Normalization and the OCSF Data Model
Search Results Normalization into OCSF Data Model
Query normalizes the results that come from different data sources into a standardized cybersecurity data schema called OCSF - Open Cybersecurity Schema Framework. OCSF is open-source and an industry standard, with the backing and collaboration from key vendors in cybersecurity. OCSF was announced at BlackHat 2022 with its initial founding coalition including organizations like Splunk, AWS, Broadcom, Cloudflare, CrowdStrike, IBM Security, Okta, Palo Alto Networks, Rapid7, Sumo Logic, Tanium, Trend Micro, and Zscaler. For more information on OCSF, please refer to:
Query's Data Schema is OCSF
Query plays the role of the "Data Broker" by converting data from data source vendors' native formats into OCSF. This normalization results in OCSF "Objects" as Query's cybersecurity entities of interest, and OCSF "Event Classes" as the activity related to those events.
Query's version of OCSF
View and browse Query's OCSF at https://schema.query.ai/
Note: OCSF is rapidly evolving, hence Query is using a smaller, stable subset, along with some additional modifications, suitable for our cybersecurity Federated Search use-cases. Please refer to the official OCSF Documentation link to understand the broader schema.
OCSF Objects as Query's Cybersecurity Entities
OCSF Objects have been adopted into Query's data model to represent cybersecurity Entities. Each object has its set of attributes that Query can extract and set from the federated search results coming from multiple disparate data sources. Below are the OCSF Objects in Query's Data Model:
- User: Represents a user. Its attributes include fields like
name, email_addr, uid, ... - Device: Represents an endpoint. Its attributes include fields like
hostname, ip, instance_uid, ... - Network Endpoint: Represents any public/private source/destination of a network connection. Its attributes include fields like
hostname, ip, port, svc_name, ... - Process: Represents running instance of a launched program. Its attributes include fields like
name, pid, parent_process, user, ... - Email: Represents email metadata such as sender, recipients, and direction. Its attributes include fields like
from, to, subject, size, ... - File: Represents files, folders, links and mounts, including the reputation information, if applicable. Its attributes include fields like
name, path, type_id, fingerprints, ... - URL: Represents the path and reputation of a URL. Its attributes include fields like
hostname, path, scheme, port, query_string, ... - Domain Info: Represents registration information pertaining to a domain. Its attributes include fields like
domain, registrar, created_time, modified_time, ... - Location: Represents geographic location information. Its attributes include fields like
coordinates, city, country, ...
Relevant OCSF Event Classes for Query
Query normalizes and correlates the above OCSF Objects' activity information coming from various data sources into the event classes below:
- Security Finding: Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products.
- Email Activity: Email Activity events report findings and activities of emails.
- File System Activity: File System Activity events report when a process performs an action on a file or folder.
- Account Change: Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
- Authentication: Authentication events report authentication session activities such as user attempts a logon or logoff, successfully or otherwise.
- Authorization: Authorization events report special privileges or groups assigned to a session.
- Entity Management: Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.
- Network Activity: Network Activity events report network connection and traffic activity.
- HTTP Activity: HTTP Activity events report HTTP connection and traffic information.
- API Activity: API Activity events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail).
Relevant OCSF Event Categories for Query
OCSF groups similar Event Classes into what it calls "Categories". The above Event Classes fall into the below OCSF Categories. Note that Categories are not displayed in the UI and are listed here more for information on Query's schema:
- Findings: Category for any finding events. This includes
security_findingevents. - System Activity: Category for any system activity events. This includes
file_system_activityevents. - Audit Activity: Category for any audit activity events. This includes
account_change, authentication, authorization, and entity_managementevents. - Network Activity: Category for any network activity events. This includes
network_activity, http_activity, email_activity, and api_activityevents.
Searching by Time
All events in OCSF have three time attributes: time, start_time, and end_time. Query always provides a value for event time. Most systems of record have only one timestamp for events; in these cases, start_time and end_time will be empty. When you change the value of the time picker in the search bar, you're changing a filter on the time field.
Objects in OCSF do not have an association to time. Most systems of record that provide data on objects also lack this association; they respond to queries with information about the current state of the environment. Because of this, time filters are ignored when searching for objects.
Updated about 2 months ago