Hello, has anyone mapped osquery Schema to <OCSF> ...
# generalz
Zachary Schmerber
05/02/2023, 6:52 PMHello, has anyone mapped osquery Schema to OCSF yet? If not are there plans to do so?
s
seph
05/02/2023, 8:22 PM
Quickly looking at that, I’m not sure there’s a direct mapping.
osquery tables can be used to construct queries that would meet those categories.
https://github.com/teoseller/osquery-attck is similar work
z
Zachary Schmerber
05/02/2023, 8:53 PMI was thinking configuration state would be a good mapping?https://schema.ocsf.io/classes/config_state?extensions=
Zachary Schmerber
05/02/2023, 9:38 PM@seph Also OCSF is an open framework. If you think osquery could use its own class in the framework feel free to let me know or join the party. I am on the weekly meeting for OCSF and we welcome new members.
j
Josh Langner
05/03/2023, 1:37 PMCurious @Zachary Schmerber, who is behind OCSF?
z
Zachary Schmerber
05/03/2023, 9:13 PM@Josh Langner AWS, Splunk, IBM, CrowdStrike, Brodcom and about 60 others. people wise Paul Agbabian leading the charge
j
Josh Langner
05/03/2023, 9:24 PMOh interesting. I'd heard of it when it was announced. I missed the announcement on Amazon's Security Lake. Thanks for sharing
z
Zachary Schmerber
05/03/2023, 9:26 PMI think RC3 (final non breaking change version) will be published by May 31. This is when things will heat up on the adoption side.
Zachary Schmerber
05/03/2023, 9:28 PMAWS is already using RC2 but they have good Schema version controls that allow for easy migration.
s
seph
05/04/2023, 8:23 PM
I do not, personally, have the bandwidth to under and OCSF or guess whether osquery should fit. But I’d encourage interested individuals to come to office hours and do what they think makes sense.