before following its recursive relationships.
Query's entity search (based on OCSF observables) is an easy way to start searching without knowing the data model. But once an analyst moves beyond entity searches into more specific searches, or begins to map data, the size of the QDM/OCSF can be overwhelming.
Patterns within the QDM/OCSF, however, allow FSQL to provide several schema life hacks that simplify surfing the schema.
- Observables (entities) are shortcuts to many attributes, such as IP addresses or user names. The data model defines most observables by type, but in some cases defines them by specific locations in the schema. FSQL provides the `:observable` attribute selection filter and its shorthand form, `%`.
- Describing attributes by their type, whether an object like `user` or a primitive type like `ip`, provides the same shortcuts as most observables and more.
- Describing events by their category lets users address 5-10 event types at once, enabling broad searches and removing the need to know 1) the specific event types and 2) which type a given source is mapped to.
- Finding events and attributes by either their `name` (how the computer knows them) or their `caption` (how they are labeled for humans) lets analysts worry less about learning the data model, or even how to read its documentation.
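To make the four shortcuts above concrete, here is an added example that is not Query's code and does not use FSQL syntax: a small Python resolver over a hand-built, OCSF-shaped mini-schema (event classes grouped by category, attributes carrying a machine `name`, a human `caption` and a type, objects that nest recursively, observables declared by type or by exact path). The class names, categories, captions and the `by_path` observable are constructed for illustration; the real OCSF definitions differ. What it shows is the resolution logic behind each shortcut, including why a depth cap is needed once recursive objects such as `process.parent_process` are followed.

```python
"""Schema-navigation shortcuts over a constructed OCSF-style mini-schema.

Added example for this page, not Query's code and not FSQL itself. The
schema below is hand-built to mirror the shape of OCSF; every name,
caption and category in it is illustrative.
"""
from __future__ import annotations
from typing import Iterator

# Each attribute definition is (name, caption, type). Types ending in "_t"
# are primitives; any other type is the name of an object. Constructed data.
SCHEMA = {
    "objects": {
        "user": {"caption": "User", "attributes": [
            ("name", "Name", "string_t"), ("uid", "Unique ID", "string_t")]},
        "network_endpoint": {"caption": "Network Endpoint", "attributes": [
            ("ip", "IP Address", "ip_t"), ("port", "Port", "port_t"),
            ("hostname", "Hostname", "hostname_t")]},
        # process.parent_process is itself a process: a recursive relationship
        "process": {"caption": "Process", "attributes": [
            ("pid", "Process ID", "integer_t"), ("user", "User", "user"),
            ("parent_process", "Parent Process", "process")]},
        "actor": {"caption": "Actor", "attributes": [
            ("user", "User", "user"), ("process", "Process", "process")]},
        "dns_query": {"caption": "DNS Query", "attributes": [
            ("hostname", "Hostname", "hostname_t"), ("type", "Type", "string_t")]},
    },
    "events": {
        "network_activity": {"caption": "Network Activity", "category": "network",
            "attributes": [("src_endpoint", "Source Endpoint", "network_endpoint"),
                           ("dst_endpoint", "Destination Endpoint", "network_endpoint"),
                           ("actor", "Actor", "actor")]},
        "dns_activity": {"caption": "DNS Activity", "category": "network",
            "attributes": [("src_endpoint", "Source Endpoint", "network_endpoint"),
                           ("query", "DNS Query", "dns_query")]},
        "http_activity": {"caption": "HTTP Activity", "category": "network",
            "attributes": [("src_endpoint", "Source Endpoint", "network_endpoint"),
                           ("dst_endpoint", "Destination Endpoint", "network_endpoint")]},
        "authentication": {"caption": "Authentication", "category": "iam",
            "attributes": [("user", "User", "user"),
                           ("src_endpoint", "Source Endpoint", "network_endpoint"),
                           ("status_id", "Status ID", "integer_t")]},
    },
    # Most observables are declared by type; a few only by exact location
    # (the by_path entry is a constructed stand-in for that second case).
    "observables": {
        "by_type": {"ip_t": "IP Address", "hostname_t": "Hostname", "user": "User"},
        "by_path": {"authentication.user.name": "User Name"},
    },
}


def walk(schema: dict, event: str, max_depth: int = 2) -> Iterator[tuple[str, str, str]]:
    """Yield (path, caption, type) for every attribute reachable from an event.
    Object-typed attributes are expanded at most max_depth hops deep, which is
    what keeps self-referential objects such as process.parent_process finite."""
    def rec(attrs, prefix, depth):
        for name, caption, typ in attrs:
            path = f"{prefix}.{name}"
            yield path, caption, typ
            if typ in schema["objects"] and depth < max_depth:
                yield from rec(schema["objects"][typ]["attributes"], path, depth + 1)
    yield from rec(schema["events"][event]["attributes"], event, 0)


def attributes_of_type(schema: dict, type_name: str, max_depth: int = 2) -> list[str]:
    """All paths across all events whose attribute type is type_name, whether a
    primitive (ip_t) or an object (user): ask for a type, not each location."""
    return sorted(path for event in schema["events"]
                  for path, _, typ in walk(schema, event, max_depth) if typ == type_name)


def observable_paths(schema: dict, max_depth: int = 2) -> dict[str, str]:
    """Map each observable path to its label, combining observables declared
    by type with the ones declared by exact path."""
    by_type = schema["observables"]["by_type"]
    found = {path: by_type[typ] for event in schema["events"]
             for path, _, typ in walk(schema, event, max_depth) if typ in by_type}
    found.update(schema["observables"]["by_path"])
    return found


def events_in_category(schema: dict, category: str) -> list[str]:
    """Every event class in a category: one name stands in for several classes."""
    return sorted(n for n, e in schema["events"].items() if e["category"] == category)


def find(schema: dict, term: str) -> list[tuple[str, str, str]]:
    """Case-insensitive substring match of term against both the name and the
    caption of events, objects and attribute definitions.
    Returns sorted (kind, qualified name, caption) tuples."""
    t = term.lower()

    def hit(name: str, caption: str) -> bool:
        return t in name.lower() or t in caption.lower()

    out = []
    for kind, table in (("event", schema["events"]), ("object", schema["objects"])):
        for name, entry in table.items():
            if hit(name, entry["caption"]):
                out.append((kind, name, entry["caption"]))
            out += [("attribute", f"{name}.{a}", c) for a, c, _ in entry["attributes"] if hit(a, c)]
    return sorted(out)


if __name__ == "__main__":
    print(len(list(walk(SCHEMA, "network_activity", 2))), "paths at depth 2,",
          len(list(walk(SCHEMA, "network_activity", 5))), "at depth 5")
    print("ip_t:", attributes_of_type(SCHEMA, "ip_t"))
    print("observables:", len(observable_paths(SCHEMA)))
    print("network events:", events_in_category(SCHEMA, "network"))
    for kind, name, caption in find(SCHEMA, "source endpoint"):
        print(kind, name, caption)
```

Running it shows why each shortcut matters: `attributes_of_type(SCHEMA, "ip_t")` returns six `*.src_endpoint.ip` / `*.dst_endpoint.ip` paths that an analyst would otherwise have to spell out one by one; `observable_paths` adds the location-only observable on top of the type-derived ones; `events_in_category(SCHEMA, "network")` stands in for three event classes; and `find(SCHEMA, "source endpoint")` finds `src_endpoint` in every event by its caption without the analyst knowing the machine name. Raising `max_depth` makes the `process.parent_process` chain grow the path count quickly, which is the page's point about recursive relationships.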