Working with OCSF-formatted data in the Splunk platform and Splunk Enterprise Security

Use add-ons and CIM mappings to support timestamp extraction and threat detection for Open Cybersecurity Schema Framework (OCSF) events in the Splunk platform.

For best results when working with OCSF-formatted data in the Splunk platform, install and configure the OCSF-CIM Add-On for Splunk. This add-on provides the .conf file stanzas and Common Information Model (CIM) mappings that allow the Splunk platform to work with OCSF-formatted data effectively.
Note: The OCSF-CIM Add-On for Splunk is not a Splunk-supported application. It is provided "as is" without any warranties, maintenance and support, or service level commitments.

If you choose not to use the OCSF-CIM Add-On for Splunk, then you must manually configure timestamp extractions in the Splunk platform and detections in Splunk Enterprise Security.

To convert your incoming data to OCSF format and then analyze it using Splunk Enterprise Security, do the following:
  1. To configure the Splunk platform deployment to extract event timestamps for the incoming OCSF-formatted data, do one of the following:
    • Install and configure the OCSF-CIM Add-On for Splunk. When configuring the add-on, you must select the source types that are prefixed by ocsf: and correspond to your incoming data. For example, if you are ingesting and converting cisco:asa data to OCSF format, then select the ocsf:cisco:asa source type when configuring the add-on. For more information, see the OCSF-CIM Add-On for Splunk documentation.

    • Add the following stanza to the props.conf file for your indexers:
      [(?::){0}ocsf:*]
      SHOULD_LINEMERGE = False
      TRUNCATE = 8388608
      TIME_PREFIX = "time"\s*\:\s*
      TIME_FORMAT = %s%6N
      MAX_TIMESTAMP_LOOKAHEAD = 25
      KV_MODE = json
      category = Structured
      description = JSON-formatted data compliant with OCSF (Open Cybersecurity Schema Framework)

      For more information, see props.conf in the Splunk Enterprise Admin Manual and Configure timestamp recognition in the Splunk Cloud Platform Getting Data In manual.

  2. In the Ingest Processor service, create a pipeline that converts your incoming data to OCSF format and then sends it to the Splunk platform. You can choose to convert the data using the ocsf SPL2 command or the to_ocsf SPL2 evaluation function.
    Note: In both cases, you can configure the pipeline to preserve a copy of the original data.
  3. If you did not install the OCSF-CIM Add-On for Splunk, then you must create detections in Splunk Enterprise Security to search for threats in your OCSF-formatted data. For more information, see the Detections chapter in the Administer Splunk Enterprise Security manual.

  4. In Splunk Enterprise Security, navigate to the Mission Control page and review the analyst queue for any findings resulting from your data. For more information, see the Findings chapter in the Administer Splunk Enterprise Security manual.
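The props.conf stanza in step 1 works only if the "time" field in your OCSF events actually has the shape that TIME_PREFIX and TIME_FORMAT = %s%6N describe. The following Python script is an added example, not code from Splunk or from the OCSF-CIM Add-On for Splunk; it approximates what those three settings (TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD) do to a raw event so you can check sample data before indexing it. The sample events are constructed, and the exact fallback behavior of the Splunk timestamp processor is not reproduced. The check is mainly useful for catching a value-length mismatch: %s%6N expects ten epoch-second digits followed by exactly six subsecond digits, so a source that emits a 13-digit epoch-millisecond value is split as 7 + 6 digits and silently resolves to a date in 1970 rather than failing loudly.

```python
import re
from datetime import datetime, timezone

# Settings taken from the props.conf stanza in step 1.
# TIME_PREFIX is a regex that must match immediately before the timestamp.
TIME_PREFIX = re.compile(r'"time"\s*\:\s*')
# Splunk reads at most this many characters after the prefix match.
MAX_TIMESTAMP_LOOKAHEAD = 25
# TIME_FORMAT = %s%6N: epoch seconds followed by exactly six subsecond digits.
SUBSECOND_DIGITS = 6

# Constructed sample events (assumed shapes, not real telemetry).
SAMPLE_EVENTS = [
    # 10 epoch-second digits + 6 subsecond digits: what %s%6N expects today
    '{"class_uid":4001,"time":1700000000123456,"severity_id":3,"activity_id":1}',
    # whitespace around the colon is absorbed by the \s* in TIME_PREFIX
    '{"time" : 1700000000000000, "class_uid": 3002}',
    # 13-digit value (epoch milliseconds): %s%6N splits it as 7 + 6 digits
    '{"class_uid":4001,"time":1700000000123,"severity_id":3}',
    # no time field: Splunk would fall back to other timestamp sources
    '{"class_uid":4001,"severity_id":3}',
]


def parse_time_field(raw: str) -> dict:
    """Approximate the stanza's timestamp extraction for one raw event.

    Returns a dict with a 'status' key:
      'ok'             - a 16-digit value parsed as seconds + microseconds
      'suspect_length' - digits found, but not the 16 that %s%6N needs
                         for present-day epochs (the parse is shown anyway)
      'too_short'      - six digits or fewer, so %s%6N cannot apply
      'no_digits'      - prefix matched but no number inside the lookahead
      'no_time_prefix' - TIME_PREFIX did not match at all
    """
    m = TIME_PREFIX.search(raw)
    if not m:
        return {"status": "no_time_prefix"}
    # Only the characters inside the lookahead window are considered.
    window = raw[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    digits = re.match(r"\d+", window)
    if not digits:
        return {"status": "no_digits"}
    value = digits.group(0)
    if len(value) <= SUBSECOND_DIGITS:
        return {"status": "too_short", "value": value}
    # %s takes everything before the last six digits, %6N takes the rest.
    seconds = int(value[:-SUBSECOND_DIGITS])
    micros = int(value[-SUBSECOND_DIGITS:])
    ts = datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=micros)
    status = "ok" if len(value) == 16 else "suspect_length"
    return {"status": status, "value": value, "timestamp": ts.isoformat()}


def audit(events):
    """Return one result per event plus the number of events that did not
    parse cleanly; that count is what to review before indexing."""
    results = [parse_time_field(e) for e in events]
    problems = sum(1 for r in results if r["status"] != "ok")
    return results, problems


if __name__ == "__main__":
    results, problems = audit(SAMPLE_EVENTS)
    for event, result in zip(SAMPLE_EVENTS, results):
        print(f"{result['status']:15} {result.get('timestamp', '-'):32} {event[:60]}")
    print(f"{problems} of {len(SAMPLE_EVENTS)} events need attention")
```

Run the script against a file of your own raw events (one JSON object per line) in place of SAMPLE_EVENTS. Any event reported as suspect_length or too_short indicates that the source's time precision does not match %s%6N, and you should adjust TIME_FORMAT for that source type rather than accept silently wrong event times in Splunk Enterprise Security.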

See also