Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hello, has anyone mapped osquery Schema to <https://schema.ocsf.io/|OCSF> yet? If not are there plans to do so?

Quickly looking at that, I’m not sure there’s a direct mapping.

osquery tables can be used to construct queries that would meet those categories.

<https://github.com/teoseller/osquery-attck> is similar work

I was thinking configuration state would be a good mapping?<https://schema.ocsf.io/classes/config_state?extensions=>

<@U7QP20JQH> Also OCSF is an open framework. If  you think osquery could use its own class in the framework feel free to let me know or join the party. I am on the weekly meeting for OCSF and we welcome new members.

Curious <@U055XBBQR26>, who is behind OCSF?

<@U02GN3QCQQH> AWS, Splunk, IBM, CrowdStrike, Brodcom and about 60 others. people wise <https://www.splunk.com/en_us/blog/security/open-cybersecurity-schema-framework-ocsf-gains-momentum.html|Paul Agbabian> leading the charge

Oh interesting. I'd heard of it when it was announced. I missed the announcement on Amazon's Security Lake. Thanks for sharing

I think RC3 (final non breaking change version) will be published by May 31. This is when things will heat up on the adoption side.

AWS is already using RC2 but they have good Schema version controls that allow for easy migration.

I do not, personally, have the bandwidth to under and OCSF or guess whether osquery should fit. But I’d encourage interested individuals to come to office hours and do what they think makes sense. 