CrowdStrike and Industry Partners Release Open Cybersecurity Schema Framework

The OCSF is an open source effort among industry leaders to break down the data silos that hamper security teams’ efforts to detect, investigate and stop cyberattacks

CrowdStrike is excited to announce the release of the Open Cybersecurity Schema Framework (OCSF) project, a collaborative open-source effort among cybersecurity and technology leaders to break down silos that impede cybersecurity teams’ abilities to quickly and effectively detect, investigate and stop breaches.

Detecting and stopping advanced cyberattacks demands coordination across multiple security tools and domains. Security teams too often exhaust time and resources normalizing data from disparate tools to perform the analysis and investigation needed to contain attacks. The OCSF project was developed to address this problem by making it simpler and less burdensome for organizations to use and exchange security data in the global fight against cybercrime.

The OCSF is an open-source standard designed for both data producers and consumers. It delivers a common and extensible, vendor-agnostic taxonomy to help security teams attain simpler and faster data ingestion and analysis without time-consuming data normalization. The goal for this initiative is to provide an open standard that can be adopted in any environment, application or solution provider while aligning with existing security standards and processes. In doing so, it can remove a long-standing obstacle that security teams face around the world. 

Similar to the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Intelligence Information (TAXII) for threat intelligence, and the MITRE ATT&CK framework for tactic classification, OCSF simplifies threat detection and investigation for security teams. 

Innovating for the Future of Cybersecurity 

The OCSF project will benefit organizations in several ways; for example, in security analytics and extended detection and response (XDR) technologies. This coalition of industry partners supports unified data ingestion, enhanced detection and investigation across different domains.

Organizations don’t need more alerts — they need relevant insights across their security stack to detect and stop attacks. CrowdStrike already provides our customers with these insights through the Falcon platform, including CROWDSTRIKE FALCON® XDR, which ingests data from across a broad range of third-party sources and correlates it with our industry-leading threat intelligence in the CrowdStrike Security Cloud. CROWDSTRIKE FALCON® XDR applies CrowdStrike’s world-class machine learning, artificial intelligence (AI) and indicators of attack (IOAs) to extend endpoint detection and response (EDR) outcomes and advanced threat detection across the security stack.

CrowdStrike has also made great strides in helping our customers stop breaches through the CrowdXDR Alliance, which has brought together industry partners to establish a common XDR language for data sharing between security tools and processes. We see the Open Cybersecurity Schema Framework as a natural extension of the work we’ve been doing with leaders across the cybersecurity industry, and look forward to continuing our joint work on behalf of our customers. 

Industry Collaboration Drives Stronger Defense

CrowdStrike has always valued cybersecurity as a team sport. As an initial OCSF member, we continue this commitment as we collaborate with industry leaders to unburden security teams of the onerous work required to collect and normalize data before they can focus on analyzing it. 

This framework was conceived and initiated by AWS and Splunk, and derived from the Integrated Cyber Defense (ICD) schema work done at Symantec, a division of Broadcom, to unify all event formats. Along with CrowdStrike, the OCSF project now includes contributions and participation from 15 additional leading security organizations including Cloudflare, DTEX, IBM Security, IronNet, Okta, Rapid7, Salesforce, Securonix, Sumo Logic and Zscaler. Starting today, all members of the security community are welcome to use and contribute to the OCSF initiative.

This level of open-source collaboration is imperative as the cybersecurity market grows more crowded with vendors whose customers want to transfer data between tools and improve their efficacy. Organizations are actively consolidating vendors and integrating technologies, and survey data reveals this poses a challenge to security teams: cybersecurity professionals identified “numerous problems” in managing an assortment of security products from different vendors, ESG research shows

More than four out of five security professionals agree open source standards are a key requirement for future security technology interoperability, ESG’s data reveals. More than 75% of the 280 people surveyed would like to see greater industry support for open standards. Today’s release of the OCSF brings the security industry one step closer to achieving this goal. 

In keeping with the best practices of open-source efforts, the OCSF project is guided by a steering committee and managed as an open source software project under the Apache 2 license. It is not owned by any single organization; rather it is jointly managed by a team of maintainers in collaboration with project contributors. 

This effort would not have been possible without the many industry partners who came together to address a problem affecting organizations worldwide, and we are excited to be part of the OCSF initiative. Now that the news is out, we welcome more security teams and vendors to join and participate in the project. For more information on how to become part of the OCSF project, please visit

Visit us at Black Hat 2022 in Las Vegas, Booth #1520 to learn more and have conversations with our experts on the show floor as they offer insights into protecting and enabling the people, processes and technologies that drive modern enterprise.

Additional Resources

  • Read the press release about OCSF
  • Find out more about how CrowdStrike supports U.S. federal initiatives at Fal.Con 2022, the cybersecurity industry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!  
  • View the CROWDSTRIKE FALCON® XDR demo and learn more about CROWDSTRIKE FALCON® XDR.
  • Learn how the powerful CrowdStrike Falcon® platform provides comprehensive protection across your organization, workers and data, wherever they are located.
  • Get a free 15-day trial to check out CrowdStrike Falcon®’s superior prevention from cyberattacks, malicious activity detection and immediate response capabilities for your business.
Related Content