How do we create a Pack for a Security tool that doesn't have pack to convert data into OCSF?

Teja Vivek

Kyle McCririe

To create a Pack for a security tool that doesn't yet have a Pack for converting data into the Open Cybersecurity Schema Framework (OCSF), you will need to follow these general steps:

1. Prepare:
   • Understand the schema and data format of the security tool's output.
   • Decide on the problem you’re trying to solve and determine the dataset(s), Sources, and Destinations you’re going to work with.
2. Develop your Pack:
   • Create a new Pack within your Cribl Stream or Cribl Edge environment using saved samples to develop pipelines that will transform the security tool's data into the OCSF format.
3. Test your Pack:
   • Rigorously test your Pack in your own environment to ensure that data is properly being transformed and routed.
   • Import your Pack into a new environment to make sure all content was exported and is functioning correctly.
   • Use checklists, such as the Pack Review Checklist referenced in the documentation, to ensure your Pack meets necessary standards.
4. Submit your Pack for review:
   • Once you're satisfied with the Pack, sign in to the Cribl Packs Dispensary site (or create an account if necessary) using your Cribl.Cloud account.
   • Use the Publish Pack button to submit your Pack for review by the community.

During this process, you should consider engaging with the Cribl community for support and feedback, particularly via the Cribl’s Community Slack #packs channel.

Remember that this is a high-level overview. For detailed guidance and specific instructions, it's best to refer to the Pack Publication Standards and related documentation provided by Cribl.

Refer to the Cribl documentation for more detailed instructions:

• Use Case – Setting Up Cribl for Amazon Security Lake
• Packs Publication Standards