Create a slim version of the ocsf-schema #1223

Open

nadidsky opened this issue Oct 28, 2024 · 0 comments


Comments

@nadidsky

In the context of services that charge you by volume, with OCSF, instead of reducing the volume of the logs, in many cases they get bigger.

It would be incredibly useful and cost saving to define an OCSF-slim version of the OCSF-schema that could translate to the standard OCSF schema at search time, but with a much shorter naming convention.

For instance the categories https://github.com/ocsf/ocsf-schema/blob/main/categories.json format could be:

```json
{
  "caption": "Categories",
  "name": "category",
  "shortname": "cat",
  "description": "The OCSF categories organize event classes, each aligned with a specific domain or area of focus.",
  "attributes": {
    "system": {
      "caption": "System Activity",
      "shortname": "sys",
      "description": "System Activity events.",
      "uid": 1
    },
    "findings": {
      "caption": "Findings",
      "shortname": "finds",
      "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.",
      "uid": 2
    },
    "iam": {
      "caption": "Identity & Access Management",
      "shortname": "iam",
      "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.",
      "uid": 3
    },
    "network": {
      "caption": "Network Activity",
      "shortname": "net",
      "description": "Network Activity events.",
      "uid": 4
    },
    "discovery": {
      "caption": "Discovery",
      "shortname": "disc",
      "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.",
      "uid": 5
    },
    "application": {
      "caption": "Application Activity",
      "shortname": "app",
      "description": "Application Activity events report detailed information about the behavior of applications and services.",
      "uid": 6
    },
    "remediation": {
      "caption": "Remediation",
      "shortname": "rem",
      "description": "Remediation events report the results of remediation commands targeting files, processes, and other objects.",
      "uid": 7
    }
  }
}
```

While it might be slightly harder to read (but easier to write), it will clearly improve the disk and license optimisation of the systems. Could something like this be added? Has it already been considered and discarded?
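An added example (not part of the issue or the ocsf-schema project) of the write-time shrink and search-time expand step the proposal implies, driven by the `shortname` fields in the schema. It assumes a constructed excerpt of the proposed categories.json and treats a `shortname` shared by two standard names as an error, since such a collision would make search-time expansion ambiguous.

```python
import json

# Constructed excerpt in the shape the issue proposes (not the real categories.json):
# the standard name of a field plus a "shortname" to use on disk.
SLIM_CATEGORIES = {
    "name": "category",
    "shortname": "cat",
    "attributes": {
        "system":   {"shortname": "sys",   "uid": 1},
        "findings": {"shortname": "finds", "uid": 2},
        "iam":      {"shortname": "iam",   "uid": 3},
        "network":  {"shortname": "net",   "uid": 4},
    },
}

def build_maps(schema):
    """Return (short->standard, standard->short) maps for the schema's attribute names.
    A shortname reused by a second standard name is rejected rather than silently
    overwritten, because expand() could no longer recover the original name."""
    short_to_std, std_to_short = {}, {}
    for std, attr in schema["attributes"].items():
        short = attr["shortname"]
        if short in short_to_std:
            raise ValueError(f"shortname {short!r} used by both {short_to_std[short]!r} and {std!r}")
        short_to_std[short] = std
        std_to_short[std] = short
    return short_to_std, std_to_short

def shrink(event, schema):
    """Write time: rename the category key and its value to their shortnames."""
    _, std_to_short = build_maps(schema)
    out = dict(event)
    if schema["name"] in out:
        value = out.pop(schema["name"])
        out[schema["shortname"]] = std_to_short.get(value, value)
    return out

def expand(event, schema):
    """Search time: the inverse of shrink(); values without a shortname pass through."""
    short_to_std, _ = build_maps(schema)
    out = dict(event)
    if schema["shortname"] in out:
        value = out.pop(schema["shortname"])
        out[schema["name"]] = short_to_std.get(value, value)
    return out

def bytes_saved(event, schema):
    """Serialized-size difference between the standard and the slim encoding."""
    return len(json.dumps(event)) - len(json.dumps(shrink(event, schema)))
```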
