The Search tool is the primary resource for querying data that has been normalized to the OCSF schema. It supports thorough investigations by letting you explore events, timelines, and attributes in detail.
💡What is OCSF?
From the OCSF GitHub repository:
“The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that data scientists and analysts can work with a common language for threat detection and investigation. The goal is to provide an open standard, adopted in any environment, application, or solution, while complementing existing security standards and processes.”
Learn more about OCSF here:
With the Search tool, you can:
Examine specific events and their sources.
Correlate data across multiple sources to uncover patterns and relationships.
Analyze raw data to better understand and triage potential threats.
This investigative environment is designed to simplify navigating and interpreting normalized event data, providing the context needed to triage and decide on a finding.
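The three capabilities above (examine an event and its source, correlate across sources, triage from the normalized attributes) are easier to reason about with a concrete OCSF-shaped dataset in hand. The following is an added example written for this page; it is not the Search tool's own query language or code. It assumes the OCSF field names class_uid, time, status_id, actor.user.name, src_endpoint.ip, dst_endpoint.ip/port and metadata.product.name, and the class identifiers 3002 (Authentication) and 4001 (Network Activity) from the OCSF schema; the product names and events themselves are constructed sample data.

```python
"""Added example, not the Search tool's own query language or code.
It shows what a search over OCSF-normalized events from two sources
looks like: attribute lookup by dotted path, filtering on OCSF fields,
and a time-windowed correlation across sources on a shared attribute.
Field names (class_uid, time, status_id, actor.user.name,
src_endpoint.ip, dst_endpoint.*, metadata.product.name) follow the
OCSF schema; product names and events are constructed sample data."""

from collections import Counter

T0 = 1_700_000_000_000          # constructed epoch time in ms (OCSF 'time')
MINUTE = 60_000

# Constructed events, already mapped to OCSF (assumption: an identity
# provider emits Authentication (3002) events, a firewall emits
# Network Activity (4001) events). status_id 1 = Success, 2 = Failure.
EVENTS = [
    {"class_uid": 3002, "time": T0, "status_id": 1,
     "metadata": {"product": {"name": "Example IdP"}},
     "actor": {"user": {"name": "alice"}},
     "src_endpoint": {"ip": "10.0.0.5"}},
    {"class_uid": 3002, "time": T0 + 1 * MINUTE, "status_id": 2,
     "metadata": {"product": {"name": "Example IdP"}},
     "actor": {"user": {"name": "bob"}},
     "src_endpoint": {"ip": "10.0.0.9"}},
    {"class_uid": 4001, "time": T0 + 2 * MINUTE,
     "metadata": {"product": {"name": "Example Firewall"}},
     "src_endpoint": {"ip": "10.0.0.5"},
     "dst_endpoint": {"ip": "203.0.113.7", "port": 443}},
    {"class_uid": 4001, "time": T0 + 1 * MINUTE,
     "metadata": {"product": {"name": "Example Firewall"}},
     "src_endpoint": {"ip": "10.0.0.9"},
     "dst_endpoint": {"ip": "198.51.100.4", "port": 22}},
    {"class_uid": 4001, "time": T0 + 180 * MINUTE,
     "metadata": {"product": {"name": "Example Firewall"}},
     "src_endpoint": {"ip": "10.0.0.5"},
     "dst_endpoint": {"ip": "203.0.113.7", "port": 443}},
]


def get_path(event, path):
    """Resolve a dotted OCSF attribute path, e.g. 'actor.user.name'.
    Returns None when any segment is missing (an unmapped attribute)."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def search(events, criteria):
    """Return events whose attributes equal every (path, value) criterion."""
    return [ev for ev in events
            if all(get_path(ev, p) == v for p, v in criteria.items())]


def sources(events):
    """Count events per producing source (the 'source' shown for an event)."""
    return Counter(get_path(ev, "metadata.product.name") for ev in events)


def correlate_logon_to_network(events, window_ms):
    """Join successful logons (3002) to Network Activity (4001) from the
    same src_endpoint.ip that occurs within window_ms after the logon."""
    logons = search(events, {"class_uid": 3002, "status_id": 1})
    network = search(events, {"class_uid": 4001})
    pairs = []
    for logon in logons:
        ip = get_path(logon, "src_endpoint.ip")
        for net in network:
            delta = net["time"] - logon["time"]
            if get_path(net, "src_endpoint.ip") == ip and 0 <= delta <= window_ms:
                pairs.append((get_path(logon, "actor.user.name"), net))
    return pairs


if __name__ == "__main__":
    print(sources(EVENTS))
    for user, net in correlate_logon_to_network(EVENTS, 10 * MINUTE):
        print(user, "->", get_path(net, "dst_endpoint.ip"),
              get_path(net, "dst_endpoint.port"))
```

Because both sources are mapped to the same schema, the correlation key (src_endpoint.ip) and the time field mean the same thing in both event classes, which is what makes the join trustworthy; a failed logon (status_id 2) and activity outside the window are deliberately left out of the result.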
⚠️ Attention
Search currently runs only on data sources that have been mapped to the OCSF schema, and only on a selected set of significant OCSF event classes.
The Search tool is built around the structure of the OCSF schema and may use terms and elements that originate from it. Learn more about OCSF terminology here.
The Search tool does not run on raw, unmapped data from custom data sources.
📘In this section