
Add Observability Metric Info Event Class to Discovery Category

Open pladamgregory opened this issue 7 months ago • 6 comments

This PR introduces a new event class, Observability Metric Info, under the Discovery category in OCSF. The event class is designed to standardize the representation of observability metrics from various telemetry sources, such as application performance monitoring (APM), network monitoring, and infrastructure health monitoring.

Addressed Use Case: Many security and IT operations teams struggle with mapping observability logs—such as Zscaler Private Access (ZPA) App Connector Metrics and Private Service Edge Metrics—to existing security data models. These logs provide valuable insights into system health, performance, and connectivity but lack a structured, standardized representation in OCSF.

The following is an example of an App Connector Metrics event:

```json
{
  "LogTimestamp": "2025-05-29T14:32:10Z",
  "Connector": "connector-001",
  "CPUUtilization": 37.5,
  "SystemMemoryUtilization": 62.3,
  "ProcessMemoryUtilization": 28.9,
  "AppCount": 12,
  "ServiceCount": 5,
  "TargetCount": 8,
  "AliveTargetCount": 7,
  "ActiveConnectionsToPublicSE": 134,
  "DisconnectedConnectionsToPublicSE": 11,
  "ActiveConnectionsToPrivateSE": 85,
  "DisconnectedConnectionsToPrivateSE": 5,
  "TransmittedBytesToPublicSE": 1578392,
  "ReceivedBytesFromPublicSE": 1483945,
  "TransmittedBytesToPrivateSE": 1029381,
  "ReceivedBytesFromPrivateSE": 998123,
  "AppConnectionsCreated": 56,
  "AppConnectionsCleared": 12,
  "AppConnectionsActive": 44,
  "UsedTCPPortsIPv4": 124,
  "UsedUDPPortsIPv4": 88,
  "UsedTCPPortsIPv6": 43,
  "UsedUDPPortsIPv6": 21,
  "AvailablePorts": 34211,
  "SystemMaximumFileDescriptors": 65536,
  "SystemUsedFileDescriptors": 12345,
  "ProcessMaximumFileDescriptors": 4096,
  "ProcessUsedFileDescriptors": 987,
  "AvailableDiskBytes": 21474836480,
  "MicroTenantID": "tenant-xyz-789"
}
```

and OCSF would normalize it to the following:

```json
{
  "time": 1748538730,
  "class_name": "observability_metric",
  "class_uid": 5024,
  "category_uid": 5,
  "activity_name": "Log",
  "activity_id": 1,
  "metrics": [
    { "name": "CPUUtilization", "value": 37.5 },
    { "name": "SystemMemoryUtilization", "value": 62.3 },
    { "name": "ProcessMemoryUtilization", "value": 28.9 },
    { "name": "AppCount", "value": 12 },
    { "name": "ServiceCount", "value": 5 },
    { "name": "TargetCount", "value": 8 },
    { "name": "AliveTargetCount", "value": 7 },
    { "name": "ActiveConnectionsToPublicSE", "value": 134 },
    { "name": "DisconnectedConnectionsToPublicSE", "value": 11 },
    { "name": "ActiveConnectionsToPrivateSE", "value": 85 },
    { "name": "DisconnectedConnectionsToPrivateSE", "value": 5 },
    { "name": "TransmittedBytesToPublicSE", "value": 1578392 },
    { "name": "ReceivedBytesFromPublicSE", "value": 1483945 },
    { "name": "TransmittedBytesToPrivateSE", "value": 1029381 },
    { "name": "ReceivedBytesFromPrivateSE", "value": 998123 },
    { "name": "AppConnectionsCreated", "value": 56 },
    { "name": "AppConnectionsCleared", "value": 12 },
    { "name": "AppConnectionsActive", "value": 44 },
    { "name": "UsedTCPPortsIPv4", "value": 124 },
    { "name": "UsedUDPPortsIPv4", "value": 88 },
    { "name": "UsedTCPPortsIPv6", "value": 43 },
    { "name": "UsedUDPPortsIPv6", "value": 21 },
    { "name": "AvailablePorts", "value": 34211 },
    { "name": "SystemMaximumFileDescriptors", "value": 65536 },
    { "name": "SystemUsedFileDescriptors", "value": 12345 },
    { "name": "ProcessMaximumFileDescriptors", "value": 4096 },
    { "name": "ProcessUsedFileDescriptors", "value": 987 },
    { "name": "AvailableDiskBytes", "value": 21474836480 }
  ]
}
```

By introducing this event class, we enable:

Consistent mapping of observability metrics from sources like ZPA’s App Connector and Private Service Edge logs, ensuring seamless integration into Security Information and Event Management (SIEM) systems and Security Data Lakes.

CHANGELOG: New event is added to OCSF via the addition of `events/discovery/observability_metric_info`.

Old PR: https://github.com/ocsf/ocsf-schema/pull/1385

pladamgregory, May 13 '25 15:05

@pladamgregory could you reference the old PR number in the description of this new PR, just so we can track the conversations?

mikeradka, May 13 '25 16:05

> @pladamgregory could you reference the old PR number in the description of this new PR, just so we can track the conversations?

Done

pladamgregory, May 13 '25 16:05

@pladamgregory as requested in your previous as well, can you add a real event/log that you are trying to normalize? A raw and a normalized version of the event that uses the proposed event class would be helpful to review.

floydtree, May 14 '25 17:05

> @pladamgregory as requested in your previous as well, can you add a real event/log that you are trying to normalize? A raw and a normalized version of the event that uses the proposed event class would be helpful to review.

The following would be an example of a raw log from Zscaler ZPA App Connector Metrics:

```json
{
  "LogTimestamp": "2025-05-29T14:32:10Z",
  "Connector": "connector-001",
  "CPUUtilization": 37.5,
  "SystemMemoryUtilization": 62.3,
  "ProcessMemoryUtilization": 28.9,
  "AppCount": 12,
  "ServiceCount": 5,
  "TargetCount": 8,
  "AliveTargetCount": 7,
  "ActiveConnectionsToPublicSE": 134,
  "DisconnectedConnectionsToPublicSE": 11,
  "ActiveConnectionsToPrivateSE": 85,
  "DisconnectedConnectionsToPrivateSE": 5,
  "TransmittedBytesToPublicSE": 1578392,
  "ReceivedBytesFromPublicSE": 1483945,
  "TransmittedBytesToPrivateSE": 1029381,
  "ReceivedBytesFromPrivateSE": 998123,
  "AppConnectionsCreated": 56,
  "AppConnectionsCleared": 12,
  "AppConnectionsActive": 44,
  "UsedTCPPortsIPv4": 124,
  "UsedUDPPortsIPv4": 88,
  "UsedTCPPortsIPv6": 43,
  "UsedUDPPortsIPv6": 21,
  "AvailablePorts": 34211,
  "SystemMaximumFileDescriptors": 65536,
  "SystemUsedFileDescriptors": 12345,
  "ProcessMaximumFileDescriptors": 4096,
  "ProcessUsedFileDescriptors": 987,
  "AvailableDiskBytes": 21474836480,
  "MicroTenantID": "tenant-xyz-789"
}
```

and would normalize to the following:

```json
{
  "time": 1748538730,
  "class_name": "observability_metric",
  "class_uid": 5024,
  "category_uid": 5,
  "activity_name": "Log",
  "activity_id": 1,
  "metrics": [
    { "name": "CPUUtilization", "value": 37.5 },
    { "name": "SystemMemoryUtilization", "value": 62.3 },
    { "name": "ProcessMemoryUtilization", "value": 28.9 },
    { "name": "AppCount", "value": 12 },
    { "name": "ServiceCount", "value": 5 },
    { "name": "TargetCount", "value": 8 },
    { "name": "AliveTargetCount", "value": 7 },
    { "name": "ActiveConnectionsToPublicSE", "value": 134 },
    { "name": "DisconnectedConnectionsToPublicSE", "value": 11 },
    { "name": "ActiveConnectionsToPrivateSE", "value": 85 },
    { "name": "DisconnectedConnectionsToPrivateSE", "value": 5 },
    { "name": "TransmittedBytesToPublicSE", "value": 1578392 },
    { "name": "ReceivedBytesFromPublicSE", "value": 1483945 },
    { "name": "TransmittedBytesToPrivateSE", "value": 1029381 },
    { "name": "ReceivedBytesFromPrivateSE", "value": 998123 },
    { "name": "AppConnectionsCreated", "value": 56 },
    { "name": "AppConnectionsCleared", "value": 12 },
    { "name": "AppConnectionsActive", "value": 44 },
    { "name": "UsedTCPPortsIPv4", "value": 124 },
    { "name": "UsedUDPPortsIPv4", "value": 88 },
    { "name": "UsedTCPPortsIPv6", "value": 43 },
    { "name": "UsedUDPPortsIPv6", "value": 21 },
    { "name": "AvailablePorts", "value": 34211 },
    { "name": "SystemMaximumFileDescriptors", "value": 65536 },
    { "name": "SystemUsedFileDescriptors", "value": 12345 },
    { "name": "ProcessMaximumFileDescriptors", "value": 4096 },
    { "name": "ProcessUsedFileDescriptors", "value": 987 },
    { "name": "AvailableDiskBytes", "value": 21474836480 }
  ]
}
```

pladamgregory, May 30 '25 00:05
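The raw-to-normalized mapping shown in the comment above, written out as a small normalizer. This is an added example, not code from the OCSF project or from the PR author: it takes a constructed App Connector Metrics record of the same shape as the one posted, converts `LogTimestamp` to epoch seconds, turns every numeric field into a `{name, value}` entry of the `metrics` array, and refuses non-numeric metric values so a malformed or tampered record cannot land in a SIEM as a metric. The class and category identifiers (`observability_metric`, `5024`, `5`, activity `Log`/`1`) are taken from the normalized example in the thread; that they match the final merged schema is an assumption, as is the choice to carry the non-metric context fields (`Connector`, `MicroTenantID`) in the base event's `unmapped` object rather than drop them.

```python
import json
from datetime import datetime, timezone

# Constructed sample record, same shape as the raw ZPA App Connector Metrics
# log posted in this thread (values are the thread's, not a live capture).
RAW_APP_CONNECTOR_LOG = json.dumps({
    "LogTimestamp": "2025-05-29T14:32:10Z", "Connector": "connector-001",
    "CPUUtilization": 37.5, "SystemMemoryUtilization": 62.3,
    "ProcessMemoryUtilization": 28.9, "AppCount": 12, "ServiceCount": 5,
    "TargetCount": 8, "AliveTargetCount": 7,
    "ActiveConnectionsToPublicSE": 134, "DisconnectedConnectionsToPublicSE": 11,
    "ActiveConnectionsToPrivateSE": 85, "DisconnectedConnectionsToPrivateSE": 5,
    "TransmittedBytesToPublicSE": 1578392, "ReceivedBytesFromPublicSE": 1483945,
    "TransmittedBytesToPrivateSE": 1029381, "ReceivedBytesFromPrivateSE": 998123,
    "AppConnectionsCreated": 56, "AppConnectionsCleared": 12,
    "AppConnectionsActive": 44, "UsedTCPPortsIPv4": 124, "UsedUDPPortsIPv4": 88,
    "UsedTCPPortsIPv6": 43, "UsedUDPPortsIPv6": 21, "AvailablePorts": 34211,
    "SystemMaximumFileDescriptors": 65536, "SystemUsedFileDescriptors": 12345,
    "ProcessMaximumFileDescriptors": 4096, "ProcessUsedFileDescriptors": 987,
    "AvailableDiskBytes": 21474836480, "MicroTenantID": "tenant-xyz-789",
})

# Identifiers as used in the thread's normalized example. Assumption: these
# are the values the proposed event class ends up with in the schema.
CLASS_NAME = "observability_metric"
CLASS_UID = 5024
CATEGORY_UID = 5          # Discovery
ACTIVITY_NAME, ACTIVITY_ID = "Log", 1

# Raw keys that identify the source rather than measure it. They are not
# emitted as metrics; keeping them under `unmapped` is this example's choice.
CONTEXT_KEYS = ("Connector", "MicroTenantID")


def to_epoch_seconds(ts: str) -> int:
    """Parse the vendor's UTC timestamp ('...Z') into OCSF `time` (epoch seconds)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def normalize_app_connector_metrics(raw_json: str) -> dict:
    """Map one raw App Connector Metrics record onto the proposed event class.

    Raises ValueError if a metric field is not a plain number, so that a
    record with a string or boolean where a number belongs is rejected
    instead of being silently normalized.
    """
    raw = json.loads(raw_json)
    if "LogTimestamp" not in raw:
        raise ValueError("record has no LogTimestamp; cannot set `time`")

    metrics = []
    for key, value in raw.items():
        if key == "LogTimestamp" or key in CONTEXT_KEYS:
            continue
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValueError(f"metric {key!r} is not numeric: {value!r}")
        metrics.append({"name": key, "value": value})

    return {
        "time": to_epoch_seconds(raw["LogTimestamp"]),
        "class_name": CLASS_NAME,
        "class_uid": CLASS_UID,
        "category_uid": CATEGORY_UID,
        "activity_name": ACTIVITY_NAME,
        "activity_id": ACTIVITY_ID,
        "metrics": metrics,
        "unmapped": {k: raw[k] for k in CONTEXT_KEYS if k in raw},
    }


if __name__ == "__main__":
    print(json.dumps(normalize_app_connector_metrics(RAW_APP_CONNECTOR_LOG), indent=2))
```

Running the module prints the normalized event with all 28 numeric fields in `metrics`; the type check is the part worth keeping in a production mapper, since a `metrics[].value` that is actually a string will break downstream aggregation and is a cheap place to catch a broken or spoofed feed.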

In your example, you have only used the key:value pair metrics object. Can you demonstrate how the other objects are used and why they are needed? Currently, it appears that the Device Inventory class with the addition of a metrics object should suffice.

floydtree, May 30 '25 15:05

> In your example, you have only used the key:value pair metrics object. Can you demonstrate how the other objects are used and why they are needed? Currently, it appears that the Device Inventory class with the addition of a metrics object should suffice.

We talked about this on the call. This event is not a device inventory information event; the "activity" of the event is the retrieval of the metric. The other objects are included because observability metrics can occur on applications and networks as well, not only on devices. My example is not inclusive of every possible event of this nature.

pladamgregory, Jun 03 '25 16:06

Per some discussion in slack, I'm going to close #1421 and continue this in #1422.

hmadison, Jul 08 '25 16:07