
OCSF explained: The shared data language security teams have been missing

Last updated: April 4, 2026 12:20 pm

While the security industry has been heavily focused on models, copilots, and agents over the past year, a significant yet quieter transformation is unfolding beneath the surface: companies are coalescing around a unified method for defining security data. The Open Cybersecurity Schema Framework (OCSF) is becoming a leading contender for this role.

OCSF provides a standardized approach for vendors, businesses, and security professionals to express security events, findings, objects, and context. This results in less time spent on modifying field names and creating custom parsers, allowing more time for detecting correlations, conducting analytics, and developing workflows that are compatible across various products. In an environment where security teams integrate endpoint, identity, cloud, SaaS, and AI telemetry, a unified infrastructure was once considered a lofty goal; however, OCSF is bringing it closer to reality.

Understanding OCSF

OCSF is an open-source framework for cybersecurity schemas, designed to be vendor-neutral and independent of storage formats, data collection methods, and ETL processes. It offers application teams and data engineers a common structure for events, enabling analysts to utilize a consistent language for threat detection and investigative purposes.

Though it might seem technical, the impact of OCSF becomes apparent in a security operations center (SOC), where teams dedicate considerable effort to harmonizing data from various tools to correlate events. For instance, an employee logging in from San Francisco at 10 a.m. on a laptop and then accessing a cloud resource from New York at 10:02 a.m. could indicate a compromised credential.

Creating a system that correlates such events is complex, as different tools describe similar concepts with varying fields, nesting structures, and assumptions. OCSF aims to reduce this complexity by helping vendors align their schemas with a common model and enabling customers to transfer data through lakes, pipelines, and security information and event management (SIEM) tools without requiring extensive translation at each stage.
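
The San Francisco and New York scenario above, as an added example that is not part of the original article: two differently shaped records are mapped to one common shape, and a single correlation rule then runs over both. The source record layouts are hypothetical, the events are constructed, and the normalized field names are a simplified OCSF-style subset that should be checked against the published schema.

```python
import math
from datetime import datetime

# Constructed records from two hypothetical tools; same user, different field layouts.
IDP_LOGIN = {"eventTime": "2026-04-04T10:00:00Z", "actor": {"alternateId": "jdoe@example.com"},
             "client": {"ipAddress": "198.51.100.7",
                        "geo": {"city": "San Francisco", "lat": 37.7749, "lon": -122.4194}}}
CLOUD_AUDIT = {"ts": 1775296920, "principal": "jdoe@example.com", "sourceIPAddress": "203.0.113.9",
               "location": "New York", "latlon": "40.7128,-74.0060"}

def common(time_ms, user, ip, city, lon, lat):
    """Build the shared shape (OCSF-style names, simplified; an assumption of this example)."""
    return {"time": time_ms, "user": {"name": user},
            "src_endpoint": {"ip": ip, "location": {"city": city, "coordinates": [lon, lat]}}}

def from_idp(e):
    t = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
    geo = e["client"]["geo"]
    return common(int(t.timestamp() * 1000), e["actor"]["alternateId"],
                  e["client"]["ipAddress"], geo["city"], geo["lon"], geo["lat"])

def from_cloud(e):
    lat, lon = (float(x) for x in e["latlon"].split(","))
    return common(e["ts"] * 1000, e["principal"], e["sourceIPAddress"], e["location"], lon, lat)

def km_between(a, b):
    """Haversine distance in km between two [lon, lat] pairs."""
    lon1, lat1, lon2, lat2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """Flag consecutive events per user that are far apart and imply a speed above max_kmh."""
    hits, last = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        name, loc = ev["user"]["name"], ev["src_endpoint"]["location"]
        prev = last.get(name)
        if prev:
            ploc = prev["src_endpoint"]["location"]
            km = km_between(ploc["coordinates"], loc["coordinates"])
            hours = max((ev["time"] - prev["time"]) / 3_600_000, 1e-9)
            if km > min_km and km / hours > max_kmh:
                hits.append((name, ploc["city"], loc["city"], round(km)))
        last[name] = ev
    return hits

if __name__ == "__main__":
    print(impossible_travel([from_cloud(CLOUD_AUDIT), from_idp(IDP_LOGIN)]))
```

Once both sources share one shape, the detection rule never references a vendor-specific field; adding a third source means writing one more mapper, not another rule.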

A Rapid Evolution

OCSF has seen significant growth in the last two years. The initiative was announced in August 2022 by AWS and Splunk, building upon contributions from industry giants like Symantec, Broadcom, Cloudflare, CrowdStrike, IBM, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler.

The OCSF community has consistently released updates over the past two years

The community has expanded rapidly. In August 2024, AWS reported that OCSF had grown from a 17-company initiative to a community with over 200 participating organizations and 800 contributors, increasing to 900 when OCSF joined the Linux Foundation in November 2024.

OCSF’s Industry Presence

OCSF is becoming ubiquitous in the observability and security sectors. AWS Security Lake transforms AWS logs and events into OCSF and stores them in Parquet. AWS AppFabric can produce OCSF-normalized audit data, while AWS Security Hub findings utilize OCSF, and AWS offers an extension for cloud-specific resource details.

Splunk can convert incoming data into OCSF using its edge and ingest processors. Cribl facilitates seamless transformation of streaming data into OCSF and compatible formats.

Palo Alto Networks can channel Strata Logging Service data into Amazon Security Lake in OCSF format. CrowdStrike operates on both sides of the OCSF pipeline, translating Falcon data into OCSF for Security Lake and positioning Falcon Next-Gen SIEM to ingest and analyze OCSF-formatted data. OCSF has successfully transitioned from an abstract concept to a standard operational practice across the industry.

The Role of AI in OCSF

AI infrastructure has large language models (LLMs) at its core, surrounded by intricate distributed systems such as model gateways, agent runtimes, vector stores, tool calls, retrieval systems, and policy engines. These components produce new types of telemetry, often crossing product boundaries. SOC teams are increasingly focused on collecting and analyzing this data. The primary question often centers on the actions of an agentic AI system, rather than solely its output, and whether those actions resulted in any security breaches.

This increases the demand on the underlying data model. An AI assistant that misuses tools, retrieves incorrect data, or triggers a risky sequence of actions creates a security event that must be comprehended across systems. A shared security schema becomes crucial in this context, especially when AI is also leveraged on the analytics side to process more data swiftly.

OCSF’s AI-Focused Year

Imagine a company utilizing an AI assistant to assist employees in accessing internal documents and activating tools like ticketing systems or code repositories. If the assistant begins retrieving incorrect files, invoking unauthorized tools, and revealing sensitive information in its responses, it presents a challenge.

Updates in OCSF versions 1.5.0, 1.6.0, and 1.7.0 help security teams reconstruct events by flagging unusual behavior, identifying system access, and tracing the assistant’s tool calls step by step. This allows teams to review the complete sequence of actions leading to the issue, rather than just the AI’s final response.

Future Developments

Consider a scenario where an AI customer support bot starts issuing lengthy, detailed responses that include internal troubleshooting guidance intended only for staff. Enhancements in OCSF 1.8.0 would enable the security team to identify which model handled the exchange, which provider supplied it, the role of each message, and how token counts varied throughout the conversation.

A sharp increase in prompt or completion tokens might indicate the bot received an unusually large hidden prompt, accessed excessive background data from a vector database, or generated an overly lengthy response, raising the risk of sensitive information exposure. This provides investigators with a practical clue to where the interaction deviated, rather than just leaving them with the final response.
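
One way to turn that clue into a check, as an added example that is not part of the original article: each exchange's token counts are compared with the median of the earlier exchanges in the same conversation. The exchanges are constructed, and the field names, threshold factor and warm-up length are hypothetical choices for this sketch, not attribute names or values from the OCSF schema.

```python
from statistics import median

# Constructed (prompt_tokens, completion_tokens) pairs for one conversation.
_COUNTS = [(300, 120), (320, 140), (310, 130), (2900, 150), (330, 1600)]
# Field names below are hypothetical stand-ins, not taken from the OCSF schema.
EXCHANGES = [{"turn": i, "model": "example-model", "provider": "example-provider",
              "prompt_tokens": p, "completion_tokens": c}
             for i, (p, c) in enumerate(_COUNTS, start=1)]

# What the article suggests each kind of spike may point to.
HINTS = {"prompt_tokens": "large hidden prompt or excessive retrieved context",
         "completion_tokens": "overly long response"}

def token_spikes(exchanges, factor=4.0, warmup=3):
    """Flag exchanges whose token count exceeds factor x the median of earlier exchanges."""
    spikes = []
    for i, ex in enumerate(exchanges):
        if i < warmup:
            continue  # not enough history for a baseline yet
        for field, hint in HINTS.items():
            # Median keeps one earlier outlier from inflating the baseline.
            baseline = median(e[field] for e in exchanges[:i])
            if baseline > 0 and ex[field] > factor * baseline:
                spikes.append({"turn": ex["turn"], "model": ex["model"],
                               "provider": ex["provider"], "field": field,
                               "value": ex[field], "baseline": baseline, "hint": hint})
    return spikes

if __name__ == "__main__":
    for s in token_spikes(EXCHANGES):
        print(s)
```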

The Broader Impact

OCSF has rapidly evolved from a community effort to a recognized standard used daily by security products. Over the past two years, it has achieved stronger governance, frequent releases, and practical support across data lakes, ingest pipelines, SIEM workflows, and partner ecosystems.

In a world where AI broadens the security landscape with scams, abuse, and new attack vectors, security teams depend on OCSF to integrate data from diverse systems without losing context, ensuring data security.

Nikhil Mungel has been building distributed systems and AI teams at SaaS companies for more than 15 years.
