Now that OCSF 1.3 is out, I’m overdue to highlight some of the cool new features we’ve seen released in OCSF. Version 1.2 dropped in early May and version 1.3 was just released.

As usual, some of the innovation deepens existing capabilities and some adds new capabilities.

Here’s my take on what’s new and noteworthy:

OCSF 1.2

Data Security Finding event class

The first major addition from my perspective is adding the Data Security Finding event class. When we built Query’s integration with Microsoft Purview, we needed a better way to represent the DLP events. So Query’s own Jonathan Rau designed the Data Security Finding event and contributed it to the OCSF community. The Microsoft team continues to increase their involvement in OCSF and is broadening OCSF support across their security portfolio.

The Discovery Event Category

OCSF is an event-centric schema, with its roots in SIEM products and log management. Events are “verbs”, i.e. things that happened, while objects are “nouns” – devices, users, files – things the action happened to.

When Query began working with OCSF in late 2022, there was no straightforward way to represent information about objects from systems of record, so we decided to support searching for objects without an event. But this complicates search because objects don’t have observables, a convenient way to find OCSF records by IoCs and other facts. And it complicates presenting search results because while all events have common fields to make grid views and timeline visualizations easy – time, message, etc. – objects lack this consistency.

The many discovery events added in OCSF 1.2 address Query’s specific use case for searching beyond event stores like SIEMs. Discovery events represent a system of record for information about an object. We think this is a great advancement for OCSF and will be moving Query’s search to this approach soon.
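To make the event-versus-object distinction concrete, here is an added example (my own illustration, not code from Query or the OCSF project). It holds a bare device object the way a system of record would, then wraps the same object in a Discovery-style event that carries the common event fields and observables. The field names follow OCSF conventions (class_uid, category_uid, time, message, observables[].type_id/value), but the specific uid and type_id numbers and all sample data are assumed for illustration only.

```python
"""Constructed OCSF-style records showing why bare objects are awkward to search.

Assumptions (not taken from the post): category_uid 5 = Discovery,
class_uid 5001 = Device Inventory Info, observable type_id 1 = Hostname,
observable type_id 2 = IP Address. Sample hostnames and addresses are made up.
"""

OBSERVABLE_HOSTNAME = 1  # assumed OCSF observable type_id
OBSERVABLE_IP = 2        # assumed OCSF observable type_id


def device_object(hostname: str, ip: str) -> dict:
    """A bare Device object as a CMDB or EDR console might hold it.

    Note what is missing: no time, no message, no observables.
    """
    return {"hostname": hostname, "ip": ip}


def device_inventory_event(device: dict, time_ms: int) -> dict:
    """Wrap the object in a Discovery-category event record (assumed uids).

    The event supplies the common fields every OCSF event has (time, message)
    and derives observables from the object so IoC lookups work uniformly.
    """
    return {
        "category_uid": 5,     # Discovery (assumed value)
        "class_uid": 5001,     # Device Inventory Info (assumed value)
        "time": time_ms,
        "message": f"Inventory record for {device['hostname']}",
        "device": device,
        "observables": [
            {"name": "device.hostname", "type_id": OBSERVABLE_HOSTNAME,
             "value": device["hostname"]},
            {"name": "device.ip", "type_id": OBSERVABLE_IP,
             "value": device["ip"]},
        ],
    }


def search_by_observable(records: list[dict], value: str) -> list[dict]:
    """Return records whose observables carry the given value (an IoC lookup).

    A bare object has no observables array, so it is never matched here even
    if one of its fields holds the value; that is the search problem the
    post describes.
    """
    hits = []
    for record in records:
        if any(o.get("value") == value for o in record.get("observables", [])):
            hits.append(record)
    return hits


def timeline(records: list[dict]) -> list[tuple[int, str]]:
    """Build (time, message) rows for a grid or timeline view.

    Raises ValueError for records lacking the common event fields, which is
    exactly what happens when a bare object is mixed into a result set.
    """
    rows = []
    for record in records:
        if "time" not in record or "message" not in record:
            raise ValueError("record lacks common event fields (time, message)")
        rows.append((record["time"], record["message"]))
    return sorted(rows)


if __name__ == "__main__":
    obj = device_object("ws-0042.example.test", "10.0.0.5")   # constructed sample
    evt = device_inventory_event(obj, 1_700_000_000_000)
    print(search_by_observable([obj, evt], "10.0.0.5"))      # only the event matches
    print(timeline([evt]))
```

The same lookup code serves every record once objects arrive wrapped in discovery events, which is the practical reason a search product benefits from this change: one index over observables, one set of common columns for the grid.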

Tunnel Activity event class

Finally, OCSF 1.2 added Tunnel Activity events to model tunneling activity (like VPNs and ssh tunnels) – very important in our post-COVID BYOD world.

OCSF 1.3

And now for the really new stuff! OCSF 1.3 was just released – and yes, it’s no coincidence that it was released during Black Hat. The things we’re most excited about are:

Threat Intelligence

The newest version of OCSF will model threat intelligence into OCSF. One of the first things I get asked about OCSF is “how do you represent threat intelligence in OCSF?” and until now the answer has been “you don’t!” Threat intelligence has been part of Query since the beginning and we’ve had our own custom extensions for a long time, so you can imagine we’ve been championing this addition. Jonathan Rau worked with the group to get consensus and we’re very happy with the outcome.

Remediation Events

A new category of events for remediation has been added. OCSF has had a variety of finding events for compliance and security. This new feature makes OCSF better able to represent what has been done to remediate those findings. If any of you recently spent a weekend remediating an EDR-induced problem, you can model your work in OCSF and get full credit. Remediation events continue OCSF’s tradition of MITRE support by mapping back to MITRE D3FEND countermeasures.

New Objects

We’re happy to see several new objects, including a ticket object for things like ITSM platforms, Windows services, and the Whois object – we had our own and we will now move to the OCSF version. And don’t forget the OSINT object for threat intelligence!

Validator

The last thing I’ll mention is not in OCSF per se, but it is now officially available to the community, and that’s the backwards compatibility validator. This is close to my heart because I wrote it! This validator ensures that you can’t publish a breaking change (feels like something like this has been in the news lately). I worked with the community to get consensus on what rules were needed to do this. It’s now available in OCSF’s Python library at https://github.com/ocsf/ocsf-lib-py. I’ll say more on OCSF’s new tooling in a future post.

I’ve said publicly in the past that we’re impressed and delighted by this community — I wish we had engaged sooner!