Open Cybersecurity Schema Framework (OCSF) in Datadog


Overview

Open Cybersecurity Schema Framework (OCSF) in Datadog is in Preview.

Cloud SIEM collects and analyzes data from a wide range of sources such as cloud services, firewalls, networks, applications, and IT systems. Since these services emit data in different formats, it often requires significant effort to normalize and prepare logs before meaningful threat analysis can occur.

The Open Cybersecurity Schema Framework (OCSF) is an open-source, vendor-neutral standard for organizing and classifying security event data. It is designed to simplify and unify how security logs are structured across platforms and products, enabling consistent threat detection and faster investigation.

At Datadog, OCSF support is integrated directly into Datadog Cloud SIEM. Incoming security logs are automatically enriched with OCSF-compliant attributes at ingestion time through out-of-the-box (OOTB) pipelines. See Supported out-of-the-box OCSF pipelines for details. As a result, you get standardized, normalized log data without manual configuration.

OCSF integration in Datadog’s Cloud SIEM enables:

  • Simplified detection rules: A unified attribute structure means detection logic can be written once and applied across multiple sources.
  • Streamlined investigations: Analysts no longer need to remember source-specific formats because one schema enables a single-query triage across providers.
  • Cross-source correlation: Detection logic can correlate events across disparate services (for example, phishing and privilege escalation).
  • Scalable integration maintenance: OCSF allows consistent schema expectations, even as new data sources are added.

OCSF model

To normalize your security data, OCSF remaps your data based on the following components:

  1. Data types, attributes, objects and arrays
  2. Event classes and categories
  3. Profiles
  4. Extensions

Data types, attributes, objects, and arrays

Data types, attributes, objects, and arrays are the main components of the OCSF model.

Name | Description
Data types | Data types define data elements as integers, strings, floating-point numbers, and boolean values.
Attributes | Attributes are the building blocks of the framework. They are used to provide the common language for your data, regardless of the source. See the attribute dictionary for a list of all attributes.
Objects | Objects are collections of related attributes that represent entities, such as a process, device, user, malware, or file.
Arrays | Arrays support any of the data types, including complex types.

Event categories and classes

Security events within the OCSF model are organized into categories, which are high-level groupings that sort events based on their data type. See OCSF Categories for more information and a list of available categories. Categories are further divided into event classes. For example, there are six classes in the Identity & Access Management category. See OCSF Event Classes for more information.

Profiles

Profiles are a class of attributes that you can optionally overlay onto event classes and the objects that reference them. A profile adds information to an existing event class and is independent of event categories. See OCSF Profiles for a list of profiles and the OCSF Profiles documentation for more information.

Extensions

You can optionally add extensions, such as new attributes, objects, categories, profiles, and event classes, to the OCSF schemas. See OCSF Extensions for more information.

Supported out-of-the-box OCSF pipelines

The following Log Management integrations support out-of-the-box OCSF pipelines:

  • Okta
  • CloudTrail
  • GitHub

View Security Pipelines - OCSF

Cloud SIEM OCSF remaps log data in Log Management’s integration pipelines. See Supported out-of-the-box OCSF pipelines for details.

To view the Integration Pipeline Library for a source:

  1. Navigate to Logs Pipelines.
  2. Click Browse Pipeline Library.
  3. Search and click on the integration you are interested in (for example, Okta).
  4. To view the OCSF pipelines for Okta, scroll down to the end of the list of processors for the Okta integration.

To view the read-only OCSF pipeline for a source integration:

  1. Navigate to Logs Pipelines.
  2. Select your pipeline.
  3. Scroll to the OCSF pipelines at the end of the pipeline’s processors.
  4. Click the OCSF pipeline to view the associated remap processors.
  5. Click the eye icon on the OCSF pipeline to view information such as the following:
    • OCSF schema version
    • Class
    • Profile

Note: Cloning the main pipeline converts OCSF pipelines into log pipelines rather than Security pipelines.

View OCSF data in logs

All OCSF values are contained in the dedicated `OCSF` attribute and are added alongside the other processing that transforms and enriches logs. This means that the OCSF data does not affect any existing detections, monitors, or dashboards.

To view OCSF data in logs:

  1. Navigate to Logs Explorer.
  2. Enter a search for your logs.
  3. Click on a log.
  4. In the side panel, scroll down to the `ocsf` JSON attributes to see the OCSF data.
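The following is an added example, not Datadog code, of the cross-source detection the Overview describes: one rule that reads only the `ocsf` attribute and therefore works the same for Okta and CloudTrail logs. The log records are constructed sample data, and the OCSF identifiers (Authentication class 3002, activity_id 1 for Logon, status_id 2 for Failure) are assumed from the public OCSF schema.

```python
from collections import defaultdict

# OCSF identifiers used by the rule (from the public OCSF schema; the example
# assumes Datadog's OCSF pipelines populate them this way).
AUTHENTICATION_CLASS_UID = 3002   # Authentication event class
LOGON_ACTIVITY_ID = 1             # activity_id: Logon
FAILURE_STATUS_ID = 2             # status_id: Failure

# Constructed sample logs: two native formats, each remapped under the
# dedicated "ocsf" attribute, so the rule never reads source-specific fields.
SAMPLE_LOGS = [
    {"source": "okta", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "alice@example.com"},
     "ocsf": {"class_uid": 3002, "activity_id": 1, "status_id": 2,
              "user": {"name": "alice@example.com"}}},
    {"source": "cloudtrail", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Failure"},
     "userIdentity": {"userName": "alice@example.com"},
     "ocsf": {"class_uid": 3002, "activity_id": 1, "status_id": 2,
              "user": {"name": "alice@example.com"}}},
    {"source": "okta", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "bob@example.com"},
     "ocsf": {"class_uid": 3002, "activity_id": 1, "status_id": 1,
              "user": {"name": "bob@example.com"}}},
    # A log no OCSF pipeline remapped: it must be skipped, not break the rule.
    {"source": "custom-app", "msg": "login failed for alice@example.com"},
]


def failed_logons_by_user(logs):
    """Count failed OCSF logon events per user, whatever the source was."""
    counts = defaultdict(int)
    for log in logs:
        ocsf = log.get("ocsf") or {}
        if (ocsf.get("class_uid") == AUTHENTICATION_CLASS_UID
                and ocsf.get("activity_id") == LOGON_ACTIVITY_ID
                and ocsf.get("status_id") == FAILURE_STATUS_ID):
            counts[ocsf.get("user", {}).get("name", "<unknown>")] += 1
    return dict(counts)


def detect_repeated_failures(logs, threshold=2):
    """Users whose failed logons, summed across all sources, reach the threshold.

    Neither source alone shows two failures for alice; the OCSF view does."""
    return sorted(u for u, n in failed_logons_by_user(logs).items() if n >= threshold)
```

The same rule written against `outcome.result` or `responseElements.ConsoleLogin` would have to be duplicated per source; reading the OCSF remap keeps the detection logic in one place.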