Subscribe to the Non-Human & AI Identity Journal

How should security teams decide where to use OCSF in a telemetry pipeline?

Use OCSF where a shared event language improves exchange, correlation, or downstream reporting, but keep the internal model rich enough to support investigations and behavioural analytics. The best rule is simple: standardise at the boundaries, preserve fidelity at the core, and never let canonical formatting remove context that analysts will need later.

Why This Matters for Security Teams

OCSF is most useful when teams need a shared event language across tools, business units, or incident response workflows. The risk is not standardisation itself, but standardising too early and flattening the detail that investigators need later. A telemetry pipeline can be compliant with a schema and still be weak for detection if it strips process ancestry, identity context, or raw vendor fields that explain why an event matters.

This is especially relevant in NHI-heavy environments, where service accounts, API keys, and tokens generate high-volume machine activity that often looks ordinary until it is correlated across systems. NHI Management Group research shows that only 5.7% of organisations have full visibility into their service accounts, which means telemetry design often starts from incomplete ground truth rather than clean inventory. The practical decision is not whether to adopt OCSF, but where its consistency improves exchange without reducing analytical fidelity. See the Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0 for the broader governance context.

In practice, many security teams discover that a clean schema is less valuable than a complete one only after an investigation fails to reconstruct what the workload actually did.

How It Works in Practice

The most effective pattern is to map telemetry into OCSF at the boundaries of the pipeline, while keeping the original event payload and high-fidelity fields in the core data store. That lets ingestion, enrichment, and SIEM search operate on a consistent shared model, while detections, hunt queries, and forensics can still access source-specific detail. OCSF becomes the interchange layer, not the sole record of truth.

Security teams usually decide placement by asking three questions: will this feed be shared, will it be correlated with other sources, and will a downstream consumer need a common schema to interpret it correctly? If the answer is yes, OCSF is a strong fit. If the data is being used for behavioural analytics, threat hunting, or replayable investigations, preserve the native event alongside the normalised record. That approach aligns with current guidance in the NIST Cybersecurity Framework 2.0, which emphasises managing evidence and detection value, not just format compliance.

  • Use OCSF at ingestion for cross-tool correlation and reporting.
  • Retain raw source events for forensic depth and parser validation.
  • Preserve identity, process, and lineage fields that support behavioural analytics.
  • Apply field mapping rules consistently, but do not discard vendor-specific context prematurely.

For pipeline risk examples, the CI/CD pipeline exploitation case study and the Guide to the Secret Sprawl Challenge show why event context often matters more than field uniformity. These controls tend to break down when teams normalise at source and later need to reconstruct exact command paths, token use, or lateral movement chains from flattened records.

Common Variations and Edge Cases

Tighter normalisation often improves interoperability, but it also increases the risk of losing investigative depth, so organisations have to balance clean exchange against forensic completeness. Best practice is evolving here, and there is no universal standard for how much source fidelity must be retained in every pipeline.

One common edge case is cloud and SaaS telemetry, where the same OCSF class may represent events with very different provider semantics. Another is high-cardinality NHI activity, where service accounts, workload identities, and automated agents generate repetitive signals that only become meaningful when correlated with surrounding authentication, network, and process events. In these environments, OCSF should usually sit in the transport and reporting layers, while the detection layer consumes both the mapped event and the raw source record.

Another variation is regulatory reporting versus incident response. For reporting, schema consistency matters more, so OCSF can be applied more aggressively. For incident response, preserve more native detail. The practical rule is to standardise where consumers need comparability, and defer normalisation where analysts need context. The Ultimate Guide to NHIs — Standards is useful for understanding how telemetry choices connect to identity governance and control coverage.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OV-01 Telemetry standardisation is a governance and oversight decision.
OWASP Non-Human Identity Top 10 NHI-08 NHI telemetry must preserve identity context for detection and response.
NIST AI RMF Telemetry design affects observability, monitoring, and AI risk controls.

Map NHI activity into OCSF without stripping source identity, token, or workload lineage fields.