Telemetry Extension Specification v1
Version: 1.0.0
Status: Published (Sprint 33)
1. Purpose
Define a normalized telemetry contract across the orchestrator, broker, and federation bridge for VectorVue ingestion.
2. Supported Input Shapes
- CloudEvents specversion=1.0
- Internal telemetry event (event_type, actor, target, status)
- Legacy compatibility event (event, result, context)
Reference parser:
pkg.orchestrator.telemetry_schema.TelemetrySchemaParser
3. Required Normalized Fields
Canonical event fields after parsing:
- event_type
- actor
- target
- status
- tenant_id
- attributes
4. Federation Extension Fields
Outbound federation payload MUST carry:
- execution_hash (unified execution fingerprint)
- tenant_id
- operator_id
- signed metadata and nonce/timestamp fields
Telemetry enrichment fields:
- mitre_techniques
- mitre_tactics
- soc2_controls
- iso27001_annex_a_controls
- nist_800_53_controls
5. Integrity and Trust Requirements
- mTLS MUST be used for federation transport.
- Payload signing MUST be enabled for federation requests.
- Replay detection MUST enforce nonce uniqueness + bounded timestamp freshness.
- Tenant context MUST remain present and unambiguous across parsing and federation.
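One way a receiver could enforce the signing, replay and tenant-context rules above, as an added example that is not part of this specification or the project's code. HMAC-SHA256 over canonical JSON, the envelope layout (body, signature), the nonce and timestamp field names, the 300-second window and per-tenant nonce scoping are all assumptions; the spec does not define them.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window; the spec does not fix a value


class ReplayGuard:
    """Receiver-side check: signature, tenant context, freshness, nonce uniqueness."""

    def __init__(self, key, max_skew=MAX_SKEW_SECONDS):
        self._key = key            # shared HMAC key (assumed signing scheme)
        self._max_skew = max_skew
        self._seen = {}            # (tenant_id, nonce) -> expiry; process-local

    def sign(self, body):
        # Canonical JSON so signer and verifier hash identical bytes.
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, raw, hashlib.sha256).hexdigest()

    def check(self, envelope, now=None):
        now = time.time() if now is None else now
        body, sig = envelope.get("body"), envelope.get("signature")
        if not isinstance(body, dict) or not isinstance(sig, str):
            return "malformed"
        # Authenticate first so unsigned input can never fill the nonce cache.
        if not hmac.compare_digest(self.sign(body).encode(), sig.encode()):
            return "bad_signature"
        tenant, nonce, ts = (body.get(k) for k in ("tenant_id", "nonce", "timestamp"))
        if not isinstance(tenant, str) or not tenant:
            return "missing_tenant"
        if not isinstance(nonce, str) or not nonce or not isinstance(ts, (int, float)):
            return "malformed"
        # Written as "not <=" so a NaN timestamp is rejected rather than accepted.
        if not abs(now - ts) <= self._max_skew:
            return "stale"
        # A nonce must be remembered for as long as its message could still be fresh.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}
        if (tenant, nonce) in self._seen:
            return "replay"
        self._seen[(tenant, nonce)] = ts + self._max_skew
        return "ok"
```

With more than one receiver instance, the nonce cache would need to live in a shared store so a replay sent to a different instance is still caught.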
6. Compatibility Notes
- Unknown attributes are preserved in attributes.
- Default ATT&CK/compliance mappings are applied when omitted.
- Explicit producer-supplied mappings override defaults when present and valid.