Re: OCSF Information Sharing



You mention the meetings are open to all, yet up until recently lawyers wouldn’t allow you to tell us of its existence. I sense some tension there. Where do I find the information on how to attend the meetings?


You mention possible OCA ‘endorsement’ of OCSF. Could you explain what OCSF is from an organizational viewpoint? If there were NDAs and lawyers then I assume it’s an industry association or a foundation or a 501(c)(3) or something. I’d like to understand ‘who’ we’d be talking about organizationally. I’d hesitate to endorse “one company” and that extends a little to ‘a cabal of companies’ unless they had some fig leaf organizationally. I certainly don’t want to get into favoring AWS over Microsoft/Google/… without more understanding of exactly what we are favoring – and especially if they aren’t OCA members. I don’t want to start our own version of a Japanese keiretsu.


I’d also like the answers to the various FAQs I emailed you about (I recognize that getting approved OCSF answers to the PRs against the OCSF documentation repo would take time). I’d like your opinion on whether OCSF is “complementary to” or “in competition with” (or “too soon to tell”):

  • STIX
  • OpenC2
  • PACE
  • Kestrel
  • STIX-shifter
  • OCA Ontology


I am hopeful I’ll like all the answers you’d provide but I’m worried I won’t. The ‘think evilly’ part of my brain is hard to turn off, so I default to assuming the worst.



Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at




From: oca-pgb@... <oca-pgb@...> on behalf of Jason Keirstead via <>
Date: Wednesday, August 17, 2022 at 10:40 AM
To: oca-pgb@... <oca-pgb@...>
Subject: [oca-pgb] OCSF Information Sharing

Hello fellow PGB members. By now you have probably heard about the announcement of Open Cybersecurity Schema Format (OCSF), which was announced at Black Hat last week. As I relayed to others – IBM was unfortunately under an NDA, so I was unable to share this with other OCA members until now (beyond Rapid7, who was also part of the launch).

I have been receiving a lot of questions on how OCSF relates to OCA, and some are asking why it is not part of the OCA, etc. – and I want to share my point of view. I believe that OCSF and the OCA are complementary efforts. Our mission statement at the OCA is to build an open ecosystem where cybersecurity products can interoperate without the need for customized integrations, using open standards and projects. OCSF clearly aligns with that mission. While we have been focused on using the STIX 2.1 data model for most efforts, it is even today not the only standard we use – and as such OCSF can be a format that OCA may use in future efforts. OCSF, as a purposefully designed format for large-scale log ingestion, has some benefits over the STIX 2.1 SCO model for some use cases, including log management and SIEM.

I also want to make it clear that from what I have seen, the efforts to be a true open standard in this community are genuine. Everyone I have interacted with thus far has been very committed to doing everything collaboratively with a true, open approach. The calls are open and free to join for anyone, and the process for how to submit PRs into the codebase is clearly documented. Simultaneously, however – there are clear gaps in the governance structure, the things you run into when you do not have a neutral organization like the OCA stewarding. Some of these became even more obvious when we were launching this (who owns the website? Who owns the Twitter handle? Who owns the LinkedIn? etc.). IBM has been taking this opportunity to promote OCA to the OCSF community, and making the case for the importance of open governance in efforts like this. Maybe someday, OCSF could come over to OCA.


I hope for the OCA to support the mission of OCSF after its announcement. It will be up to the OCA PGB to decide whether we want to issue any official statements of support for OCSF, or develop any closer relationship between the efforts. I think that regardless of whether the PGB wants to support it or not, we need to work on a message for the community to share our point of view. We can discuss this at the next PGB call (and also here on the mailing list, of course).

As always, I am open to any other questions or thoughts on this.



Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management

Declare an Emergency: USA +1 888 241 9812, Global +1 312 212 8034


Assistant - Mauricio Durán Cambronero (mauduran@...)


Co-Chair - Open Cybersecurity Alliance, Project Governing Board
