using OCSF schema for generating audits in saas product

[shreyasGit]

Hi Experts,
We are a SaaS product and were thinking of leveraging ocsf schema, for generating audit events in our product. these audit events will be generated by multiple components of a product and will be collated for usage. (Can be made available via Api, real time etc.)

The driver of doing this being - Security / Audit level security logging is going to be a requirement for SaaS vendors in the future & SaaS vendors must start providing more detailed logging from their solutions towards customers. The expectation will be that SaaS solutions output information which can be integrated with the customers security monitoring (SIEM) in real-time.

Few questions

1. we were thinking of using a Kafka topic for capturing audit events, will it be a good idea to build an Avro schema based on ocsf schema?
   2)is something of this kind done already somewhere? would i be able to generate Avro schema from Json schema ocsf provides?
   3)is it good time to use ocsf schema to generate audit or its early stage and things could change.

I need some guidance on this approach, we were thinking of designing a custom Avro schema ,earlier and we stumbled upon ocsf schema.

Thanks for your attention.

[jp-harvey]

Hi @shreyasGit, I had a look in the OCSF Slack workspace and found that there is a member who is representing OCSF in Avro. I've asked in the Slack workspace if he can comment on here as I'm not sure of his GH username, but you may also want to join the open Slack workspace, the process according to our docs is:

If you would like to be invited to join, send an email to [email protected]. Tell us about interests and introduce yourself to the group after you accept an invite.

[shreyasGit]

Thanks for that, Also have joined slack community

[brbrown25]

@shreyasGit I'm an engineer over at SecurityScorecard and we indeed represented OCSF in avro for a security findings event utilizing KsqlDB to convert our data into a valid schema representation of an OCSF SecurityFinding event. This was something that we had automatically created in the schema registry and basically we played with the query to get a sample record and validated it with the OCSF api to make sure it would work.

I have not explored the space much but I'd say there should be tools that could convert json schema into avro. From my stand point, it would be great if the schema definitions where provided in multiple formats (avro, json schema, protobuf). Even if it was just a tool that derived avro and protobuf from json schema. One thing I've liked about protobuf is the compile time check but I know avro is a very common format especially when creating say parquet files.

[shreyasGit]

Thanks for the reply, i am for now interested in events Audit Activity category, but i understand its not possible to import in Avro selectively in absence of any tools.and approach you took is to convert your data into ocsf format using ksqldb approach.