[DOCS-11214] Add OCSF Processor #32550
.../security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework/ocsf_processor.md
| 1. Select the OCSF schema version and class you want to use in the dropdown menus. | ||
| 1. (Optional) Select the profile in the dropdown menu. | ||
|
|
||
| #### Define mapping (class attribute) |
Is this the best heading for this section? In general I'm a little confused about the hierarchy between this heading and the next heading (ENUM attribute configuration). Are ENUM attributes a sub-category of class attributes, or are they at the same hierarchy level?
I could imagine something more like this:
#### Define mapping
##### Class attribute configuration
##### ENUM attribute configuration
Or if ENUM is indeed a sub-category, then:
#### Define mapping for OCSF schema class attributes
##### ENUM attribute configuration
| | `WARN` | 3 | `Medium` | | ||
| | `ERROR` | 4 | `High` | | ||
|
|
||
| In the **ENUM Attribute Configuration** section of the processor, you define the source log attribute that corresponds to the different attribute IDs. Some attributes are pre-populated based on the class selected. For example, in the image below, the `ocsf.metadata.version` target class has the source attribute automatically assigned. |
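Review bot: the last sentence of this paragraph calls `ocsf.metadata.version` a "target class", but it is a target attribute path (the `version` attribute of the `metadata` object); the class is the one chosen earlier from the dropdown. Suggest: "the `ocsf.metadata.version` target attribute has its source attribute automatically assigned", which also keeps the class/attribute terminology consistent with the "Define mapping (class attribute)" heading.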
I couldn't find this UI in-app to reference, so seeing it might clear up some of my confusion, but: is there a section titled ENUM Attribute Configuration in the app? It's confusing to me that that section is referenced in this paragraph, but then the screenshot is of a section with the heading "Define Mapping (OCSF Schema Class Attributes)"
I totally missed that. I'm just going to take that image out and see if the PM can give me one for ENUM attribute. Good catch!
|
|
||
| In the **ENUM Attribute Configuration** section of the processor, you define the source log attribute that corresponds to the different attribute IDs. Some attributes are pre-populated based on the class selected. For example, in the image below, the `ocsf.metadata.version` target class has the source attribute automatically assigned. | ||
|
|
||
| {{< img src="security/security_monitoring/ocsf/source_attribute_auto_assigned.png" alt="" style="width:100%;" >}} |
Missing alt text here
Removing this image.
|
|
||
| ##### Unrecognized ENUM Attribute, add as Class Attribute | ||
|
|
||
| If you see the error `Unrecognized ENUM attribute, add as a class attribute`, you are trying to add a class attribute in the ENUM attribute configuration section. To resolve the issue, add the class attribute in the [Define mapping (class attribute)](#define-mapping-class-attribute) section. |
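Review bot: the heading `Unrecognized ENUM Attribute, add as Class Attribute` does not match the error string quoted in the paragraph under it (`Unrecognized ENUM attribute, add as a class attribute`: different capitalization, and the article "a" is dropped). Suggest making the heading reproduce the error message exactly so that users searching for the error text land on this section. The link anchor `#define-mapping-class-attribute` will also need updating if the "Define mapping (class attribute)" heading is renamed as discussed above.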
| If you see the error `Unrecognized ENUM attribute, add as a class attribute`, you are trying to add a class attribute in the ENUM attribute configuration section. To resolve the issue, add the class attribute in the [Define mapping (class attribute)](#define-mapping-class-attribute) section. | |
| If you see the error `Unrecognized ENUM attribute, add as a class attribute`, you are trying to add a class attribute in the ENUM attribute configuration section. To resolve the issue, add the class attribute in the [Define mapping (OCSF Schema Class Attributes)](#define-mapping-class-attribute) section. |
it looks like Define Mapping (OCSF Schema Class Attributes) is the actual name of the section in the app
Yes, that's correct. I still like how you had Define mapping as the main header and then Class Attributes and ENUM Attributes as sub-headers. I don't think it'd be confusing for users that it doesn't follow the UI headers exactly. What do you think?
Hmmm in this case, this isn't really in reference to any of the sections on this docs page. You're telling the user to add a class attribute in a certain location, and that location is in the app, and named Define Mapping (OCSF Schema Class Attributes) — the link goes to some text about this location, but it doesn't really matter what the text is called.
I think because you're explicitly telling the user to do an action in a certain location, the text should exactly match the UI header.
Co-authored-by: cecilia saixue wat-kim <cecilia.watt@datadoghq.com>
cswatt
left a comment
lgtm!
* add doc and images
* Apply suggestions from code review
  Co-authored-by: cecilia saixue wat-kim <cecilia.watt@datadoghq.com>
* remove image
* update define mapping headers
* Update content/en/security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework/ocsf_processor.md
* Update content/en/security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework/ocsf_processor.md
* remove unused image

Co-authored-by: cecilia saixue wat-kim <cecilia.watt@datadoghq.com>

What does this PR do? What is the motivation?
Adds OCSF Processor doc.
Merge instructions
Merge readiness:
For Datadog employees:
Your branch name MUST follow the `<name>/<description>` convention and include the forward slash (/). Without this format, your pull request will not pass CI, the GitLab pipeline will not run, and you won't get a branch preview. Getting a branch preview makes it easier for us to check any issues with your PR, such as broken links. If your branch doesn't follow this format, rename it or create a new branch and PR.
[6/5/2025] Merge queue has been disabled on the documentation repo. If you have write access to the repo, the PR has been reviewed by a Documentation team member, and all of the required checks have passed, you can use the Squash and Merge button to merge the PR. If you don't have write access, or you need help, reach out in the #documentation channel in Slack.
Additional notes