Adapting NetBackup Audit Events to Conform with OCSF Standard

Article: 100063252
Last Published: 2024-03-27
Product(s): NetBackup & Alta Data Protection

Description

Before NetBackup 10.4 there was no way to pull NetBackup audit messages out of NetBackup in a standard format such as OCSF. From NetBackup 10.4, NetBackup audit events can be exported in OCSF format (more information on OCSF can be found at https://schema.ocsf.io/). The currently supported OCSF version is v1.0.0. Users can retrieve v1.0.0 OCSF-formatted NetBackup audit events through the API by setting the content type to application/vnd.netbackup+ocsf+json;version=11.0. Using this API, users can pull all or selected messages and push them into a SIEM (Security Information and Event Management) platform. Because each event is classified into the appropriate OCSF class, the SIEM can raise alerts on it or process the details directly.

Customers may find that the severity assigned to an event is too low or too high, or that a NetBackup category is not mapped to the most appropriate OCSF class. The mapping can be customized via the template file present at ../var/global/audit_ocsf_mapper.json.template. Copy that file as audit_ocsf_mapper.json in the same directory, edit it to suit your preferences, and save it. The API then uses the user-modified file in preference to the internal mapping. Keep the copy valid JSON with the same structure as the template, and because this file decides how every audit event is classified and rated for the SIEM, treat it as security configuration and restrict who can modify it.

  • Example: If a user decides that the severity of the NetBackup LOGIN category with the ACCESS operation should be higher, the user can modify the respective field to get the desired output. In the following, OcsfSeverity for ACCESS has been changed from 2 to 3, while the MODIFY and DELETE operations are left unchanged:
Original JSON:

{
    "NBCategory": "LOGIN",
    "OcsfClass": 3002,
    "OcsfCategory": 3,
    "OcsfMapper": [{
            "NBOperation": "ACCESS",
            "OcsfSeverity": 2,
            "OcsfActivity": 1
        },
        {
            "NBOperation": "MODIFY",
            "OcsfSeverity": 2,
            "OcsfActivity": 99
        },
        {
            "NBOperation": "DELETE",
            "OcsfSeverity": 2,
            "OcsfActivity": 2
        }
    ]
}

Modified JSON (OcsfSeverity for ACCESS raised from 2 to 3):

{
    "NBCategory": "LOGIN",
    "OcsfClass": 3002,
    "OcsfCategory": 3,
    "OcsfMapper": [{
            "NBOperation": "ACCESS",
            "OcsfSeverity": 3,
            "OcsfActivity": 1
        },
        {
            "NBOperation": "MODIFY",
            "OcsfSeverity": 2,
            "OcsfActivity": 99
        },
        {
            "NBOperation": "DELETE",
            "OcsfSeverity": 2,
            "OcsfActivity": 2
        }
    ]
}

Review the attached audit_ocsf_mapper.json file for the complete list of audit categories and their operations mapped to OCSF classes and activities. This file is shipped as /usr/openv/var/global/audit_ocsf_mapper.json.template.
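The following Python script is added here as an illustration; it is not part of NetBackup or of this article. It walks the customization procedure above end to end: it loads the shipped template, raises OcsfSeverity for LOGIN/ACCESS from 2 to 3 as in the example, checks the result against the OCSF v1.0.0 severity_id values, writes it as audit_ocsf_mapper.json, and then shows that a lookup prefers the user file over the template. It assumes the template is a JSON array of category objects shaped like the LOGIN entry shown (only that entry is embedded, as a constructed sample); the directory argument and all function names are the example's own, not a NetBackup API.

```python
import copy
import json
import os
import tempfile

TEMPLATE_NAME = "audit_ocsf_mapper.json.template"
OVERRIDE_NAME = "audit_ocsf_mapper.json"
# OCSF v1.0.0 severity_id values: 0 Unknown, 1 Informational, 2 Low, 3 Medium,
# 4 High, 5 Critical, 6 Fatal, 99 Other.
VALID_SEVERITIES = {0, 1, 2, 3, 4, 5, 6, 99}

# Constructed sample modelled on the LOGIN entry in the article. The shipped
# template is ASSUMED here to be a JSON array of such category objects; confirm
# the layout against /usr/openv/var/global/audit_ocsf_mapper.json.template.
SAMPLE_TEMPLATE = [{
    "NBCategory": "LOGIN", "OcsfClass": 3002, "OcsfCategory": 3,
    "OcsfMapper": [
        {"NBOperation": "ACCESS", "OcsfSeverity": 2, "OcsfActivity": 1},
        {"NBOperation": "MODIFY", "OcsfSeverity": 2, "OcsfActivity": 99},
        {"NBOperation": "DELETE", "OcsfSeverity": 2, "OcsfActivity": 2},
    ],
}]

def validate_mapping(mapping):
    """List problems: missing keys or severities outside OCSF's severity_id set."""
    errors = []
    for entry in mapping:
        name = entry.get("NBCategory", "?")
        for key in ("NBCategory", "OcsfClass", "OcsfCategory", "OcsfMapper"):
            if key not in entry:
                errors.append(f"{name}: missing {key}")
        for op in entry.get("OcsfMapper", []):
            if op.get("OcsfSeverity") not in VALID_SEVERITIES:
                errors.append(f"{name}/{op.get('NBOperation')}: bad OcsfSeverity")
    return errors

def load_mapping(directory):
    """Precedence as the article states: audit_ocsf_mapper.json beats the .template."""
    for name in (OVERRIDE_NAME, TEMPLATE_NAME):
        path = os.path.join(directory, name)
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                return json.load(fh), name
    raise FileNotFoundError(f"no mapper file in {directory}")

def set_severity(mapping, category, operation, severity):
    """Return a deep copy of `mapping` with one category/operation re-rated."""
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"{severity} is not an OCSF severity_id")
    updated = copy.deepcopy(mapping)
    for entry in updated:
        if entry["NBCategory"] != category:
            continue
        for op in entry["OcsfMapper"]:
            if op["NBOperation"] == operation:
                op["OcsfSeverity"] = severity
                return updated
    raise KeyError(f"{category}/{operation} not in mapping")

def write_override(directory, mapping):
    """Save the edited mapping as audit_ocsf_mapper.json next to the template."""
    errors = validate_mapping(mapping)
    if errors:
        raise ValueError("; ".join(errors))
    path = os.path.join(directory, OVERRIDE_NAME)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(mapping, fh, indent=4)
    return path

def resolve(mapping, category, operation):
    """How one NetBackup audit event would be classified, or None if unmapped."""
    for entry in mapping:
        if entry["NBCategory"] != category:
            continue
        for op in entry["OcsfMapper"]:
            if op["NBOperation"] == operation:
                return {"class_uid": entry["OcsfClass"], "category_uid": entry["OcsfCategory"],
                        "severity_id": op["OcsfSeverity"], "activity_id": op["OcsfActivity"]}
    return None

def demo(directory=None):
    """Replay the article's LOGIN/ACCESS example (in a scratch dir when None)."""
    if directory is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    with open(os.path.join(directory, TEMPLATE_NAME), "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_TEMPLATE, fh, indent=4)          # stands in for the shipped file
    before, src_before = load_mapping(directory)          # only the template exists yet
    write_override(directory, set_severity(before, "LOGIN", "ACCESS", 3))
    after, src_after = load_mapping(directory)            # the override now wins
    return {"source_before": src_before, "source_after": src_after,
            "before": resolve(before, "LOGIN", "ACCESS"),
            "after": resolve(after, "LOGIN", "ACCESS"),
            "modify_after": resolve(after, "LOGIN", "MODIFY")}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a scratch directory first; point demo() at /usr/openv/var/global/ only once you are satisfied with the output, since writing audit_ocsf_mapper.json there changes what the API returns for every consumer.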
