OCSF Version History: A Guide to Enhancements and Security Benefits
OCSF has evolved since initial release. Learn more about its version history.
Anmol Jain

The Open Cybersecurity Schema Framework (OCSF) is a standardized data model for sharing cybersecurity information.
It is composed of categories, event classes, data types, attributes, and objects, and its role is to standardize how security data is represented and exchanged between tools and organizations.
OCSF has evolved significantly since its initial release.
The following analysis provides a detailed overview of the key updates and changes introduced in each major version. By understanding the key changes and enhancements introduced in each version, you can:
- Make informed decisions: Choose the most suitable OCSF version for your organization's specific needs.
- Stay up-to-date: Keep abreast of the latest developments in cybersecurity data standardization.
- Improve data sharing: Leverage OCSF to enhance data sharing and collaboration within your organization and with external partners.
OCSF 1.0.0
- Initial Release: OCSF 1.0.0 laid the groundwork for a standardized cybersecurity data model.
- Core Concepts: Introduced fundamental entities like assets, threats, vulnerabilities, and incidents.
- Basic Relationships: Defined relationships between these entities to represent cybersecurity events and incidents.
- Limited Flexibility: While providing a foundation, OCSF 1.0.0 had limitations in terms of granularity and flexibility for certain use cases.
OCSF 1.0.0 introduced fundamental entities like assets, threats, vulnerabilities, and incidents, along with relationships between them to represent cybersecurity events and incidents. While providing a foundation, OCSF 1.0.0 had limitations in terms of granularity and flexibility for certain use cases.
Release candidates (RCs) played a crucial role in the development and refinement of OCSF. These pre-release versions were made available to the community for testing and feedback, helping to identify and address potential issues before the official release. The RCs ensured that OCSF 1.0.0 was stable, reliable, and met the needs of its intended users.
OCSF 1.1.0
- New Event Classes: Introduced new event classes for user inventory, vulnerability findings, network traffic, and data access.
- New Objects: Added new objects like cwe, kb_article, and epss for vulnerability and knowledge base information.
- Improved Profiles: Enhanced the security_control profile to include access control semantics and firewall properties.
- Metaschema Improvements: Introduced JSON-schema based metaschema validation for improved data correctness and consistency.
OCSF 1.2.0
- New Event Classes: Added event classes for data security findings, file queries, folder queries, and other query types.
- New Objects: Introduced new objects like auth_factor, data_security, and autonomous_system.
- Improved Event Classes: Enhanced existing event classes with new attributes and functionalities.
- Improved Objects: Expanded existing objects with new attributes and improved data types.
- Metaschema Improvements: Continued to refine the metaschema for better validation and error reporting.
OCSF 1.3.0
- New Event Classes: Introduced event classes for remediation activities, software inventory, and device config state changes.
- New Profiles: Added the osint profile for OSINT data.
- New Objects: Introduced new objects like d3fend, d3f_tactic, d3f_technique, and ja4_fingerprint.
- Improved Event Classes: Enhanced existing event classes with new attributes and functionalities, such as file_result in File Hosting Activity and risk_details in Detection Finding.
- Improved Objects: Expanded existing objects with new attributes, such as ext in File, auth_factors in Authentication, and data_classification in multiple objects.
- Bug Fixes: Implemented various bug fixes to improve the schema's accuracy and reliability.
- Deprecated Features: Marked some attributes and objects as deprecated in favor of newer or more standardized alternatives.
OCSF 1.4.0
- New Profiles: Added Incident and Trace profiles for improved incident response documentation and event traceability.
- Extensions: Released official Linux (v1.4.0) and Windows (v1.4.0) extensions.
- Categories and Event Classes: Maintained the core categories from previous versions with refinements to event classes.
- Enhanced Discovery: Added new event classes, including Cloud Resources Inventory Info.
- Improved IAM Coverage: Enhanced Identity & Access Management event classes with more detailed attributes.
- System Activity Monitoring: Refined event classes for comprehensive system activity monitoring.
- Findings Framework: Continued development of the findings framework for security events.
- Network Activity Monitoring: Enhanced network activity event classes for better visibility.
OCSF 1.5.0
- New Finding Class: Added Application Security Posture Finding [2007] to the Findings category.
- New Discovery Class: Added Live Evidence Info [5040] for forensic evidence collection.
- Extensions: Updated Linux (v1.5.0) and Windows (v1.5.0) extensions.
- Maintained Profiles: Continued support for all profiles from v1.4.0 (Cloud, Container, Data Classification, Date/Time, Host, Incident, Linux Users, Load Balancer, Network Proxy, OSINT, Security Control, Trace).
- Streamlined Discovery: Simplified the Discovery category by focusing on key inventory information classes.
- Enhanced Application Activity: Refined application activity monitoring capabilities.
- Improved Remediation: Enhanced remediation activity event classes for better response documentation.
Future of OCSF - OCSF 1.6.0-dev
As OCSF continues to evolve, the upcoming version 1.6.0-dev is set to bring a range of new advancements that will further elevate its role in the cybersecurity ecosystem. Here are some of the key areas where the framework is expected to innovate:
- Extensions: Development versions of Linux (v1.6.0-dev) and Windows (v1.6.0-dev) extensions.
- Deprecated Classes: Several event classes are marked as deprecated, including Security Finding [2001], Device Config State [5002], and various query classes (File Query [5007], Folder Query [5008], etc.).
- Network Activity Refinement: Deprecated several network activity classes, including Network File Activity [4010], Email File Activity [4011], and Email URL Activity [4012].
- Application Activity Cleanup: Deprecated Web Resource Access Activity [6004].
- Maintained Profiles: Continuing support for all profiles from v1.5.0.
- Focus on Schema Optimization: Working on streamlining the schema by deprecating redundant or overlapping event classes.
- Enhanced Categories: Refining existing categories for better organization and clarity.
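The class additions in 1.4.0 and 1.5.0 and the deprecations planned for 1.6.0-dev mean that a pipeline moving between versions should check the events it carries before the switch. The following is an added example, not code from this post or from the OCSF project: a small checker that judges a batch of OCSF event records against a target schema version. The class UIDs and the versions that introduced or deprecated them are exactly those listed above; the field names (class_uid, category_uid, activity_id, type_uid) and the rules that category_uid equals class_uid // 1000 and type_uid equals class_uid * 100 + activity_id are OCSF's own conventions. The sample event records at the bottom are constructed for the example.

```python
"""Version-aware sanity check for OCSF event records.

Added example, not code from the original post or from the OCSF project. The
class UIDs and the version in which each class was introduced or deprecated are
taken from the post; the structural rules (category_uid == class_uid // 1000,
type_uid == class_uid * 100 + activity_id) are OCSF's own conventions. The event
records at the bottom are constructed samples.
"""
from collections import Counter
from dataclasses import dataclass

# Event classes the post lists as deprecated in OCSF 1.6.0-dev.
DEPRECATED_SINCE = {
    2001: ("Security Finding", "1.6.0"),
    5002: ("Device Config State", "1.6.0"),
    5007: ("File Query", "1.6.0"),
    5008: ("Folder Query", "1.6.0"),
    4010: ("Network File Activity", "1.6.0"),
    4011: ("Email File Activity", "1.6.0"),
    4012: ("Email URL Activity", "1.6.0"),
    6004: ("Web Resource Access Activity", "1.6.0"),
}

# Event classes the post lists as new, keyed by the version that introduced them.
INTRODUCED_IN = {
    5023: ("Cloud Resources Inventory Info", "1.4.0"),
    2007: ("Application Security Posture Finding", "1.5.0"),
    5040: ("Live Evidence Info", "1.5.0"),
}


def parse_version(version: str) -> tuple:
    """Turn '1.6.0-dev' into (1, 6, 0); the '-dev' suffix is ignored for comparison."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


@dataclass
class Issue:
    event_index: int
    class_uid: int
    kind: str      # "malformed", "inconsistent", "deprecated" or "too_new"
    detail: str


def check_event(index: int, event: dict, target_version: str) -> list:
    """Return the issues found in one event when judged against target_version."""
    issues = []
    class_uid = event.get("class_uid")
    if not isinstance(class_uid, int):
        issues.append(Issue(index, -1, "malformed", "class_uid missing or not an integer"))
        return issues

    # OCSF derives category_uid and type_uid from class_uid; a mismatch usually
    # means a producer hand-built the record or mixed two schema versions.
    category_uid = event.get("category_uid")
    if category_uid is not None and category_uid != class_uid // 1000:
        issues.append(Issue(index, class_uid, "inconsistent",
                            f"category_uid {category_uid} does not match class_uid {class_uid}"))
    activity_id = event.get("activity_id")
    type_uid = event.get("type_uid")
    if activity_id is not None and type_uid is not None and type_uid != class_uid * 100 + activity_id:
        issues.append(Issue(index, class_uid, "inconsistent",
                            f"type_uid {type_uid} does not equal class_uid * 100 + activity_id"))

    target = parse_version(target_version)
    if class_uid in DEPRECATED_SINCE:
        name, since = DEPRECATED_SINCE[class_uid]
        if target >= parse_version(since):
            issues.append(Issue(index, class_uid, "deprecated",
                                f"{name} [{class_uid}] is deprecated as of OCSF {since}"))
    if class_uid in INTRODUCED_IN:
        name, since = INTRODUCED_IN[class_uid]
        if target < parse_version(since):
            issues.append(Issue(index, class_uid, "too_new",
                                f"{name} [{class_uid}] only exists from OCSF {since}"))
    return issues


def check_events(events: list, target_version: str) -> list:
    """Check every event and return a flat list of Issue records."""
    found = []
    for index, event in enumerate(events):
        found.extend(check_event(index, event, target_version))
    return found


def summarize(events: list, target_version: str) -> dict:
    """Count issues by kind: a quick gate before a pipeline moves to a new schema version."""
    return dict(Counter(issue.kind for issue in check_events(events, target_version)))


# Constructed sample records; only the fields the checker reads are present.
SAMPLE_EVENTS = [
    {"class_uid": 2001, "category_uid": 2, "activity_id": 1, "type_uid": 200101},
    {"class_uid": 5040, "category_uid": 5, "activity_id": 2, "type_uid": 504002},
    {"class_uid": 4010, "category_uid": 4, "activity_id": 2, "type_uid": 401001},
    {"class_uid": 5023, "category_uid": 2, "activity_id": 1, "type_uid": 502301},
    {"class_uid": "2007", "category_uid": 2},
]

if __name__ == "__main__":
    for version in ("1.4.0", "1.5.0", "1.6.0-dev"):
        print(version, summarize(SAMPLE_EVENTS, version))
        for issue in check_events(SAMPLE_EVENTS, version):
            print(f"  event {issue.event_index}: {issue.kind}: {issue.detail}")
```

Running the script against the three target versions shows how the same batch is judged differently: the Live Evidence Info record is "too new" for a 1.4.0 consumer, the Security Finding and Network File Activity records become "deprecated" once the target is 1.6.0, and the structural mismatches and the string-typed class_uid are flagged regardless of version. The deprecation table is deliberately keyed by version rather than hard-coded as a boolean, so the same checker can be pointed at 1.5.0 today and 1.6.0 once it ships.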
Key Changes Between Versions
| Feature | OCSF 1.0.0 | OCSF 1.1.0 | OCSF 1.2.0 | OCSF 1.3.0 | OCSF 1.4.0 | OCSF 1.5.0 | OCSF 1.6.0 (Dev) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Scope | Core concepts | Expanded scope | Further expanded scope | Comprehensive coverage | Incident and trace profiles | Application security posture | Schema optimization |
| Granularity | Basic | Enhanced | Further enhanced | Very detailed | Cloud resources inventory | Live evidence information | Deprecation of redundant classes |
| Flexibility | Limited | Improved | Further improved | Highly extensible | Linux and Windows extensions | Updated extensions | Development extensions |
| Integration | Basic | Improved | Seamless integration | Deep integration | Enhanced categories | Streamlined discovery | Refined categories |
| Emerging Technologies | Limited support | Improved support | Extensive support | Expanded support | Cloud resources support | Application security | Cleanup of overlapping classes |
Detailed Analysis of Specific Changes
OCSF 1.1.0 brought significant enhancements in coverage and flexibility. It introduced new event classes for user inventory, vulnerability findings, and network traffic, as well as new objects like cwe, kb_article, and epss. The security_control profile was also improved to include access control semantics and firewall properties.
OCSF 1.2.0 further expanded the scope of OCSF by adding event classes for data security findings, file queries, folder queries, and other query types. It also introduced new objects like auth_factor, data_security, and autonomous_system. The framework's flexibility and integration capabilities were also enhanced during this version.
OCSF 1.3.0 introduced new event classes for remediation activities, software inventory, and device config state changes. It also added the osint profile for OSINT data and several new objects like d3fend, d3f_tactic, and d3f_technique. The framework's capabilities for capturing detailed information about cybersecurity events were further enhanced during this version.
OCSF 1.4.0 introduced important new profiles for incident response and traceability. With the addition of official Linux and Windows extensions, this version enhanced platform-specific support. The introduction of Cloud Resources Inventory Info [5023] demonstrated OCSF's commitment to supporting cloud environments and multi-cloud deployments.
OCSF 1.5.0 expanded the framework's capabilities with the addition of Application Security Posture Finding [2007] and Live Evidence Info [5040], addressing growing needs in application security and digital forensics. This version also streamlined the Discovery category to focus on the most essential inventory information classes while maintaining comprehensive coverage.
OCSF 1.6.0-dev, still under development, focuses on schema optimization by deprecating several redundant or overlapping event classes. This cleanup effort aims to streamline the schema and reduce complexity while maintaining comprehensive security coverage. The development of updated Linux and Windows extensions reflects the ongoing commitment to platform-specific support.
Final Thoughts
By understanding the key changes and enhancements introduced in each OCSF version, organizations can make informed decisions about which version best suits their specific needs and goals.
To gain a deeper understanding of how OCSF structures and organizes its data, including the key elements and relationships within the data model, you can refer to our detailed blog on the OCSF Data Hierarchy. This will provide additional insights into how the framework standardizes security telemetry.
Metron Security provides on-demand and effective approaches to managing third-party integrations for security ecosystems. Since 2014, Metron has delivered automation solutions for over 250 security applications along with several hundred custom automation solutions.
If you are looking to set up any integrations with the OCSF Schema and are facing challenges, you can reach out to us at connect@metronlabs.com.