Open Cybersecurity Schema Framework (OCSF) Gains Momentum

What an incredible 8 months it has been. Last August, Splunk, Amazon Web Services (AWS) and 16 other cybersecurity companies launched the Open Cybersecurity Schema Framework (OCSF), an open-source project that provides a common vendor-agnostic taxonomy to simplify and accelerate the ingestion and analysis of security data. Since then, the number of participating organizations has grown more than four-fold, with over 75 companies and 369 individuals, including unaffiliated contributors, involved in OCSF at the time of this writing.  

A key development during this period was AWS announcing the Amazon Security Lake, the first service that utilizes OCSF as the data schema foundation. I elaborated on how customers can benefit from Amazon Security Lake’s integration with Splunk in the blog, "Splunk Integrates with Amazon Security Lake to Deliver Analytics Using the Open Cybersecurity Schema Framework."

Additionally, IBM became a Steering Committee member, bringing their extensive experience with industry standards groups and open source projects to the OCSF consortium leadership.

Importantly, the continued attention and contributions of the OCSF community brought about enhancements to an initial release candidate and helped shape the latest release candidate, RC3. Some members have been writing vendor extensions, while others have brought forward new core classes that can benefit everyone. RC3 adds new objects, event classes and categories based on OCSF members’ work with the schema and framework.

I’d like to mention just a few of the enhancements OCSF contributors have made this calendar year: 

  • Aligned 20 of the 82 OCSF objects with MITRE D3EFEND artifacts
  • Promoted two new categories from the Development extension: Discovery and Applications. The Discovery category holds classes that query or scan for device state and configuration state. The existing Device Inventory Info and Device Config State classes now have a new home within the Discovery category, with more classes planned after the GA release. The Application category is now home to the API Activity class, along with new Application Activity and Application Lifecycle classes.
  • The Audit category is now the Access Control category, with refactored Authorization and Entity Management classes that can cover more use cases with different authentication and role-based access systems.

Let’s zero in on the Security Finding class as another example of RC3 innovation:

  • The Security Finding class was augmented with the enhancements from the Splunk Detection Report extension
  • Support for NIST, Lockheed-Martin Kill Chain and CIS Controls frameworks has been enabled (in addition to the previously included MITRE ATT&CK framework)
  • Impact and risk-level scoring has been added along with confidence percentages and intervals  
  • A new Analytics object was created that subsumes the Rule object and supports more advanced analytic-finding techniques for machine learning, deep learning, and statistical analysis. The object supports complex composite analytics from distinct building blocks.

For more information on this comprehensive class, take a look at a recent article, "OCSF Security Finding and how it can change threat detection," from IBM OCSF contributors Irakle Dzneladze and Jason Keirstead.

RC3 is around the corner and is intended to become the stable candidate for a 1.0 GA release after a public review period. Many of the members are already actively implementing applications, for both internal and vendor products, based on the working versions of the schema, which is very exciting. I invite you to check out the latest schema at or download your own schema browser and validation server Docker image at Stay tuned for the public review announcement for RC3!

If you need any additional information or have questions on RC3 and OCSF overall, I encourage you to join the Slack community at or send me an inquiry at

Finally, if you’re attending RSA Conference 2023 in San Francisco, be sure to stop by the Splunk booth N-5770 to speak with our experts and check out our latest innovations in security analytics.

Posted by Paul Agbabian

Paul is responsible for technology strategy and architecture for the Security business unit at Splunk. Prior to joining Splunk, Paul was a Broadcom Fellow and the Global CTO and Chief Architect of the Symantec Enterprise Security Business Unit.
