
OCSF Export

OCSF schema mapping for SIEM integration

Flight Recorder exports action records in OCSF (Open Cybersecurity Schema Framework) format, enabling native integration with any OCSF-compatible SIEM: Splunk, Microsoft Sentinel, Datadog, Google Chronicle, and others.

How It Works

The exporter.py module maps Flight Recorder records to OCSF Class 6003 (API Activity):

from pramiti_flight_recorder import FlightRecorder
 
fr = FlightRecorder()
 
# Export all records as OCSF events
ocsf_events = fr.export_ocsf()
 
# Export filtered records
ocsf_events = fr.export_ocsf(
    agent_id="sales-agent-1",
    start="2026-01-01",
    end="2026-06-30"
)

Each OCSF event includes:

{
  "class_uid": 6003,
  "class_name": "API Activity",
  "activity_name": "update",
  "actor": {
    "user": {"uid": "sales-agent-1", "type": "System"}
  },
  "api": {
    "operation": "salesforce.update_contact",
    "request": {"uid": "record-uuid"}
  },
  "status": "Success",
  "severity_id": 1,
  "time": 1719792000000,
  "metadata": {
    "product": {"name": "Pramiti Flight Recorder", "vendor_name": "Pramiti Labs"},
    "version": "1.0.0"
  }
}

OCSF Field Mapping

| Flight Recorder Field | OCSF Field        | Notes                             |
|-----------------------|-------------------|-----------------------------------|
| agent_id              | actor.user.uid    | Agent identity                    |
| tool_name             | api.operation     | Namespaced tool name              |
| action_type           | activity_name     | create, read, update, delete      |
| verdict               | status            | Mapped to Success/Failure/Other   |
| created_at            | time              | Unix timestamp in milliseconds    |
| id                    | api.request.uid   | Record UUID                       |

Severity Mapping

| Verdict  | OCSF Severity | severity_id |
|----------|---------------|-------------|
| allow    | Informational | 1           |
| rewrite  | Low           | 2           |
| deny     | Medium        | 3           |
| escalate | High          | 4           |
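
The two tables above describe a mapping; the following is an added, stand-alone illustration of it (not the exporter.py code from the Flight Recorder project). Record field names and severity_id values come from the tables; the exact verdict-to-status rule (allow → Success, deny → Failure, anything else → Other) and the rejection of unknown action types are assumptions.

```python
from datetime import datetime, timezone

# severity_id values from the Severity Mapping table; status strings are an
# assumed reading of "Mapped to Success/Failure/Other".
VERDICT_MAP = {
    "allow": ("Success", 1),
    "rewrite": ("Other", 2),
    "deny": ("Failure", 3),
    "escalate": ("Other", 4),
}
ACTIVITIES = {"create", "read", "update", "delete"}


def to_epoch_ms(created_at: str) -> int:
    """ISO-8601 string -> Unix epoch milliseconds, the unit OCSF `time` uses."""
    dt = datetime.fromisoformat(created_at.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # naive timestamps are treated as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def record_to_ocsf(rec: dict) -> dict:
    """Convert one Flight Recorder record (dict) into an OCSF 6003 event."""
    if rec["action_type"] not in ACTIVITIES:
        raise ValueError(f"unknown action_type: {rec['action_type']!r}")
    # An unrecognised verdict becomes status Other with severity_id 0 (Unknown)
    # rather than silently being reported as Informational.
    status, severity_id = VERDICT_MAP.get(rec["verdict"], ("Other", 0))
    return {
        "class_uid": 6003,
        "class_name": "API Activity",
        "activity_name": rec["action_type"],
        "actor": {"user": {"uid": rec["agent_id"], "type": "System"}},
        "api": {"operation": rec["tool_name"], "request": {"uid": rec["id"]}},
        "status": status,
        "severity_id": severity_id,
        "time": to_epoch_ms(rec["created_at"]),
        "metadata": {
            "product": {"name": "Pramiti Flight Recorder", "vendor_name": "Pramiti Labs"},
            "version": "1.0.0",
        },
    }


# Constructed sample record (not real data); its timestamp is the one in the
# example event above, 2024-07-01T00:00:00Z == 1719792000000 ms.
SAMPLE = {
    "id": "record-uuid", "agent_id": "sales-agent-1",
    "tool_name": "salesforce.update_contact", "action_type": "update",
    "verdict": "allow", "created_at": "2024-07-01T00:00:00Z",
}

if __name__ == "__main__":
    import json
    print(json.dumps(record_to_ocsf(SAMPLE), indent=2))
```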

Delivery to SIEMs

OCSF events can be delivered to SIEMs via:

  1. File export — Write OCSF JSON to files for batch ingestion
  2. HTTP push — Send directly to SIEM HTTP endpoints
  3. Platform integration — When running inside the Pramiti platform, events are delivered via the Aegis SIEM outbox pattern

Technical Details

  • OCSF Class 6003 (API Activity) was chosen because it maps naturally to "an agent performed an API operation"
  • The exporter produces valid OCSF 1.1 schema output
  • Timestamps are converted to Unix epoch milliseconds per OCSF specification
  • The metadata.product block identifies the source as Pramiti Flight Recorder for SIEM correlation rules
