
supporting OCSF (Open Cybersecurity Schema Framework)

Open nyrahul opened this issue 10 months ago • 8 comments

Feature Request

The Open Cybersecurity Schema Framework (OCSF) is a collaborative, open-source effort led by AWS and leading partners in the cybersecurity industry. OCSF provides a standard schema for common security events, defines versioning criteria to facilitate schema evolution, and includes a self-governance process for security log producers and consumers.

Why should KubeArmor care about it?

OCSF is agnostic to storage format, data collection and ETL processes. The core schema for cybersecurity events is intended to be agnostic to implementations. The schema framework definition files and the resulting schema are written as JSON.

OCSF is intended to be used by both products and devices which produce log events, analytic systems, and logging systems which retain log events.

By supporting OCSF, KubeArmor can:

  • Integrate with powerful tools such as OpenSearch
  • Natively integrate with AWS monitoring infrastructure

Solution description

[image]

Tasklist

  • [ ] Identify the OCSF categories that need to be supported by KubeArmor
  • [ ] Create the mapping of the detailed fields using existing KubeArmor native JSON format.
  • [ ] Write an adapter that connects to KubeArmor Relay and exports in OCSF format
  • [ ] Connect the feed to AWS Security Lake and check if the feed is imported ok.
  • [ ] Ingest KubeArmor OCSF logs in OpenSearch (reference)
  • [ ] Documentation & Tests

nyrahul avatar Sep 08 '23 19:09 nyrahul
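As an added illustration of the second and third tasklist items (this is example code, not code from KubeArmor or sidekick): a minimal Go mapping of one KubeArmor alert into an OCSF Process Activity event, with KubeArmor-specific fields carried under `unmapped`. The KubeArmor field names are assumed from its native JSON schema, the severity bucketing is an assumed convention, and the sample alert is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Subset of KubeArmor's native alert JSON (field names assumed from KubeArmor's log schema).
type KubeArmorAlert struct {
	Timestamp     int64  `json:"Timestamp"`
	NamespaceName string `json:"NamespaceName"`
	PodName       string `json:"PodName"`
	Operation     string `json:"Operation"`
	Resource      string `json:"Resource"`
	ProcessName   string `json:"ProcessName"`
	Severity      string `json:"Severity"`
	Message       string `json:"Message"`
}
// activityIDs maps KubeArmor's Operation to OCSF Process Activity activity_id; anything else yields 0 (Unknown).
var activityIDs = map[string]int{"Process": 1} // 1 = Launch
// severityID buckets KubeArmor's 1-10 severity (assumed scale) into OCSF severity_id 1 (Informational)..5 (Critical); 0 = Unknown.
func severityID(s string) int {
	if n, err := strconv.Atoi(s); err == nil && n >= 1 && n <= 10 {
		return (n + 1) / 2
	}
	return 0
}
// ToOCSF maps one alert to an OCSF Process Activity event (category_uid 1, class_uid 1007); KubeArmor-only fields go under "unmapped".
func ToOCSF(raw []byte) (map[string]any, error) {
	var a KubeArmorAlert
	if err := json.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	return map[string]any{
		"category_uid": 1, "class_uid": 1007, "activity_id": activityIDs[a.Operation],
		"severity_id":  severityID(a.Severity),
		"time":         a.Timestamp * 1000, // OCSF timestamps are epoch milliseconds
		"message":      a.Message,
		"process":      map[string]string{"name": a.ProcessName, "cmd_line": a.Resource},
		"unmapped":     map[string]string{"NamespaceName": a.NamespaceName, "PodName": a.PodName},
	}, nil
}
// Constructed sample alert, not a real KubeArmor capture.
const sampleAlert = `{"Timestamp":1700000000,"NamespaceName":"default","PodName":"web-0","Operation":"Process","Resource":"/bin/sh -c id","ProcessName":"/bin/sh","Severity":"7","Message":"shell execution blocked"}`
func main() {
	ev, err := ToOCSF([]byte(sampleAlert))
	out, _ := json.Marshal(ev)
	fmt.Println(string(out), err)
}
```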

Hi @nyrahul! I've experience working with data formats, the concept to support OCSF for KubeArmor seems pretty interesting to me and I'd like to work on it. Could you please navigate me to KubeArmor's existing native JSON format?

rudrakshkarpe avatar Jan 16 '24 00:01 rudrakshkarpe

Hey @rudrakshkarpe! Thank you for showing interest! Schema for KubeArmor's native telemetry events can be found at: Logs and Alerts. I think most of the fields present in KubeArmor's events are present in OCSF schema as well; some fields specific to KubeArmor can be kept as unmapped fields.

We were looking into possible ways to add OCSF support in the most generic way possible. Currently KubeArmor maintains a sidekick (based on falcosidekick) which offers many integrations including OCSF. Can you try it out and see what its capabilities are? It would be great if we could make this integration work using sidekick itself without creating a new adapter!

References:

  • OCSF integration in kubearmor/sidekick - https://github.com/kubearmor/sidekick/blob/master/outputs/awssecuritylake.go#L36
  • Blog from Falco community on the same: https://falco.org/blog/falco-aws-security-lake. Though this is AWS-centric, we want to support non-AWS modes as well.

DelusionalOptimist avatar Mar 15 '24 08:03 DelusionalOptimist

Thank you @DelusionalOptimist! I appreciate your help on briefing down the issue. I'll explore Sidekick by KubeArmor and possibilities to make this integration happen without an essence of new adapter.

Though this is AWS-centric, we want to support non-AWS modes as well.

It would be great if you could list the possible support options we're looking into, so that I can consider them during my research.

rudrakshkarpe avatar Mar 15 '24 09:03 rudrakshkarpe

It would be great if you could list the possible support options we're looking into, so that I can consider them during my research.

So if you take a look into sidekick, the OCSF-specific code is put into this integration for AWS Security Lake, implying that it can only be consumed through AWS Security Lake. However, as mentioned in the issue description, OCSF can be used with tools like OpenSearch. Some other extensions can be found at - https://github.com/ocsf/ocsf-schema/blob/main/extensions.md. We want to see what's needed to support all of these generically.

DelusionalOptimist avatar Mar 15 '24 10:03 DelusionalOptimist

OCSF-specific code is put into this integration for AWS Security Lake, implying that it can only be consumed through AWS Security Lake.

Thanks for pointing that out!

We want to see what's needed to support all of these generically.

Noted! I'm looking forward to working on it; possibly I will come up with some good outcomes by the upcoming community meeting next week :) Also, I was wondering if this issue is explicit for mentorship?

rudrakshkarpe avatar Mar 15 '24 10:03 rudrakshkarpe

Also, I was wondering if this issue is explicit for mentorship?

We were thinking of doing that in this term initially but then realized sidekick might have most of the required integration already and other integrations should be possible without many changes likewise... possibly reducing the time and scope of the issue to much less than that involved in mentorship programs. We look forward to your research though to understand if it's not the case. : )

DelusionalOptimist avatar Mar 15 '24 11:03 DelusionalOptimist

Alright @DelusionalOptimist that makes sense, I'll check thoroughly over the possibilities, thank you :)

rudrakshkarpe avatar Mar 16 '24 11:03 rudrakshkarpe

Hey @rudrakshkarpe how's it going? Were you able to make any progress?

DelusionalOptimist avatar May 03 '24 15:05 DelusionalOptimist