I’m integrating Snort IDS alerts into an OCSF pipeline. Which category or class should IDS alerts use? How should I handle custom fields not in OCSF? Any tips for severity mapping? Looking for best practices from others who’ve done this.
Check out this article: https://github.com/ocsf/ocsf-docs/blob/main/articles/modeling-alerts.md

In general, you want to think of an IDS alert as a Detection Finding and set the `is_alert` field to `true`. If regular events can be escalated into alerts, use the Security Control profile.

A Detection Finding is more high-level and has "container semantics", e.g., consider putting your contributing events into `finding_info.related_events`.
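As an added example (not from the OCSF docs or the answer above), here is a small Python converter that applies that advice to a constructed Snort `alert_fast` line: Detection Finding (`class_uid` 2004), `is_alert` set to true, contributing events under `finding_info.related_events`, a Snort priority to OCSF `severity_id` mapping, and Snort-only fields kept under OCSF's `unmapped` attribute. The regex, the priority mapping table and the related-event `type_uid` are assumptions to adjust for your own pipeline.

```python
import re
from datetime import datetime, timezone

# Layout of a Snort alert_fast line (assumed; constructed sample below).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Snort priority (1 = most severe) -> OCSF severity_id; assumed mapping, tune per site.
# OCSF severity_id: 1 Informational, 2 Low, 3 Medium, 4 High (0 = Unknown).
PRIORITY_TO_SEVERITY = {1: 4, 2: 3, 3: 2, 4: 1}

# Constructed sample line; SID 1000001 is a local test range, not a real rule.
SAMPLE_LINE = ("01/15-10:23:45.123456  [**] [1:1000001:1] CONSTRUCTED sample signature [**] "
               "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
               "10.0.0.5:80 -> 192.168.1.10:49152")


def snort_to_detection_finding(line: str, year: int, related_uids: list[str]) -> dict:
    """Map one alert_fast line to an OCSF Detection Finding (class_uid 2004)."""
    m = FAST_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort alert_fast line")
    f = m.groupdict()
    # alert_fast timestamps carry no year; the caller supplies it (assumed UTC).
    ts = datetime.strptime(f"{year}/{f['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    ts = ts.replace(tzinfo=timezone.utc)
    return {
        "category_uid": 2,                       # Findings
        "class_uid": 2004,                       # Detection Finding
        "activity_id": 1,                        # Create
        "type_uid": 2004 * 100 + 1,
        "time": int(ts.timestamp() * 1000),      # epoch milliseconds
        "severity_id": PRIORITY_TO_SEVERITY.get(int(f["prio"]), 0),
        "is_alert": True,                        # IDS alert, per the answer above
        "metadata": {"product": {"name": "Snort"}, "version": "1.1.0"},
        "finding_info": {
            "uid": f"{f['gid']}:{f['sid']}:{f['rev']}",
            "title": f["msg"],
            "analytic": {"type_id": 1, "name": f["msg"], "uid": f["sid"]},  # 1 = Rule
            # Contributing events (e.g. the packet records that fired the rule);
            # type_uid 400100 = Network Activity, activity Unknown (assumed).
            "related_events": [{"uid": u, "type_uid": 400100} for u in related_uids],
        },
        "src_endpoint": {"ip": f["src"], "port": int(f["sport"])},
        "dst_endpoint": {"ip": f["dst"], "port": int(f["dport"])},
        # Fields with no OCSF home stay under unmapped instead of being dropped.
        "unmapped": {"snort_classification": f["cls"], "snort_priority": int(f["prio"])},
        "raw_data": line,
    }
```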