ocsf: add OCSF security event analytics demo app#41
Merged
Approved design for a new .tpapp wrapping the timeplus-ocsf-simulator PyPI package with four flatten views (auth, network, process, security finding) and a single dashboard. Lean v1 — no alerts, no sequence analysis, no cross-schema joins. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
17 panels across Authentication, Network Activity, Process Activity, and Security Finding event classes: 4 metric headers, 4 multi-series line charts (with color by series column), 8 tables, and 1 markdown about panel. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Each new dashboard stays under 6 live streaming queries. The overview dashboard holds the 4 headline counters and About markdown; each event class (auth, network, process, findings) gets its own 3-panel dashboard.
The 4 header metric panels were using chartType:'single_value' with a config of {updateMode, updateKey} — neither matches axion's chart registry. The actual chart type is 'singleValue' (camelCase) with a config containing the column name to display plus sparkline/delta/unit/font controls. Per-panel 'value' wired to each SELECT's alias; counts use fractionDigits=0 and events_per_sec uses fractionDigits=2.
All existing apps use a 12-column position grid (per skill/references/ dashboard-spec.md line 44 and every dashboard in apps/). The OCSF dashboards were authored against an assumed 24-column grid, which made the 3rd and 4th overview metric panels (x=12, x=18) wrap into a vertical stack on the right column. Halving x and w on every panel: overview metrics now fit 4 across, per-class line charts span the full row, and the two-table rows split 50/50. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Records the executed task-by-task plan: pre-flight simulator signature check, 9 implementation tasks, and final verification. Matches what shipped (singleValue chart fix and 12-column grid fix retroactively applied after the user spotted the bugs in the browser). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Adds a new `apps/ocsf/` Timeplus app that streams synthetic OCSF (Open Cybersecurity Schema Framework) security events from the `timeplus-ocsf-simulator` PyPI package and surfaces real-time threat-detection analytics across five dashboards.

What's in the box

Pipeline (7 resources): a Python streaming `external_stream` calling `ocsf_simulator.stream_ocsf_events` → MV → persistent `ocsf_events(raw, class_uid)` stream with configurable TTL → four flatten views projecting nested JSON into typed columns for each OCSF class:

- `v_ocsf_authentication_flatten` (3002)
- `v_ocsf_network_activity_flatten` (4001)
- `v_ocsf_process_activity_flatten` (1007)
- `v_ocsf_security_finding_flatten` (2001)

Flatten view bodies copied verbatim from `demos/cases/ocsf/extraction.sql` with three mechanical edits per file: `{{ .DB }}` templating, switch `WHERE json_value(raw, '$.class_uid') = 'NNNN'` → typed `class_uid = NNNN`, and `IF NOT EXISTS`.

Five dashboards (each ≤6 live streaming queries):

Config knobs: `event_classes`, `interval_seconds`, `ocsf_version`, `retention_hours`.

Lessons captured (memory updated)

Two non-obvious dashboard gotchas surfaced during build and are now recorded so future apps avoid them:

- `chartType: "singleValue"` (camelCase) — `single_value` is not registered in axion and silently renders "Unable to render chart"
- `x=12` or `x=18` wraps panels into a stacked column on the right edge

Test plan

- `make build install APP=ocsf` from a fresh checkout succeeds against a local Timeplus
- `SHOW STREAMS FROM ocsf` lists `ocsf_events_source`, `ocsf_events`, the 4 flatten views, and `mv_ocsf_events_ingest`
- `SELECT class_uid, count() FROM table(ocsf.ocsf_events) GROUP BY class_uid` returns positive counts for all of {1007, 2001, 3002, 4001}
- `make build install APP=ocsf` over an existing install is a clean upgrade (idempotent CREATEs)

🤖 Generated with Claude Code
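The stream → MV → flatten view chain described in the pipeline section, written out as an added Timeplus SQL illustration. This is not the app's own `extraction.sql`; the projected OCSF field paths, the `TTL` clause standing in for `retention_hours`, and the closing failed-logon query are assumptions made for the example.

```sql
-- Persistent raw store: raw OCSF JSON plus a typed class_uid column so
-- downstream views filter on an integer instead of re-parsing raw per row.
-- TTL clause is an assumption; the app derives it from retention_hours.
CREATE STREAM IF NOT EXISTS {{ .DB }}.ocsf_events
(
    raw       string,
    class_uid uint32
)
TTL to_datetime(_tp_time) + INTERVAL 24 HOUR;

-- Ingest MV: parse class_uid once, at write time, from the simulator stream.
-- ocsf_events_source is the Python external_stream named in the test plan.
CREATE MATERIALIZED VIEW IF NOT EXISTS {{ .DB }}.mv_ocsf_events_ingest
INTO {{ .DB }}.ocsf_events AS
SELECT
    raw,
    to_uint32(json_value(raw, '$.class_uid')) AS class_uid
FROM {{ .DB }}.ocsf_events_source;

-- Flatten view for OCSF Authentication (class_uid 3002).
-- Field paths follow the OCSF Authentication schema (assumed projection).
CREATE VIEW IF NOT EXISTS {{ .DB }}.v_ocsf_authentication_flatten AS
SELECT
    _tp_time,
    json_value(raw, '$.activity_name')          AS activity_name,
    to_int32(json_value(raw, '$.status_id'))    AS status_id,   -- 1 success, 2 failure
    to_int32(json_value(raw, '$.severity_id'))  AS severity_id,
    json_value(raw, '$.user.name')              AS user_name,
    json_value(raw, '$.src_endpoint.ip')        AS src_ip
FROM {{ .DB }}.ocsf_events
WHERE class_uid = 3002;
-- Before the mechanical edit the filter was a string compare on the JSON:
--   WHERE json_value(raw, '$.class_uid') = '3002'

-- Example dashboard query over the flatten view (assumed, not one of the
-- shipped panels): failed logons per user in 1-minute tumbling windows,
-- the kind of count a brute-force or spray detection panel would chart.
SELECT
    window_start,
    user_name,
    count() AS failed_logons
FROM tumble({{ .DB }}.v_ocsf_authentication_flatten, 1m)
WHERE status_id = 2
GROUP BY window_start, user_name;
```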