ocsf / ocsf-schema

OCSF Schema
Apache License 2.0

Compatibility with OpenTelemetry semantic conventions and/or Elastic Common Schema #766

Open lmolkova opened 10 months ago

lmolkova commented 10 months ago

Elastic Common Schema defines a set of attributes for vulnerabilities, certificates, process, users, etc. that has an intersection with OCSF. It was also historically actively used for security events.

OpenTelemetry defines a set of semantic conventions that describe specific events, implements distributed tracing, etc. It also provides extensive tooling to collect information from user applications or cloud providers. It also has a lot of intersection with OCSF around general-purpose data such as cloud resources, host, service, os, network peers, etc.

Recently, ECS and OpenTelemetry announced convergence and will eventually provide a common set of attributes.

Given that security events are a subset of the general purpose events and have a lot of general attributes in common with OTel and ECS, what's the vision for OCSF?

pagbabian-splunk commented 10 months ago

OCSF isn't technically limited to security events; in fact, many of the Activity classes are not security specific until certain profiles are added to them. OTel could have used the OCSF dictionary for its body, and ECS was proprietary to Elastic (although public) at the time OTel first considered using it, hence it wasn't a candidate for a fully open schema project. Since that time, OTel and ECS converged as you said, in fact very recently.

OTel was focused on Observability wire protocols, with multi-platform agents originally, and is gaining momentum with the leading players in that domain. Further, there are some intersecting use cases of Observability and Security, where Security systems can make use of Observability metrics for example.

There are no plans at this point to do anything with OTel; unfortunately that ship may have sailed (I had suggested it to the Splunk participants more than a year ago). However, it is likely that translation or cross-references to the ECS objects is something that could be a useful project (much like we do with D3FEND Artifacts and OCSF objects).

pagbabian-splunk commented 6 months ago

Update: we are working with the OTel and ECS groups to find a way to collaborate on security events.

jasonbreimer commented 1 month ago

Weekly call review on 6/18: this looks like it's in motion.

Perhaps some OTel samples and a mapping exercise?