Open Cybersecurity Schema Framework

Hello Elastic Community,

With the release of the Open Cybersecurity Schema Framework, I was wondering is there was any discussion happening on aligning the Elastic Common Schema with it? The goals of the OCSF seem similar to the Elastic Common Schema.

What is the OCSF?
The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that data scientists and analysts can work with a common language for threat detection and investigation. The goal is to provide an open standard, adopted in any environment, application, or solution, while complementing existing security standards and processes.

Hi @grandmasterv, welcome to the Elastic Discuss community :slight_smile:

While Elastic Common Schema will remain our schema of choice, we are always open to ingesting data from other schemas and automatically mapping it to ECS for use in Elastic Security (and other Elastic solutions). We are currently assessing options to support OCSF formatted data, via an Elastic agent integration. Similar to CEF, we'd take OCSF mapped data and convert it to ECS. We are also keen to contribute to OCSF in the future.

May I ask, if you are already in the process of mapping events to OCSF or working with vendors who are providing OCSF formatted events out-of-the-box?

Hi @jamie.hynds. Thanks for the info. My organization has standardized on ECS ourselves and were just curious about any plans regarding OCSF. I'm not currently involved with ingesting any OCSF formatted data at this time but we definitely have quite a few of the OCSF launching partner's equipment and systems in play and this may come up down the road.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.