OCSF
JVM since 3.37.0 | Native since 3.37.0
Marshal and unmarshal OCSF (Open Cybersecurity Schema Framework) security events to/from JSON.
Maven coordinates
Add the coordinates to your existing project:

```xml
<dependency>
    <groupId>org.apache.camel.quarkus</groupId>
    <artifactId>camel-quarkus-ocsf</artifactId>
</dependency>
```

Check the User guide for more information about writing Camel Quarkus applications.
Usage
The OCSF (Open Cybersecurity Schema Framework) extension provides support for marshalling and unmarshalling security events following the OCSF specification.
Supported OCSF Event Classes
This extension includes support for 34 OCSF event classes, including:

- Findings: DetectionFinding, SecurityFinding, VulnerabilityFinding, ComplianceFinding
- System Activity: FileActivity, ProcessActivity, KernelActivity, MemoryActivity
- Network Activity: NetworkActivity, HttpActivity, DnsActivity, SshActivity
- IAM: Authentication, AuthorizeSession, AccountChange, GroupManagement
- Application Activity: ApiActivity, DatastoreActivity, WebResourcesActivity
All event classes extend OcsfEvent which provides common attributes like time, severity_id, class_uid, and metadata.
Example: Creating a Detection Finding
```java
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.dataformat.ocsf.OcsfConstants;
import org.apache.camel.dataformat.ocsf.model.DetectionFinding;
import org.apache.camel.dataformat.ocsf.model.FindingInfo;

public class DetectionFindingRoute extends RouteBuilder {

    @Override
    public void configure() {
        // Build the finding: a newly created, high-severity alert timestamped now
        DetectionFinding finding = new DetectionFinding();
        finding.setActivityId(OcsfConstants.ACTIVITY_CREATE);
        finding.setSeverityId(OcsfConstants.SEVERITY_HIGH);
        finding.setTime(System.currentTimeMillis());
        finding.setIsAlert(true);

        // Human-readable details carried in the finding_info object
        FindingInfo info = new FindingInfo();
        info.setTitle("Malware Detection");
        info.setDesc("Potential malware detected on endpoint");
        finding.setFindingInfo(info);

        // Serialize the event to OCSF JSON and forward it to Splunk HEC
        from("direct:start")
            .setBody(constant(finding))
            .marshal().ocsf()
            .to("splunk-hec:...");
    }
}
```
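The Usage section also mentions the unmarshalling direction, which the page's own example does not show. The route below is an added example (not code from the Camel Quarkus docs or code base) that parses an incoming OCSF JSON event and triages it by severity. It assumes that the DSL offers `.unmarshal().ocsf()` as the counterpart of the `.marshal().ocsf()` call above, that `OcsfEvent` exposes `getSeverityId()` for the `severity_id` attribute the page lists, and that `OcsfConstants.SEVERITY_HIGH` is numeric; the JSON event is constructed.

```java
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.dataformat.ocsf.OcsfConstants;
import org.apache.camel.dataformat.ocsf.model.OcsfEvent;

public class OcsfSeverityTriageRoute extends RouteBuilder {

    // Constructed sample: the JSON a sensor or log forwarder might emit
    // (class_uid 2004 is the OCSF Detection Finding class, severity_id 4 is High).
    static final String SAMPLE_EVENT = "{"
            + "\"class_uid\": 2004,"
            + "\"activity_id\": 1,"
            + "\"severity_id\": 4,"
            + "\"time\": 1700000000000,"
            + "\"is_alert\": true,"
            + "\"finding_info\": {\"title\": \"Malware Detection\","
            + " \"desc\": \"Potential malware detected on endpoint\"}"
            + "}";

    @Override
    public void configure() {
        // Feed the constructed sample once so the route can be exercised stand-alone.
        from("timer:demo?repeatCount=1")
            .setBody(constant(SAMPLE_EVENT))
            .to("direct:ocsf-in");

        from("direct:ocsf-in")
            // Assumed: unmarshal().ocsf() parses OCSF JSON into an OcsfEvent subclass.
            .unmarshal().ocsf()
            .choice()
                // Assumed: getSeverityId() backs severity_id. Missing severity is
                // treated as not-high rather than throwing on a null value.
                .when(exchange -> {
                    Integer sev = exchange.getMessage().getBody(OcsfEvent.class).getSeverityId();
                    return sev != null && sev >= OcsfConstants.SEVERITY_HIGH;
                })
                    .log("High-severity OCSF event received")
                    .to("direct:page-oncall")
                .otherwise()
                    .to("direct:archive")
            .end();

        // Placeholder sinks; replace with a real notifier and long-term store.
        from("direct:page-oncall").log("paging on-call");
        from("direct:archive").log("archived for later review");
    }
}
```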