OCSF Export
OCSF schema mapping for SIEM integration
Flight Recorder exports action records in OCSF (Open Cybersecurity Schema Framework) format, enabling native integration with any OCSF-compatible SIEM: Splunk, Microsoft Sentinel, Datadog, Google Chronicle, and others.
How It Works
The exporter.py module maps Flight Recorder records to OCSF Class 6003 (API Activity):
Each OCSF event includes:
OCSF Field Mapping
| Flight Recorder Field | OCSF Field | Notes |
|---|---|---|
| agent_id | actor.user.uid | Agent identity |
| tool_name | api.operation | Namespaced tool name |
| action_type | activity_name | create, read, update, delete |
| verdict | status | Mapped to Success/Failure/Other |
| created_at | time | Unix timestamp in milliseconds |
| id | api.request.uid | Record UUID |
Severity Mapping
| Verdict | OCSF Severity | severity_id |
|---|---|---|
| allow | Informational | 1 |
| rewrite | Low | 2 |
| deny | Medium | 3 |
| escalate | High | 4 |
Delivery to SIEMs
OCSF events can be delivered to SIEMs via:
- File export — Write OCSF JSON to files for batch ingestion
- HTTP push — Send directly to SIEM HTTP endpoints
- Platform integration — When running inside the Pramiti platform, events are delivered via the Aegis SIEM outbox pattern
Technical Details
- OCSF Class 6003 (API Activity) was chosen because it maps naturally to "an agent performed an API operation"
- The exporter produces valid OCSF 1.1 schema output
- Timestamps are converted to Unix epoch milliseconds per OCSF specification
- The metadata.product block identifies the source as Pramiti Flight Recorder for SIEM correlation rules
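As an added example (not the project's exporter.py), the field and severity tables above carried out in Python: one Flight Recorder record becomes an OCSF 1.1 API Activity event with created_at converted to epoch milliseconds and metadata.product stamped for correlation. The verdict-to-status split (allow to Success, deny to Failure, everything else Other), the category_uid, activity_id and status_id values, and the sample record are assumptions taken from the OCSF 1.1 schema rather than from this page.

```python
from datetime import datetime, timezone

# OCSF 1.1 enumerations for API Activity. The severity ids match the
# table above; the other ids come from the OCSF schema, not this page.
CLASS_UID, CATEGORY_UID = 6003, 6  # API Activity / Application Activity
ACTIVITY_ID = {"create": 1, "read": 2, "update": 3, "delete": 4}
SEVERITY = {"allow": (1, "Informational"), "rewrite": (2, "Low"),
            "deny": (3, "Medium"), "escalate": (4, "High")}
# Assumption: allow -> Success, deny -> Failure, anything else -> Other
# (the page only says verdict maps to Success/Failure/Other).
STATUS = {"allow": (1, "Success"), "deny": (2, "Failure")}
OTHER_STATUS = (99, "Other")

def to_epoch_ms(iso_ts: str) -> int:
    """ISO-8601 created_at -> Unix epoch milliseconds (OCSF 'time')."""
    dt = datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:              # treat naive timestamps as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)

def to_ocsf(record: dict) -> dict:
    """Map one Flight Recorder record to an OCSF API Activity event."""
    action = record["action_type"].lower()
    if action not in ACTIVITY_ID:
        raise ValueError(f"unsupported action_type: {action!r}")
    if record["verdict"] not in SEVERITY:
        raise ValueError(f"unknown verdict: {record['verdict']!r}")
    activity_id = ACTIVITY_ID[action]
    sev_id, sev = SEVERITY[record["verdict"]]
    status_id, status = STATUS.get(record["verdict"], OTHER_STATUS)
    return {
        "class_uid": CLASS_UID, "category_uid": CATEGORY_UID,
        "activity_id": activity_id, "activity_name": action,
        "type_uid": CLASS_UID * 100 + activity_id,  # OCSF type_uid rule
        "time": to_epoch_ms(record["created_at"]),
        "severity_id": sev_id, "severity": sev,
        "status_id": status_id, "status": status,
        "actor": {"user": {"uid": record["agent_id"]}},
        "api": {"operation": record["tool_name"],
                "request": {"uid": record["id"]}},
        "metadata": {"version": "1.1.0", "product": {
            "name": "Pramiti Flight Recorder", "vendor_name": "Pramiti"}},
    }

# Constructed sample record (not real data) for a quick check
SAMPLE = {"id": "6f1c2a3e-0000-4000-8000-000000000001", "agent_id": "agent-42",
          "tool_name": "fs.write_file", "action_type": "update",
          "verdict": "deny", "created_at": "2024-05-01T12:00:00Z"}
```

Feeding the resulting dict to json.dumps gives the OCSF JSON a file export or HTTP push would carry.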