
Generate an OCSF mapping

This guide shows you how to map security logs to the Open Cybersecurity Schema Framework (OCSF) using the MCP server’s code generation tools.

The result is a complete OCSF mapping package that:

  • Identifies the appropriate OCSF event class for your logs
  • Maps source fields to OCSF schema fields
  • Generates TQL transformation code
  • Validates the mapping against OCSF schema definitions
  • Includes test cases with sample data
  • Provides a ready-to-install Tenzir package

  1. Provide sample log events. Give your AI agent one or more representative security events:

    Prompt with Fortinet DNS query log:

    ```text
    Hey, map this log to OCSF:
    date=2019-05-15 time=15:05:49 logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" vd="vdom1" eventtime=1557957949740931155 policyid=1 sessionid=6887 srcip=10.1.100.22 srcport=50002 srcintf="port12" srcintfrole="undefined" dstip=172.16.100.100 dstport=53 dstintf="port11" dstintfrole="undefined" proto=17 profile="dnsfilter_fgd" srcmac="a2:e9:00:ec:40:41" xid=57945 qname="changelogs.ubuntu.com" qtype="AAAA" qtypeval=28 qclass="IN" ipaddr="2001:67c:1560:8008::11" msg="Domain is monitored" action="pass" cat=52 catdesc="Information Technology"
    ```

    The MCP server uses the make_ocsf_mapping tool to analyze your data and generate a complete workflow with step-by-step instructions. This tool builds on make_parser and calls it as the first step to ensure your logs are properly parsed before mapping them to OCSF.

  2. Wait for completion. In most cases you can now keep your hands off the keyboard and wait until the tool completes. The make_ocsf_mapping tool provides your agent with detailed guidance for:

    • Parsing: Builds on the parser generation tool to bootstrap the process
    • Class identification: Selects the appropriate OCSF event class
    • Schema analysis: Understands required and optional OCSF fields
    • Field mapping: Maps source fields to OCSF schema fields
    • Code generation: Generates the complete TQL transformation code
    • Testing: Creates test cases to validate the mapping

    Your AI agent follows these instructions to build the mapping.

  3. Verify and iterate. For the log sample above, the agent creates a new package fortinet in its current working directory, which may have the following structure:

    • fortinet/
      • operators/
        • ocsf/
          • dns.tql
        • parse.tql
      • tests/
        • inputs/
          • ocsf/
            • dns.txt
          • parse.txt
        • ocsf/
          • dns.tql
          • dns.txt
        • parse.tql
        • parse.txt
      • package.yaml

    This is a valid package including tests. The package contains both user-defined operators fortinet::parse for parsing the raw logs and fortinet::ocsf::map for mapping the parsed data to OCSF. Make sure to check the test outputs to ensure the OCSF mapping is correct.
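As an added illustration (not code from this page or from the package the agent generates), the same two-stage parse-then-map workflow is written out in Python rather than TQL for the Fortinet DNS event from step 1. The class choice (OCSF DNS Activity, class_uid 4003, activity_id 2 for a response) and the use of unmapped for leftover fields follow the OCSF schema; the metadata.version value and the severity and action mappings are assumptions made for the example.

```python
import re

# Constructed sample: the Fortinet DNS response event from the walkthrough above.
SAMPLE = (
    'date=2019-05-15 time=15:05:49 logid="1501054802" type="utm" subtype="dns" '
    'eventtype="dns-response" level="notice" vd="vdom1" eventtime=1557957949740931155 '
    'policyid=1 sessionid=6887 srcip=10.1.100.22 srcport=50002 srcintf="port12" '
    'srcintfrole="undefined" dstip=172.16.100.100 dstport=53 dstintf="port11" '
    'dstintfrole="undefined" proto=17 profile="dnsfilter_fgd" srcmac="a2:e9:00:ec:40:41" '
    'xid=57945 qname="changelogs.ubuntu.com" qtype="AAAA" qtypeval=28 qclass="IN" '
    'ipaddr="2001:67c:1560:8008::11" msg="Domain is monitored" action="pass" cat=52 '
    'catdesc="Information Technology"'
)

# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# OCSF DNS Activity activity_id values for the Fortinet eventtype field.
ACTIVITY = {"dns-query": 1, "dns-response": 2}

def parse_fortinet(line):
    """Parse step (the role of fortinet::parse): the raw line becomes a flat record."""
    event = {}
    for key, quoted, bare in KV_RE.findall(line):
        # Bare integers become ints; quoted values stay strings even if numeric (logid).
        event[key] = (int(bare) if bare.isdigit() else bare) if bare else quoted
    return event

def to_ocsf_dns_activity(event):
    """Mapping step (the role of fortinet::ocsf::map) into OCSF DNS Activity (4003)."""
    ev = dict(event)  # copy; whatever is still here at the end becomes `unmapped`
    activity_id = ACTIVITY.get(ev.pop("eventtype"), 0)  # 0 = Unknown
    qtype = ev.pop("qtype")
    return {
        "category_uid": 4,                         # Network Activity
        "class_uid": 4003,                         # DNS Activity
        "activity_id": activity_id,
        "type_uid": 4003 * 100 + activity_id,      # 400302 for a response
        "time": ev.pop("eventtime") // 1_000_000,  # Fortinet ns -> OCSF epoch ms
        "severity_id": 1,                          # assumed: level=notice -> Informational
        "action_id": 1 if ev.pop("action") == "pass" else 2,  # assumed: 1 Allowed, 2 Denied
        "message": ev.pop("msg"),
        "metadata": {"product": {"vendor_name": "Fortinet"}, "version": "1.3.0"},  # assumed version
        "src_endpoint": {"ip": ev.pop("srcip"), "port": ev.pop("srcport"), "mac": ev.pop("srcmac")},
        "dst_endpoint": {"ip": ev.pop("dstip"), "port": ev.pop("dstport")},
        "connection_info": {"protocol_num": ev.pop("proto")},
        "query": {"hostname": ev.pop("qname"), "type": qtype, "class": ev.pop("qclass")},
        "answers": [{"rdata": ev.pop("ipaddr"), "type": qtype}],
        "unmapped": ev,  # xid, qtypeval, cat, ... kept for later refinement, not dropped
    }
```

Everything the mapping does not consume lands in unmapped, which is the place to look when refining the package in the next step.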

  • Refine the mapping: Add enrichment, handle edge cases, or map additional fields that are still left in unmapped.
  • Install the package: Use package::add or set tenzir.package_dirs to make the mapping package available in your Tenzir node.
  • Add a changelog entry: Ask the agent to add a changelog entry, documenting the work.
