OCSF Version History: A Guide to Enhancements and Security Benefits

OCSF has evolved since initial release. Learn more about its version history.


Author: Anmol Jain


The Open Cybersecurity Schema Framework (OCSF) is a standardized data model for sharing cybersecurity information. It is composed of categories, event classes, data types, attributes, and objects, and its role is to standardize how security data is exchanged. OCSF has evolved significantly since its initial release. This analysis provides a detailed overview of the key updates and changes introduced in each major version. By understanding the key changes and enhancements introduced in each version, you can:

  • Make informed decisions: Choose the most suitable OCSF version for your organization's specific needs.
  • Stay up-to-date: Keep abreast of the latest developments in cybersecurity data standardization.
  • Improve data sharing: Leverage OCSF to enhance data sharing and collaboration within your organization and with external partners.

OCSF 1.0.0

  • Initial Release: OCSF 1.0.0 laid the groundwork for a standardized cybersecurity data model.
  • Core Concepts: Introduced fundamental entities like assets, threats, vulnerabilities, and incidents.
  • Basic Relationships: Defined relationships between these entities to represent cybersecurity events and incidents.
  • Limited Flexibility: While providing a foundation, OCSF 1.0.0 had limitations in terms of granularity and flexibility for certain use cases.

Release candidates (RCs) played a crucial role in the development and refinement of OCSF. These pre-release versions were made available to the community for testing and feedback, helping to identify and address potential issues before the official release. The RCs ensured that OCSF 1.0.0 was stable, reliable, and met the needs of its intended users.

OCSF 1.1.0

  • New Event Classes: Introduced new event classes for user inventory, vulnerability findings, network traffic, and data access.
  • New Objects: Added new objects like cwe, kb_article, and epss for vulnerability and knowledge base information.
  • Improved Profiles: Enhanced the security_control profile to include access control semantics and firewall properties.
  • Metaschema Improvements: Introduced JSON-schema based metaschema validation for improved data correctness and consistency.

OCSF 1.2.0

  • New Event Classes: Added event classes for data security findings, file queries, folder queries, and other query types.
  • New Objects: Introduced new objects like auth_factor, data_security, and autonomous_system.
  • Improved Event Classes: Enhanced existing event classes with new attributes and functionalities.
  • Improved Objects: Expanded existing objects with new attributes and improved data types.
  • Metaschema Improvements: Continued to refine the metaschema for better validation and error reporting.

OCSF 1.3.0

  • New Event Classes: Introduced event classes for remediation activities, software inventory, and device config state changes.
  • New Profiles: Added the osint profile for OSINT data.
  • New Objects: Introduced new objects like d3fend, d3f_tactic, d3f_technique, and ja4_fingerprint.
  • Improved Event Classes: Enhanced existing event classes with new attributes and functionalities, such as file_result in File Hosting Activity and risk_details in Detection Finding.
  • Improved Objects: Expanded existing objects with new attributes, such as ext in File, auth_factors in Authentication, and data_classification in multiple objects.
  • Bug Fixes: Implemented various bug fixes to improve the schema's accuracy and reliability.
  • Deprecated Features: Marked some attributes and objects as deprecated in favor of newer or more standardized alternatives.

OCSF 1.4.0

  • New Profiles: Added Incident and Trace profiles for improved incident response documentation and event traceability.
  • Extensions: Released official Linux (v1.4.0) and Windows (v1.4.0) extensions.
  • Categories and Event Classes: Maintained the core categories from previous versions with refinements to event classes.
  • Enhanced Discovery: Added new event classes, including Cloud Resources Inventory Info.
  • Improved IAM Coverage: Enhanced Identity & Access Management event classes with more detailed attributes.
  • System Activity Monitoring: Refined event classes for comprehensive system activity monitoring.
  • Findings Framework: Continued development of the findings framework for security events.
  • Network Activity Monitoring: Enhanced network activity event classes for better visibility.

OCSF 1.5.0

  • New Finding Class: Added Application Security Posture Finding [2007] to the Findings category.
  • New Discovery Class: Added Live Evidence Info [5040] for forensic evidence collection.
  • Extensions: Updated Linux (v1.5.0) and Windows (v1.5.0) extensions.
  • Maintained Profiles: Continued support for all profiles from v1.4.0 (Cloud, Container, Data Classification, Date/Time, Host, Incident, Linux Users, Load Balancer, Network Proxy, OSINT, Security Control, Trace).
  • Streamlined Discovery: Simplified the Discovery category by focusing on key inventory information classes.
  • Enhanced Application Activity: Refined application activity monitoring capabilities.
  • Improved Remediation: Enhanced remediation activity event classes for better response documentation.

OCSF 1.6.0

Released on August 1st, 2025, OCSF 1.6.0 introduces significant enhancements focused on IAM analysis, email handling improvements, and comprehensive registry data support:

  • New Event Classes: Added IAM Analysis Finding for enhanced identity and access management security analysis.
  • New Objects: Introduced IAM analysis objects (access_analysis_result, additional_restriction, identity_activity_metrics, permission_analysis_result, programmatic_credential) and port_info for network analysis.
  • Enhanced Email Handling: Expanded email attributes with comprehensive sender/recipient support, including from_list, reply_to_list, and sender_mailbox.
  • Registry Data Support: Added Windows registry data attributes (reg_binary_data, reg_integer_data, reg_string_data, reg_string_list_data).
  • Improved Event Classes: Enhanced RDP Activity with Disconnect/Reconnect activities, expanded Group Management with subgroup operations, and improved Authentication with Account Switch activity.
  • Object Improvements: Expanded the Fingerprint object with xxHash algorithm support, enhanced the User object with Service type and IAM attributes, and improved the Process object with ptid attribute.
  • Deprecated Features: Deprecated group attribute in favor of groups in the databucket object, and credential_uid in favor of programmatic_credentials in the user object.
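The two 1.6.0 deprecations above are the kind of change a consuming pipeline has to absorb when producers emit events written against different schema versions. The following Python is an added example, not OCSF project code: it folds a deprecated credential_uid or databucket group attribute into its replacement and reports any event that still carries the old form. The shape of a programmatic_credential entry (a dict with a "uid" key) and the one-element groups list are assumptions not stated on the page.

```python
# Added example, not OCSF project code: consumer-side shim for the two OCSF 1.6.0 deprecations
# listed above. Assumed (not on the page): a programmatic_credential carries the old
# credential_uid as "uid"; the legacy single databucket "group" becomes one "groups" entry.
DEPRECATED_IN_1_6 = {  # object key in an event -> (deprecated attribute, replacement attribute)
    "user": ("credential_uid", "programmatic_credentials"),
    "databucket": ("group", "groups"),
}

def upgrade_object(kind, obj):
    """Return a copy of obj with its deprecated attribute folded into the replacement list."""
    old, new = DEPRECATED_IN_1_6[kind]
    obj = dict(obj)
    legacy = obj.pop(old, None)
    if legacy is not None:
        # credential_uid is a bare string, so wrap it as a programmatic_credential object
        entry = {"uid": legacy} if kind == "user" else legacy
        items = list(obj.get(new, []))
        if entry not in items:  # keep what the producer already expressed the new way
            items.append(entry)
        obj[new] = items
    return obj

def normalize_event(node):
    """Recursively upgrade every embedded user/databucket object; returns a new tree."""
    if isinstance(node, list):
        return [normalize_event(v) for v in node]
    if not isinstance(node, dict):
        return node
    out = {k: normalize_event(v) for k, v in node.items()}
    for key in DEPRECATED_IN_1_6:
        if isinstance(out.get(key), dict):
            out[key] = upgrade_object(key, out[key])
    return out

def deprecated_paths(node, path=""):
    """Yield dotted paths of deprecated attributes still present; nothing yielded means clean."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in DEPRECATED_IN_1_6 and isinstance(value, dict) and DEPRECATED_IN_1_6[key][0] in value:
                yield f"{here}.{DEPRECATED_IN_1_6[key][0]}"
            yield from deprecated_paths(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from deprecated_paths(value, f"{path}[{i}]")

# Constructed sample: a pre-1.6.0 style event that still uses both deprecated attributes.
SAMPLE_EVENT = {"metadata": {"version": "1.5.0"},
                "actor": {"user": {"name": "svc-backup", "credential_uid": "cred-0001"}},
                "databucket": {"name": "backups", "group": {"name": "storage-admins"}}}
```

Running deprecated_paths over incoming events before and after normalize_event gives a quick audit of which producers still emit the pre-1.6.0 attributes.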

Future of OCSF - OCSF 1.7.0-dev

Based on the unreleased changes in the OCSF repository, the next version is currently in development with the following anticipated features:

Development Focus

  • Network Direction Enhancement: Addition of Local (4) enum to the direction_id attribute for improved network traffic classification
  • Continued Schema Optimization: Building upon v1.6.0's IAM analysis capabilities with further refinements
  • Enhanced Platform Support: Continued development of platform-specific extensions
  • Advanced Security Analytics: Further improvements to support sophisticated security analytics and threat detection

Anticipated Timeline

  • Currently in unreleased development phase
  • Expected to include additional IAM enhancements and network analysis improvements
  • Focus on maintaining backward compatibility while introducing cutting-edge security capabilities

Key Changes Between Versions

| Feature | OCSF 1.0.0 | OCSF 1.1.0 | OCSF 1.2.0 | OCSF 1.3.0 | OCSF 1.4.0 | OCSF 1.5.0 | OCSF 1.6.0 | OCSF 1.7.0 (Dev) |
|---|---|---|---|---|---|---|---|---|
| Scope | Core concepts | Expanded scope | Further expanded scope | Comprehensive coverage | Incident and trace profiles | Application security posture | IAM analysis & email enhancements | Advanced network analysis |
| Granularity | Basic | Enhanced | Further enhanced | Very detailed | Cloud resources inventory | Live evidence information | Registry data & process improvements | Enhanced traffic classification |
| Flexibility | Limited | Improved | Further improved | Highly extensible | Linux and Windows extensions | Updated extensions | Enhanced Windows registry support | Continued platform optimization |
| Integration | Basic | Improved | Seamless integration | Deep integration | Enhanced categories | Streamlined discovery | Improved authentication & email handling | Advanced direction classification |
| Emerging Technologies | Limited support | Improved support | Extensive support | Expanded support | Cloud resources support | Application security | IAM security analysis | Enhanced network analytics |

Detailed Analysis of Specific Changes

OCSF 1.1.0 introduced significant enhancements in terms of coverage and flexibility. It introduced new event classes for user inventory, vulnerability findings, and network traffic, as well as new objects like cwe, kb_article, and epss. The security_control profile was also improved to include access control semantics and firewall properties.

OCSF 1.2.0 further expanded the scope of OCSF by adding event classes for data security findings, file queries, folder queries, and other query types. It also introduced new objects like auth_factor, data_security, and autonomous_system. The framework's flexibility and integration capabilities were also enhanced during this version.

OCSF 1.3.0 introduced new event classes for remediation activities, software inventory, and device config state changes. It also added the osint profile for OSINT data and several new objects like d3fend, d3f_tactic, and d3f_technique. The framework's capabilities for capturing detailed information about cybersecurity events were further enhanced during this version.

OCSF 1.4.0 introduced important new profiles for incident response and traceability. With the addition of official Linux and Windows extensions, this version enhanced platform-specific support. The introduction of Cloud Resources Inventory Info [5023] demonstrated OCSF's commitment to supporting cloud environments and multi-cloud deployments.

OCSF 1.5.0 expanded the framework's capabilities with the addition of Application Security Posture Finding [2007] and Live Evidence Info [5040], addressing growing needs in application security and digital forensics. This version also streamlined the Discovery category to focus on the most essential inventory information classes while maintaining comprehensive coverage. Key enhancements included new dictionary attributes like boot_uid, cpid, raw_data_size, and extensive new objects such as assessment, anomaly_analysis, threat_actor, and authentication_token, demonstrating significant advancement in analytics and threat intelligence capabilities.

OCSF 1.6.0 represents a major advancement in IAM security analysis and email handling capabilities. Released in August 2025, this version introduced the IAM Analysis Finding event class and comprehensive attributes for identity and access management analysis, including access_level, programmatic_credentials, identity_activity_metrics, and permission_analysis_results. The version also significantly enhanced email processing with improved sender/recipient handling, registry data support for Windows environments, and network analysis improvements with source/destination assignment tracking.

OCSF 1.7.0-dev, currently in development, focuses on advanced network analysis with enhancements like the Local (4) enum for network direction classification. This development version aims to build upon the IAM analysis capabilities introduced in v1.6.0 while introducing further refinements for sophisticated security analytics and threat detection.

Final Thoughts

By understanding the key changes and enhancements introduced in each OCSF version, organizations can make informed decisions about which version best suits their specific needs and goals. The evolution from OCSF 1.0.0 to 1.6.0 and the ongoing development of 1.7.0 show a progression toward comprehensive, analytics-ready cybersecurity data standardization, with particular strength in IAM analysis.

To gain a deeper understanding of how OCSF structures and organizes its data, including the key elements and relationships within the data model, you can refer to our detailed blog on the OCSF Data Hierarchy. This will provide additional insights into how the framework standardizes security telemetry.

Also Read: Improved Data Integration with OCSF

Metron Security provides on-demand and effective approaches to managing third-party integrations for security ecosystems. Since 2014, Metron has delivered automation solutions for over 300 security applications, along with several hundred custom automation solutions.

If you are looking to set up any integrations with the OCSF Schema and are facing challenges, you can reach out to us at connect@metronlabs.com.